
Appendix USBGuard


Environment

  • RockyLinux 9

  • Ubuntu 22.04

  • usbguard 1.0.0


RockyLinux 9

The package to install is "usbguard".

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dnf install usbguard 
[root@lpic303-rocky34 ~]#

The `usbguard` command cannot be used unless the "usbguard" service is running. The session below only starts the service; `systemctl enable --now usbguard.service` would also make it start at boot.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# systemctl is-enabled usbguard.service
disabled
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# systemctl start usbguard.service
[root@lpic303-rocky34 ~]#

Help for the `usbguard` command

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard
 Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ...

 Options:

 Commands:
  get-parameter <name>           Get the value of a runtime parameter.
  set-parameter <name> <value>   Set the value of a runtime parameter.
  list-devices                   List all USB devices recognized by the USBGuard daemon.
  allow-device <id|rule|p-rule>  Authorize a device to interact with the system.
  block-device <id|rule|p-rule>  Deauthorize a device.
  reject-device <id|rule|p-rule> Deauthorize and remove a device from the system.

  list-rules                     List the rule set (policy) used by the USBGuard daemon.
  append-rule <rule>             Append a rule to the rule set.
  remove-rule <id>               Remove a rule from the rule set.

  generate-policy                Generate a rule set (policy) based on the connected USB devices.
  watch                          Watch for IPC interface events and print them to stdout.
  read-descriptor                Read a USB descriptor from a file and print it in human-readable form.

  add-user <name>                Add USBGuard IPC user/group (requires root privilges)
  remove-user <name>             Remove USBGuard IPC user/group (requires root privileges)

[root@lpic303-rocky34 ~]#

Difference between the `lsusb` and `usbguard` commands

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
[root@lpic303-rocky34 ~]#



Ubuntu 22.04

root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# apt install usbguard
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# systemctl is-enabled usbguard.service
enabled
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# usbguard
 Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ...

 Options:

 Commands:
  get-parameter <name>           Get the value of a runtime parameter.
  set-parameter <name> <value>   Set the value of a runtime parameter.
  list-devices                   List all USB devices recognized by the USBGuard daemon.
  allow-device <id|rule|p-rule>  Authorize a device to interact with the system.
  block-device <id|rule|p-rule>  Deauthorize a device.
  reject-device <id|rule|p-rule> Deauthorize and remove a device from the system.

  list-rules                     List the rule set (policy) used by the USBGuard daemon.
  append-rule <rule>             Append a rule to the rule set.
  remove-rule <id>               Remove a rule from the rule set.

  generate-policy                Generate a rule set (policy) based on the connected USB devices.
  watch                          Watch for IPC interface events and print them to stdout.
  read-descriptor                Read a USB descriptor from a file and print it in human-readable form.

  add-user <name>                Add USBGuard IPC user/group (requires root privilges)
  remove-user <name>             Remove USBGuard IPC user/group (requires root privileges)

root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# usbguard list-devices
4: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
5: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
6: allow id 80ee:0021 serial "" name "USB Tablet" hash "8S88DbsXkyb93aEG099kxcbjrHSGfpZEJ8W0048wl1A=" parent-hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" via-port "2-1" with-interface 03:00:00 with-connect-type "unknown"
root@lpic303-ubuntu35:~#

Example run

The following example shows what happens when an old 256MB USB memory stick is plugged in.

After plugging in the USB stick, `lsusb` confirms it is connected (line 1, "ID 0ea0:2168").
However, `fdisk` shows no corresponding device.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# lsusb
Bus 002 Device 002: ID 0ea0:2168 Ours Technology, Inc. Transcend JetFlash 2.0 / Astone USB Drive / Intellegent Stick 2.0
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# fdisk -l | grep "^Disk /dev"
Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/sdc: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/mapper/rl-root: 45.04 GiB, 48364519424 bytes, 94461952 sectors
Disk /dev/mapper/rl-swap: 3.95 GiB, 4244635648 bytes, 8290304 sectors
[root@lpic303-rocky34 ~]#

`dmesg` shows "Device is not authorized for usage", and `usbguard list-devices` shows the device as "blocked".

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dmesg
   : 
[ 3325.565935] usb 2-1: New USB device found, idVendor=0ea0, idProduct=2168, bcdDevice= 2.00
[ 3325.565941] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 3325.565943] usb 2-1: Product: Flash Disk
[ 3325.565945] usb 2-1: Manufacturer: USB
[ 3325.565947] usb 2-1: SerialNumber: 230760A43EE81145
[ 3325.572907] usb 2-1: Device is not authorized for usage
   : 
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#

allow-device subcommand

Let's enable the blocked USB stick with the `allow-device` subcommand.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard allow-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#

`dmesg` also confirms that the device has been connected.

[root@lpic303-rocky34 ~]# dmesg
   : 
[ 4123.812653] usb 2-1: authorized to connect
[ 4123.828334] usb-storage 2-1:1.0: USB Mass Storage device detected
[ 4123.829749] scsi host5: usb-storage 2-1:1.0
[ 4123.830030] usbcore: registered new interface driver usb-storage
[ 4123.836720] usbcore: registered new interface driver uas
[ 4124.845908] scsi 5:0:0:0: Direct-Access     BUFFALO  ClipDrive        2.00 PQ: 0 ANSI: 2
[ 4124.846427] sd 5:0:0:0: Attached scsi generic sg4 type 0
[ 4124.979150] sd 5:0:0:0: [sdd] 512000 512-byte logical blocks: (262 MB/250 MiB)
[ 4124.990803] sd 5:0:0:0: [sdd] Write Protect is off
[ 4124.990809] sd 5:0:0:0: [sdd] Mode Sense: 03 00 00 00
[ 4125.001756] sd 5:0:0:0: [sdd] No Caching mode page found
[ 4125.001762] sd 5:0:0:0: [sdd] Assuming drive cache: write through
[ 4125.079295]  sdd: sdd1
[ 4125.079473] sd 5:0:0:0: [sdd] Attached SCSI removable disk
   : 
[root@lpic303-rocky34 ~]#

`fdisk` now shows it too.
The last line, "Disk /dev/sdd: 250 MiB ...", is the connected USB stick.

[root@lpic303-rocky34 ~]# 
[root@lpic303-rocky34 ~]# fdisk -l | grep "^Disk /dev"
Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/sdc: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/mapper/rl-root: 45.04 GiB, 48364519424 bytes, 94461952 sectors
Disk /dev/mapper/rl-swap: 3.95 GiB, 4244635648 bytes, 8290304 sectors
Disk /dev/sdd: 250 MiB, 262144000 bytes, 512000 sectors
[root@lpic303-rocky34 ~]#

block-device subcommand

After blocking the device with the `block-device` command, it disappeared from `fdisk` as well.
Unplugging and re-plugging the USB stick afterwards did not make it appear in `fdisk` again either.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard block-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# fdisk -l | grep "^Disk /dev"
Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/sdc: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/mapper/rl-root: 45.04 GiB, 48364519424 bytes, 94461952 sectors
Disk /dev/mapper/rl-swap: 3.95 GiB, 4244635648 bytes, 8290304 sectors
[root@lpic303-rocky34 ~]#

reject-device subcommand

Incidentally, the `usbguard reject-device` command switches the connected USB stick to blocked and goes as far as detaching the USB device from the system.

★ State: the USB stick is blocked ★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
5: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#

★ State: the block on the USB stick has been lifted ★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard allow-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
5: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#

★ State: after `reject-device` on the USB stick ★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard reject-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
[root@lpic303-rocky34 ~]#

★ State: the USB stick was reconnected but is blocked ★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
6: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#

generate-policy subcommand

A policy can also be created with the `generate-policy` subcommand.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard generate-policy > rules.conf
[root@lpic303-rocky34 ~]# cat rules.conf
allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" with-interface 09:00:00 with-connect-type ""
allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50 with-connect-type "unknown"
[root@lpic303-rocky34 ~]#

Place the created policy at "/etc/usbguard/rules.conf" with the `install` command; it is loaded once the "usbguard" service is restarted.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# systemctl restart usbguard
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cat /etc/usbguard/rules.conf
allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" with-interface 09:00:00 with-connect-type ""
allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50 with-connect-type "unknown"
[root@lpic303-rocky34 ~]#

list-rules subcommand

The rules currently in effect in the running "usbguard" service can be checked with the `list-rules` subcommand.

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-rules
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" with-interface 09:00:00 with-connect-type ""
3: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50 with-connect-type "unknown"
[root@lpic303-rocky34 ~]#
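Added example (not this note's or the USBGuard project's own code): a shell script that parses the attribute format shared by `usbguard list-devices` output and rules.conf, lists the entries held in block/reject state like the "Flash Disk" in the example run above, and audits a policy written by `generate-policy` for allow rules that lack a `hash` or admit a mass-storage (class 08) interface. The function names and the two "weak" rules are assumptions made for the demo; the other sample lines are copied from the sessions on this page.

```shell
#!/usr/bin/env bash
# Added example (not the note's or USBGuard's own code): parse the attribute
# format shared by `usbguard list-devices` output and rules.conf, list the
# devices held in block/reject state, and audit a policy for allow rules weaker
# than what generate-policy emits (no "hash", or mass-storage class 08 allowed).
# Lines marked "from the page" are copied from this note; "weak" rules are
# invented for the demo.

# attr NAME LINE -> value of quoted attribute NAME ("" if absent).
# The leading [[:space:]] keeps "hash" from matching inside "parent-hash".
attr() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1 \"\([^\"]*\)\".*/\1/p"
}
# dev_id LINE -> the unquoted "id vid:pid" value (may contain "*" wildcards)
dev_id() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]id \([^[:space:]]*\).*/\1/p'
}
# target LINE -> allow|block|reject; tolerates the "N: " prefix of list-devices
target() {
  printf '%s\n' "$1" | sed 's/^[0-9][0-9]*: //' | cut -d' ' -f1
}
# ifaces LINE -> one class:subclass:protocol per line; handles the single form
# "with-interface 08:06:50" and the composite form "with-interface { a b }"
ifaces() {
  local rest
  case $1 in *with-interface*) ;; *) return 0 ;; esac
  rest=${1#*with-interface }
  case $rest in
    \{*) rest=${rest#\{}; rest=${rest%%\}*} ;;
    *)   rest=${rest%% *} ;;
  esac
  printf '%s\n' "$rest" | tr -s ' ' '\n' | sed '/^$/d'
}

# blocked_devices: reads list-devices output on stdin, prints "vid:pid serial"
# for every entry whose target is block or reject
blocked_devices() {
  local line
  while IFS= read -r line; do
    case $(target "$line") in
      block|reject) printf '%s %s\n' "$(dev_id "$line")" "$(attr serial "$line")" ;;
    esac
  done
}

# audit_policy: reads a rules.conf on stdin, prints one finding per line;
# rule numbers follow the numbering `usbguard list-rules` would show
audit_policy() {
  local line id n=0
  while IFS= read -r line; do
    case $line in ''|\#*) continue ;; esac        # skip blank and comment lines
    n=$((n + 1))
    [ "$(target "$line")" = allow ] || continue
    id=$(dev_id "$line")
    [ -n "$(attr hash "$line")" ] ||
      printf 'rule %d (id %s): allow without hash, any device with this id matches\n' "$n" "${id:-*}"
    ifaces "$line" | while IFS= read -r i; do
      case $i in 08:*) printf 'rule %d (id %s): allows mass-storage interface %s\n' "$n" "${id:-*}" "$i" ;; esac
    done
  done
}

sample_devices() { cat <<'EOF'
# from the page: list-devices while the stick was blocked
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
3: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
EOF
}
sample_policy() { cat <<'EOF'
# rules 1-2: from the page, as written by `usbguard generate-policy`
allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00 with-connect-type ""
allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk      " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50 with-connect-type "unknown"
# rules 3-4: constructed weak rules, not from the page
allow id 0ea0:2168
allow id 046d:* with-interface { 03:01:01 03:00:00 }
EOF
}

echo "== blocked devices =="; sample_devices | blocked_devices
echo "== policy findings =="; sample_policy | audit_policy
```

On a live host the same functions read real data with `usbguard list-devices | blocked_devices` and `audit_policy < /etc/usbguard/rules.conf`.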

Configuration file

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cd /etc/usbguard/
[root@lpic303-rocky34 usbguard]#
[root@lpic303-rocky34 usbguard]# ls -la
合計 24
drwxr-xr-x.  4 root root   93  28 23:31 .
drwxr-xr-x. 89 root root 8192  210 23:00 ..
drwxr-xr-x.  2 root root    6  424  2023 IPCAccessControl.d
-rw-------.  1 root root  686  28 23:31 rules.conf
drwxr-xr-x.  2 root root    6  424  2023 rules.d
-rw-------.  1 root root 6418  424  2023 usbguard-daemon.conf
[root@lpic303-rocky34 usbguard]# 
[root@lpic303-rocky34 usbguard]# cat usbguard-daemon.conf
#
# Rule set file path.
#
# The USBGuard daemon will use this file to load the policy
# rule set from it and to write new rules received via the
# IPC interface.
#
# RuleFile=/path/to/rules.conf
#
RuleFile=/etc/usbguard/rules.conf

#
# Rule set folder path.
#
# The USBGuard daemon will use this folder to load the policy
# rule set from it and to write new rules received via the
# IPC interface. Usually, we set the option to
# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
# behave like any other standard Linux daemon therefore it
# loads rule files in alpha-numeric order. File names inside
# RuleFolder directory should start with a two-digit number
# prefix indicating the position, in which the rules are
# scanned by the daemon.
#
# RuleFolder=/path/to/rulesfolder/
#
RuleFolder=/etc/usbguard/rules.d/

#
# Implicit policy target.
#
# How to treat devices that don't match any rule in the
# policy. One of:
#
# * allow  - authorize the device
# * block  - block the device
# * reject - remove the device
#
ImplicitPolicyTarget=block

#
# Present device policy.
#
# How to treat devices that are already connected when the
# daemon starts. One of:
#
# * allow        - authorize every present device
# * block        - deauthorize every present device
# * reject       - remove every present device
# * keep         - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
#                  device
#
PresentDevicePolicy=apply-policy

#
# Present controller policy.
#
# How to treat USB controllers that are already connected
# when the daemon starts. One of:
#
# * allow        - authorize every present device
# * block        - deauthorize every present device
# * reject       - remove every present device
# * keep         - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
#                  device
#
PresentControllerPolicy=keep

#
# Inserted device policy.
#
# How to treat USB devices that are already connected
# *after* the daemon starts. One of:
#
# * block        - deauthorize every present device
# * reject       - remove every present device
# * apply-policy - evaluate the ruleset for every present
#                  device
#
InsertedDevicePolicy=apply-policy

#
# Control which devices are authorized by default.
#
# The USBGuard daemon modifies some the default authorization state attributes
# of controller devices. This setting, enables you to define what value the
# default authorization is set to.
#
# * keep         - do not change the authorization state
# * none         - every new device starts out deauthorized
# * all          - every new device starts out authorized
# * internal     - internal devices start out authorized, external devices start
#                  out deauthorized (this requires the ACPI tables to properly
#                  label internal devices, and kernel support)
# #AuthorizedDefault =none

#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
# instances. Using this setting, you can control whether the
# daemon will try to restore the attribute values to the state
# before modification on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
# daemon (via a local exploit or via a USB device) to make it shutdown
# and restore to the operating-system default state (known to be permissive).
#
RestoreControllerDeviceState=false

#
# Device manager backend
#
# Which device manager backend implementation to use. One of:
#
# * uevent   - Netlink based implementation which uses sysfs to scan for present
#              devices and an uevent netlink socket for receiving USB device
#              related events.
# * umockdev - umockdev based device manager capable of simulating devices based
#              on umockdev-record files. Useful for testing.
#
DeviceManagerBackend=uevent

#!!! WARNING: It's good practice to set at least one of the !!!
#!!!          two options bellow. If none of them are set,  !!!
#!!!          the daemon will accept IPC connections from   !!!
#!!!          anyone, thus allowing anyone to modify the    !!!
#!!!          rule set and (de)authorize USB devices.       !!!

#
# Users allowed to use the IPC interface.
#
# A space delimited list of usernames that the daemon will
# accept IPC connections from.
#
# IPCAllowedUsers=username1 username2 ...
#
IPCAllowedUsers=root

#
# Groups allowed to use the IPC interface.
#
# A space delimited list of groupnames that the daemon will
# accept IPC connections from.
#
# IPCAllowedGroups=groupname1 groupname2 ...
#
IPCAllowedGroups=wheel

#
# IPC access control definition files path.
#
# The files at this location will be interpreted by the daemon
# as access control definition files. The (base)name of a file
# should be in the form:
#
#   [user][:<group>]
#
# and should contain lines in the form:
#
#   <section>=[privilege] ...
#
# This way each file defines who is able to connect to the IPC
# bus and what privileges he has.
#
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/

#
# Generate device specific rules including the "via-port"
# attribute.
#
# This option modifies the behavior of the allowDevice
# action. When instructed to generate a permanent rule,
# the action can generate a port specific rule. Because
# some systems have unstable port numbering, the generated
# rule might not match the device after rebooting the system.
#
# If set to false, the generated rule will still contain
# the "parent-hash" attribute which also defines an association
# to the parent device. See usbguard-rules.conf(5) for more
# details.
#
DeviceRulesWithPort=false

#
# USBGuard Audit events log backend
#
# One of:
#
# * FileAudit - Log audit events into a file specified by
#               AuditFilePath setting (see below)
# * LinuxAudit - Log audit events using the Linux Audit
#                subsystem (using audit_log_user_message)
#
AuditBackend=FileAudit

#
# USBGuard audit events log file path.
#
AuditFilePath=/var/log/usbguard/usbguard-audit.log

#
# Hides personally identifiable information such as device serial numbers and
# hashes of descriptors (which include the serial number) from audit entries.
# #HidePII =false
[root@lpic303-rocky34 usbguard]#
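Added example (not this note's or the USBGuard project's own code): a shell check of usbguard-daemon.conf against the advice in the file's own comments, flagging ImplicitPolicyTarget=allow, PresentDevicePolicy=allow, RestoreControllerDeviceState=true and an IPC section with neither IPCAllowedUsers nor IPCAllowedGroups set. The function names and the "weak" sample config are assumptions; the "hardened" sample repeats the effective settings of the file above.

```shell
#!/usr/bin/env bash
# Added example (not the note's or USBGuard's own code): check the settings of
# a usbguard-daemon.conf against the advice in the file's own comments. The two
# sample configs are constructed; HARDENED_CONF repeats the effective settings
# of the RockyLinux 9 file above, WEAK_CONF is what a lab box often looks like.

# conf_get CONF KEY -> value of the last active "KEY=value" line in the string
# CONF; commented-out keys such as "# IPCAllowedUsers=..." are ignored
conf_get() {
  printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_daemon_conf CONF -> one finding per line, empty output when all pass
audit_daemon_conf() {
  local conf=$1 v
  v=$(conf_get "$conf" ImplicitPolicyTarget)
  case $v in
    block|reject) ;;
    allow) echo "ImplicitPolicyTarget=allow: a device matching no rule is authorized" ;;
    *) echo "ImplicitPolicyTarget not set: state block or reject explicitly" ;;
  esac
  v=$(conf_get "$conf" PresentDevicePolicy)
  [ "$v" != allow ] ||
    echo "PresentDevicePolicy=allow: devices present at daemon start bypass the rule set"
  v=$(conf_get "$conf" RestoreControllerDeviceState)
  [ "$v" != true ] ||
    echo "RestoreControllerDeviceState=true: stopping the daemon restores the permissive kernel default"
  v=$(conf_get "$conf" IPCAllowedUsers)$(conf_get "$conf" IPCAllowedGroups)
  [ -n "$v" ] ||
    echo "IPCAllowedUsers/IPCAllowedGroups both unset: anyone may connect to the IPC and edit the rule set"
}

# constructed: the permissive end of the spectrum
WEAK_CONF=$(cat <<'EOF'
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=allow
PresentDevicePolicy=allow
RestoreControllerDeviceState=true
# IPCAllowedUsers=username1 username2 ...
# IPCAllowedGroups=groupname1 groupname2 ...
EOF
)
# the effective (uncommented) settings of the file shown on this page
HARDENED_CONF=$(cat <<'EOF'
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
RestoreControllerDeviceState=false
IPCAllowedUsers=root
IPCAllowedGroups=wheel
AuditBackend=FileAudit
EOF
)

echo "== WEAK_CONF =="; audit_daemon_conf "$WEAK_CONF"
echo "== HARDENED_CONF =="; audit_daemon_conf "$HARDENED_CONF"
```

On a live host, `audit_daemon_conf "$(cat /etc/usbguard/usbguard-daemon.conf)"` runs the same checks against the real file.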


