14.5. Creating a custom policy for USB devices

The following procedure contains steps for creating a rule set for USB devices that reflects the requirements of your scenario.

Conditions préalables

The usbguard service is installed and running.
The /etc/usbguard/rules.conf file contains an initial rule set generated by the usbguard generate-policy command.

Procédure

Create a policy which authorizes the currently connected USB devices, and store the generated rules to the rules.conf file:
```
# usbguard generate-policy --no-hashes > ./rules.conf
```
The --no-hashes option does not generate hash attributes for devices. Avoid hash attributes in your configuration settings because they might not be persistent.
Edit the rules.conf file with a text editor of your choice, for example:
```
# vi ./rules.conf
```
Add, remove, or edit the rules as required. For example, the following rule allows only devices with a single mass storage interface to interact with the system:
```
allow with-interface equals { 08:*:* }
```
See the usbguard-rules.conf(5) man page for a detailed rule-language description and more examples.

Install the updated policy:

# install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf

Restart the usbguard daemon to apply your changes:
```
# systemctl restart usbguard
```

Vérification

Ressources supplémentaires