💾 Archived View for axionfield.space › gemlog › 20220615-usbguard.gmi captured on 2024-02-05 at 09:39:06. Gemini links have been rewritten to link to archived content
I recently discovered usbguard:
https://github.com/USBGuard/usbguard
This is a daemon that uses some kernel constructs to apply policies on whether
the kernel should accept a USB device or not. This can be very useful to prevent
anybody from plugging USB stuff into your devices, like a rubber ducky or other bad
USB sticks. The tool offers a vast range of possibilities, but I want to keep my
laptop usable and not have to add rules for everything I plug in.
However, I only want to accept new USB devices when my laptop is not locked.
This should prevent 99% of attacks (which are already highly improbable). So
here's how I did this on Arch.
The first thing to do is to install usbguard:
```
sudo pacman -S usbguard
sudo systemctl enable --now usbguard
```
Now we want to whitelist our known USB devices. Normally the install process
does it, but just to be sure, I'll show how to do this. It can also be useful to
rerun this if your set of known devices changes. Plug in all the things you want
to always be allowed (if you don't, you'll need to add rules yourself later) and
run:
```
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf
sudo systemctl restart usbguard
```
Now usbguard will block any device that was not plugged in at the time of the
policy generation. You can always add new rules later with usbguard append-rule.
You can control the default policy for new devices using:
```
sudo usbguard set-parameter ImplicitPolicyTarget allow
sudo usbguard set-parameter ImplicitPolicyTarget block
```
You can check the current state with:
```
sudo usbguard get-parameter ImplicitPolicyTarget
```
In my scenario, I don't really care that you can change policies when you have
access to a logged-in shell. So I just add this to /etc/sudoers.d/usbguard:
```
YOUR_USERNAME ALL=(ALL) NOPASSWD: /usr/bin/usbguard set-parameter ImplicitPolicyTarget *
```
Don't forget to replace YOUR_USERNAME with, well, your username.
I use swaylock and a systemd service to lock my screen:
```
[Unit]
Description=Launch swaylock

[Service]
Type=forking
ExecStart=swaylock

[Install]
WantedBy=default.target
```
So it's now very easy to add a pre/post hook to block/allow new USB devices by
default. The file can be edited like so:
```
[Unit]
Description=Launch swaylock

[Service]
Type=forking
ExecStartPre=sudo usbguard set-parameter ImplicitPolicyTarget block
ExecStart=swaylock
ExecStop=sudo usbguard set-parameter ImplicitPolicyTarget allow

[Install]
WantedBy=default.target
```
Now every time you start your lockscreen, it will block new USB devices by
default, and when the lockscreen exits, the policy will be reset to allow all
by default.
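The same block/lock/allow sequence as a plain shell wrapper, added here as an example that is not part of the original post or of usbguard itself: it checks with get-parameter that the block really took effect before locking, refuses to lock otherwise, and restores the allow policy through a trap even if the locker dies. It assumes the sudoers rule above; the USBGUARD and LOCKER variables and the usbguard-lock.sh file name are my own.
```sh
#!/bin/sh
# Added example: wrap a screen locker so new USB devices are blocked while it
# runs and allowed again when it exits. Not code from the original post.
# Both variables can be overridden (e.g. for testing with stubs).
USBGUARD="${USBGUARD:-sudo usbguard}"   # relies on the NOPASSWD sudoers rule
LOCKER="${LOCKER:-swaylock}"

# set_policy block|allow: apply the default policy and verify that the daemon
# reports it back, so a silently failed sudo/usbguard call is not mistaken
# for a locked state.
set_policy() {
    $USBGUARD set-parameter ImplicitPolicyTarget "$1" >/dev/null || return 1
    [ "$($USBGUARD get-parameter ImplicitPolicyTarget)" = "$1" ]
}

# locked_session: block new devices, run the locker, restore allow afterwards.
# Returns the locker's exit status; returns 1 without locking if blocking failed.
locked_session() {
    if ! set_policy block; then
        echo "could not block new USB devices, not locking" >&2
        return 1
    fi
    # Restore the permissive default however we leave (locker crash, signal).
    trap 'set_policy allow' EXIT INT TERM
    $LOCKER
    rc=$?
    set_policy allow
    trap - EXIT INT TERM
    return "$rc"
}

# When executed as usbguard-lock.sh (hypothetical name), run the session;
# when sourced, only the functions are defined.
case "$0" in
    usbguard-lock.sh|*/usbguard-lock.sh) locked_session ;;
esac
```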
Finally, I just add this to my .zprofile (you can adapt it to your own shell), so
the policy is set to allow when I log in through a tty:
```
sudo usbguard set-parameter ImplicitPolicyTarget allow
```
Life is good.