4.12. Using USBGuard
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce a user-defined policy, USBGuard uses the Linux kernel USB device authorization feature. The USBGuard framework provides the following components:

- The daemon component with an inter-process communication (IPC) interface for dynamic interaction and policy enforcement.
- The command-line interface to interact with a running USBGuard instance.
- The rule language for writing USB device authorization policies.
- The C++ API for interacting with the daemon component implemented in a shared library.
4.12.1. Installing USBGuard
To install the usbguard package, enter the following command as root:

~]# yum install usbguard
To create the initial rule set, enter the following command as root:

~]# usbguard generate-policy > /etc/usbguard/rules.conf

Note: To customize the USBGuard rule set, edit the /etc/usbguard/rules.conf file. See the usbguard-rules.conf(5) man page for more information. Additionally, see Section 4.12.3, "Using the Rule Language to Create Your Own Policy" for examples.
To start the USBGuard daemon, enter the following command as root:

~]# systemctl start usbguard.service
To ensure USBGuard starts automatically at system start, use the following command as root:

~]# systemctl enable usbguard.service
Created symlink from /etc/systemd/system/basic.target.wants/usbguard.service to /usr/lib/systemd/system/usbguard.service.
To list all USB devices recognized by USBGuard, enter the following command as root:

~]# usbguard list-devices
1: allow id 1d6b:0002 serial "0000:00:06.7" name "EHCI Host Controller" hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" parent-hash "4PHGcaDKWtPjKDwYpIRG722cB9SlGz9l9Iea93+Gt9c=" via-port "usb1" with-interface 09:00:00
...
6: block id 1b1c:1ab1 serial "000024937962" name "Voyager" hash "CrXgiaWIf2bZAU+5WkzOE7y0rdSO82XMzubn7HDb95Q=" parent-hash "JDOb0BiktYs2ct3mSQKopnOOV2h9MGYADwhT+oUtF2s=" via-port "1-3" with-interface 08:06:50
To authorize a device to interact with the system, use the allow-device option:

~]# usbguard allow-device 6
To deauthorize and remove a device from the system, use the reject-device option. To just deauthorize a device, use the usbguard command with the block-device option:

~]# usbguard block-device 6

USBGuard uses the block and reject terms with the following meaning:

- block - do not talk to this device for now
- reject - ignore this device as if it did not exist
To see all options of the usbguard command, enter it with the --help option:

~]$ usbguard --help

4.12.2. Creating a White List and a Black List
The usbguard-daemon.conf file is loaded by the usbguard daemon after it parses its command-line options and is used to configure runtime parameters of the daemon. To override the default configuration file (/etc/usbguard/usbguard-daemon.conf), use the -c command-line option. See the usbguard-daemon(8) man page for further details.

To create a white list or a black list, edit the usbguard-daemon.conf file and use the following options:
USBGuard configuration file options:

- RuleFile=<path>: The usbguard daemon uses this file to load the policy rule set and to write new rules received through the IPC interface.
- IPCAllowedUsers=<username> [<username> ...]: A space-delimited list of user names that the daemon accepts IPC connections from.
- IPCAllowedGroups=<groupname> [<groupname> ...]: A space-delimited list of group names that the daemon accepts IPC connections from.
- IPCAccessControlFiles=<path>: Path to a directory holding the IPC access control files.
- ImplicitPolicyTarget=<target>: How to treat devices that do not match any rule in the policy. Accepted values: allow, block, reject.
- PresentDevicePolicy=<policy>: How to treat devices that are already connected when the daemon starts:
  - allow - authorize every present device
  - block - deauthorize every present device
  - reject - remove every present device
  - keep - just sync the internal state and leave it
  - apply-policy - evaluate the rule set for every present device
- PresentControllerPolicy=<policy>: How to treat USB controllers that are already connected when the daemon starts:
  - allow - authorize every present controller
  - block - deauthorize every present controller
  - reject - remove every present controller
  - keep - just sync the internal state and leave it
  - apply-policy - evaluate the rule set for every present controller

Example 4.5. USBGuard configuration

The following configuration file orders the usbguard daemon to load rules from the /etc/usbguard/rules.conf file and allows only users from the usbguard group to use the IPC interface:

RuleFile=/etc/usbguard/rules.conf
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
To specify the IPC Access Control List (ACL), use the usbguard add-user or usbguard remove-user commands. See the usbguard(1) man page for more details. In this example, to allow users from the usbguard group to modify USB device authorization state, list USB devices, listen to exception events, and list the USB authorization policy, enter the following command as root:

~]# usbguard add-user -g usbguard --devices=modify,list,listen --policy=list --exceptions=listen

Important: The daemon provides the USBGuard public IPC interface. In Red Hat Enterprise Linux, access to this interface is by default limited to the root user only. Consider setting either the IPCAccessControlFiles option (recommended) or the IPCAllowedUsers and IPCAllowedGroups options to limit access to the IPC interface. Do not leave the ACL unconfigured, as this exposes the IPC interface to all local users and allows them to manipulate the authorization state of USB devices and modify the USBGuard policy.

For more information, see the IPC Access Control section in the usbguard-daemon.conf(5) man page.
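The following script is an added example, not part of USBGuard or of this guide. It reads a usbguard-daemon.conf as plain Key=value text and reports the settings discussed above that weaken the deployment: an unconfigured IPC ACL, an implicit or present-device target of allow, and values outside the documented set. The two configuration samples inside it are constructed (the hardened one is Example 4.5 plus explicit policy targets); the finding codes are this script's own names.

```python
"""Audit the IPC access-control and policy-target settings of a
usbguard-daemon.conf file.

Added example, not part of USBGuard: it parses Key=value text on its own and
needs neither the daemon nor the real file, so it runs offline.
"""

LIST_KEYS = {"IPCAllowedUsers", "IPCAllowedGroups"}
VALID = {
    "ImplicitPolicyTarget": {"allow", "block", "reject"},
    "PresentDevicePolicy": {"allow", "block", "reject", "keep", "apply-policy"},
    "PresentControllerPolicy": {"allow", "block", "reject", "keep", "apply-policy"},
}


def parse_daemon_conf(text):
    """Parse 'Key=value' lines into a dict; '#' starts a comment.

    Assumption: one Key=value per line, the shape of the options listed in
    usbguard-daemon.conf(5). List-valued keys are split on whitespace.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        conf[key] = value.split() if key in LIST_KEYS else value
    return conf


def audit_daemon_conf(text):
    """Return a list of (code, message) findings; an empty list means no concerns."""
    conf = parse_daemon_conf(text)
    findings = []

    if "RuleFile" not in conf:
        findings.append(("no-rulefile", "RuleFile is not set; no policy file is configured"))

    acl_dir = conf.get("IPCAccessControlFiles")
    users = conf.get("IPCAllowedUsers", [])
    groups = conf.get("IPCAllowedGroups", [])
    if not (acl_dir or users or groups):
        findings.append(("ipc-acl-unconfigured",
                         "no IPCAccessControlFiles, IPCAllowedUsers or IPCAllowedGroups: "
                         "the IPC interface is exposed to all local users"))
    elif users or groups:
        findings.append(("ipc-static-acl",
                         "IPC access granted by static lists (users=%s groups=%s); "
                         "IPCAccessControlFiles is the recommended mechanism"
                         % (",".join(users) or "-", ",".join(groups) or "-")))

    # Values outside the documented sets are rejected before the target checks.
    for key, allowed in VALID.items():
        value = conf.get(key)
        if value is not None and value not in allowed:
            findings.append(("invalid-value", f"{key}={value} is not one of {sorted(allowed)}"))

    if conf.get("ImplicitPolicyTarget") == "allow":
        findings.append(("implicit-allow",
                         "ImplicitPolicyTarget=allow authorizes every device that matches no rule"))
    if conf.get("PresentDevicePolicy") == "allow":
        findings.append(("present-allow",
                         "PresentDevicePolicy=allow authorizes every device plugged in before "
                         "the daemon started without evaluating the rules"))
    return findings


# Constructed sample: Example 4.5 above, plus explicit policy targets.
HARDENED_CONF = """\
# usbguard-daemon.conf (constructed sample)
RuleFile=/etc/usbguard/rules.conf
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
"""

# Constructed sample of the weak settings the Important note warns about.
WEAK_CONF = """\
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=allow
PresentDevicePolicy=allow
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(f"== {name}")
        for code, msg in audit_daemon_conf(text) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it against a copy of the real file with `audit_daemon_conf(open("/etc/usbguard/usbguard-daemon.conf").read())`; a non-empty result for ipc-acl-unconfigured means the IPC interface is reachable by every local user.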
4.12.3. Using the Rule Language to Create Your Own Policy
The usbguard daemon decides whether to authorize a USB device based on a policy defined by a set of rules. When a USB device is inserted into the system, the daemon scans the existing rules sequentially and, when a matching rule is found, it either authorizes (allows), deauthorizes (blocks), or removes (rejects) the device, based on the rule target. If no matching rule is found, the decision is based on an implicit default target. This implicit default is to block the device until the user makes a decision.

			The rule language grammar is the following:
		
For more details about the rule language such as targets, device specification, or device attributes, see the usbguard-rules.conf(5) man page.

Example 4.6. USBGuard example policies
- Allow USB mass storage devices and block everything else

  This policy blocks any device that is not just a mass storage device. Devices with a hidden keyboard interface in a USB flash disk are blocked. Only devices with a single mass storage interface are allowed to interact with the operating system. The policy consists of a single rule:

  allow with-interface equals { 08:*:* }

  The blocking is implicit because there is no block rule. Implicit blocking is useful to desktop users because a desktop applet listening to USBGuard events can ask the user for a decision if an implicit target was selected for a device.

- Allow a specific Yubikey device to be connected through a specific port

  Reject everything else on that port:

  allow 1050:0011 name "Yubico Yubikey II" serial "0001234567" via-port "1-2" hash "044b5e168d40ee0245478416caf3d998"
  reject via-port "1-2"

- Reject devices with a suspicious combination of interfaces

  A USB flash disk which implements a keyboard or a network interface is very suspicious. The following set of rules forms a policy which allows USB flash disks and explicitly rejects devices with an additional and suspicious interface:

  allow with-interface equals { 08:*:* }
  reject with-interface all-of { 08:*:* 03:00:* }
  reject with-interface all-of { 08:*:* 03:01:* }
  reject with-interface all-of { 08:*:* e0:*:* }
  reject with-interface all-of { 08:*:* 02:*:* }

  Note: Blacklisting is the wrong approach, and you should not just blacklist a set of devices and allow the rest. The policy above assumes that blocking is the implicit default. Rejecting a set of devices considered "bad" is a good approach to limiting the exposure of the system to such devices as much as possible.

- Allow a keyboard-only USB device

  The following rule allows a keyboard-only USB device only if there is not a USB device with a keyboard interface already allowed:

  allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })
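The following evaluator is an added example, not USBGuard's own parser, written to make the semantics of Example 4.6 concrete: first match wins, the default is the implicit block target, and the with-interface set operators (equals, all-of, one-of, none-of) decide whether a device's class:subclass:protocol list matches. It also parses the with-interface field of the usbguard list-devices output shown in Section 4.12.1, so the policies can be checked against real device listings. Assumptions, stated in the code: a with-interface set with no operator is treated like equals, wildcards are the 08:*:* field form, and the device lists inside the script are constructed.

```python
"""Evaluate the with-interface subset of the USBGuard rule language.

Added example, not USBGuard's own parser. It covers the constructs used in
Example 4.6: allow/block/reject targets, with-interface with equals, all-of,
one-of or none-of, 08:*:* style wildcards, and an optional
'if [!]allowed-matches(with-interface ...)' condition. Assumptions: a
with-interface set without an operator behaves like 'equals', and the
implicit target is 'block', as the text describes.
"""
import re

TARGETS = ("allow", "block", "reject")
IFACE_CLAUSE = re.compile(
    r"with-interface\s+(?:(all-of|one-of|none-of|equals)\s+)?"
    r"(?:\{\s*([^}]*?)\s*\}|(\S+))")
CONDITION = re.compile(r"\bif\s+(!?)allowed-matches\((.*)\)\s*$")
DEVICE_LINE = re.compile(r"^(\d+):\s+(allow|block|reject)\s+id\s+(\S+)\s")


def iface_matches(pattern, iface):
    """'08:*:*' matches '08:06:50': compare class:subclass:protocol field by field."""
    p, i = pattern.split(":"), iface.split(":")
    return len(p) == len(i) == 3 and all(pf in ("*", f) for pf, f in zip(p, i))


def set_matches(op, patterns, ifaces):
    """Apply one set operator to the device's interface list."""
    def hit(pat):
        return any(iface_matches(pat, i) for i in ifaces)
    if op == "all-of":
        return all(map(hit, patterns))
    if op == "one-of":
        return any(map(hit, patterns))
    if op == "none-of":
        return not any(map(hit, patterns))
    # equals: every pattern is matched and no device interface is left uncovered,
    # which is why a disk that also exposes 03:01:01 fails 'equals { 08:*:* }'
    return all(map(hit, patterns)) and all(
        any(iface_matches(pat, i) for pat in patterns) for i in ifaces)


def parse_iface_clause(text):
    m = IFACE_CLAUSE.search(text)
    if not m:
        raise ValueError(f"no with-interface clause in {text!r}")
    return m.group(1) or "equals", (m.group(2) or m.group(3)).split()


def parse_rule(line):
    target, _, rest = line.strip().partition(" ")
    if target not in TARGETS:
        raise ValueError(f"unknown target in {line!r}")
    cond = None
    m = CONDITION.search(rest)
    if m:                      # (negated?, nested with-interface clause)
        cond = (m.group(1) == "!", parse_iface_clause(m.group(2)))
        rest = rest[:m.start()]
    return {"target": target, "match": parse_iface_clause(rest), "cond": cond}


def parse_policy(lines):
    return [parse_rule(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


def parse_device_line(line):
    """Pull number, state, id and interface list out of one 'usbguard list-devices' line."""
    m = DEVICE_LINE.match(line)
    if not m:
        raise ValueError(f"not a list-devices line: {line!r}")
    _, ifaces = parse_iface_clause(line)
    return {"num": int(m.group(1)), "state": m.group(2), "id": m.group(3), "ifaces": ifaces}


def evaluate(policy, ifaces, allowed=(), implicit="block"):
    """First matching rule decides; 'allowed' holds interface lists of devices already authorized."""
    for rule in policy:
        op, patterns = rule["match"]
        if not set_matches(op, patterns, ifaces):
            continue
        if rule["cond"] is not None:
            negated, (cop, cpats) = rule["cond"]
            seen = any(set_matches(cop, cpats, dev) for dev in allowed)
            if seen == negated:   # allowed-matches() evaluated false for this rule
                continue
        return rule["target"]
    return implicit


# Constructed samples: the policies of Example 4.6 and devices of the kinds it discusses.
MASS_STORAGE_ONLY = ["allow with-interface equals { 08:*:* }"]
REJECT_SUSPICIOUS = [
    "allow with-interface equals { 08:*:* }",
    "reject with-interface all-of { 08:*:* 03:00:* }",
    "reject with-interface all-of { 08:*:* 03:01:* }",
    "reject with-interface all-of { 08:*:* e0:*:* }",
    "reject with-interface all-of { 08:*:* 02:*:* }",
]
ONE_KEYBOARD = ["allow with-interface one-of { 03:00:01 03:01:01 } "
                "if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })"]
FLASH_DISK = ["08:06:50"]                      # plain mass storage
DISK_WITH_KEYBOARD = ["08:06:50", "03:01:01"]  # flash disk that also presents a keyboard
KEYBOARD = ["03:01:01"]

if __name__ == "__main__":
    for name, dev in (("flash disk", FLASH_DISK), ("disk+keyboard", DISK_WITH_KEYBOARD),
                      ("keyboard", KEYBOARD)):
        print(f"{name:14s} mass-storage-only={evaluate(parse_policy(MASS_STORAGE_ONLY), dev)} "
              f"reject-suspicious={evaluate(parse_policy(REJECT_SUSPICIOUS), dev)}")
    print("second keyboard:", evaluate(parse_policy(ONE_KEYBOARD), KEYBOARD, allowed=[KEYBOARD]))
```

Feeding the output of `usbguard list-devices` through `parse_device_line` and then `evaluate` shows, before a rule set is installed, which present devices a candidate policy would allow, block, or reject; the real daemon also matches on id, serial, hash and via-port, which this subset leaves out.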
After an initial policy generation using the usbguard generate-policy command, edit the /etc/usbguard/rules.conf file to customize the USBGuard policy rules:

~]$ usbguard generate-policy > rules.conf
~]$ vim rules.conf
To install the updated policy and make your changes effective, use the following command:

~]# install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf

4.12.4. Additional Resources
For additional information on USBGuard, see the following documentation:

- usbguard(1) man page
- usbguard-rules.conf(5) man page
- usbguard-daemon(8) man page
- usbguard-daemon.conf(5) man page