Appendix USBGuard
Environment
RockyLinux 9
Ubuntu 22.04
usbguard 1.0.0
RockyLinux 9
The package to install is "usbguard".
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dnf install usbguard
[root@lpic303-rocky34 ~]#
The `usbguard` command does not work unless the "usbguard" service is running: the CLI talks to the daemon over its IPC socket, so `list-devices`, `allow-device`, `list-rules` and the other IPC commands fail until the daemon is up (`generate-policy` and `read-descriptor` are the exceptions, since they read the device descriptors themselves). On Rocky the package installs the service disabled, so it is started by hand here; on a real host use `systemctl enable --now usbguard.service`, otherwise the kernel's default of authorizing every USB device comes back at the next boot.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# systemctl is-enabled usbguard.service
disabled
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# systemctl start usbguard.service
[root@lpic303-rocky34 ~]#
Help for the `usbguard` command
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard
Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ...
Options:
Commands:
get-parameter <name> Get the value of a runtime parameter.
set-parameter <name> <value> Set the value of a runtime parameter.
list-devices List all USB devices recognized by the USBGuard daemon.
allow-device <id|rule|p-rule> Authorize a device to interact with the system.
block-device <id|rule|p-rule> Deauthorize a device.
reject-device <id|rule|p-rule> Deauthorize and remove a device from the system.
list-rules List the rule set (policy) used by the USBGuard daemon.
append-rule <rule> Append a rule to the rule set.
remove-rule <id> Remove a rule from the rule set.
generate-policy Generate a rule set (policy) based on the connected USB devices.
watch Watch for IPC interface events and print them to stdout.
read-descriptor Read a USB descriptor from a file and print it in human-readable form.
add-user <name> Add USBGuard IPC user/group (requires root privilges)
remove-user <name> Remove USBGuard IPC user/group (requires root privileges)
[root@lpic303-rocky34 ~]#
Difference between `lsusb` and `usbguard list-devices`: `lsusb` lists what the kernel enumerated, while `usbguard list-devices` also shows each device's authorization state (allow/block) and the attributes a rule can match on (hash, parent-hash, via-port, with-interface, with-connect-type).
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
[root@lpic303-rocky34 ~]#
Ubuntu 22.04
On Ubuntu the package enables and starts the service during installation, so unlike Rocky no manual `systemctl start` is needed.
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# apt install usbguard
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# systemctl is-enabled usbguard.service
enabled
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# usbguard
Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ...
Options:
Commands:
get-parameter <name> Get the value of a runtime parameter.
set-parameter <name> <value> Set the value of a runtime parameter.
list-devices List all USB devices recognized by the USBGuard daemon.
allow-device <id|rule|p-rule> Authorize a device to interact with the system.
block-device <id|rule|p-rule> Deauthorize a device.
reject-device <id|rule|p-rule> Deauthorize and remove a device from the system.
list-rules List the rule set (policy) used by the USBGuard daemon.
append-rule <rule> Append a rule to the rule set.
remove-rule <id> Remove a rule from the rule set.
generate-policy Generate a rule set (policy) based on the connected USB devices.
watch Watch for IPC interface events and print them to stdout.
read-descriptor Read a USB descriptor from a file and print it in human-readable form.
add-user <name> Add USBGuard IPC user/group (requires root privilges)
remove-user <name> Remove USBGuard IPC user/group (requires root privileges)
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 80ee:0021 VirtualBox USB Tablet
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
root@lpic303-ubuntu35:~#
root@lpic303-ubuntu35:~# usbguard list-devices
4: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
5: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
6: allow id 80ee:0021 serial "" name "USB Tablet" hash "8S88DbsXkyb93aEG099kxcbjrHSGfpZEJ8W0048wl1A=" parent-hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" via-port "2-1" with-interface 03:00:00 with-connect-type "unknown"
root@lpic303-ubuntu35:~#
Example run
The following shows what happens when an old 256 MB USB flash drive is plugged in.
After connecting it, `lsusb` confirms the drive is present (first line, "ID 0ea0:2168").
However, `fdisk` shows no device that could be it.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# lsusb
Bus 002 Device 002: ID 0ea0:2168 Ours Technology, Inc. Transcend JetFlash 2.0 / Astone USB Drive / Intellegent Stick 2.0
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# fdisk -l | grep "^Disk /dev"
Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/sdc: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/mapper/rl-root: 45.04 GiB, 48364519424 bytes, 94461952 sectors
Disk /dev/mapper/rl-swap: 3.95 GiB, 4244635648 bytes, 8290304 sectors
[root@lpic303-rocky34 ~]#
`dmesg` shows "Device is not authorized for usage", and `usbguard list-devices` shows the drive with target `block` (`usbguard list-devices -b` lists only the blocked devices). This is ImplicitPolicyTarget=block at work: no rule matches the drive, so the daemon deauthorizes it before any driver (here usb-storage) can bind to it.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# dmesg
:
[ 3325.565935] usb 2-1: New USB device found, idVendor=0ea0, idProduct=2168, bcdDevice= 2.00
[ 3325.565941] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 3325.565943] usb 2-1: Product: Flash Disk
[ 3325.565945] usb 2-1: Manufacturer: USB
[ 3325.565947] usb 2-1: SerialNumber: 230760A43EE81145
[ 3325.572907] usb 2-1: Device is not authorized for usage
:
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
allow-device subcommand
Try enabling the blocked USB flash drive with the `allow-device` subcommand.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard allow-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
`dmesg` also shows that it is now connected: the device is authorized and the usb-storage driver binds to it.
[root@lpic303-rocky34 ~]# dmesg
:
[ 4123.812653] usb 2-1: authorized to connect
[ 4123.828334] usb-storage 2-1:1.0: USB Mass Storage device detected
[ 4123.829749] scsi host5: usb-storage 2-1:1.0
[ 4123.830030] usbcore: registered new interface driver usb-storage
[ 4123.836720] usbcore: registered new interface driver uas
[ 4124.845908] scsi 5:0:0:0: Direct-Access BUFFALO ClipDrive 2.00 PQ: 0 ANSI: 2
[ 4124.846427] sd 5:0:0:0: Attached scsi generic sg4 type 0
[ 4124.979150] sd 5:0:0:0: [sdd] 512000 512-byte logical blocks: (262 MB/250 MiB)
[ 4124.990803] sd 5:0:0:0: [sdd] Write Protect is off
[ 4124.990809] sd 5:0:0:0: [sdd] Mode Sense: 03 00 00 00
[ 4125.001756] sd 5:0:0:0: [sdd] No Caching mode page found
[ 4125.001762] sd 5:0:0:0: [sdd] Assuming drive cache: write through
[ 4125.079295] sdd: sdd1
[ 4125.079473] sd 5:0:0:0: [sdd] Attached SCSI removable disk
:
[root@lpic303-rocky34 ~]#
`fdisk` shows it too; the last line, "Disk /dev/sdd: 250 MiB ...", is the USB flash drive.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# fdisk -l | grep "^Disk /dev"
Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/sdc: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/mapper/rl-root: 45.04 GiB, 48364519424 bytes, 94461952 sectors
Disk /dev/mapper/rl-swap: 3.95 GiB, 4244635648 bytes, 8290304 sectors
Disk /dev/sdd: 250 MiB, 262144000 bytes, 512000 sectors
[root@lpic303-rocky34 ~]#
block-device subcommand
Blocking it again with `block-device` makes it disappear from `fdisk` as well.
After that, unplugging and re-inserting the drive never brought it back in `fdisk`. This is expected: `allow-device` without `-p` only changes the runtime authorization of that one device instance, not the rule set. Each re-insertion is a new device (note the increasing device ids further below) that is evaluated against the rules (InsertedDevicePolicy=apply-policy), and with no matching rule the implicit target `block` applies. To make a decision persistent, use `usbguard allow-device -p <id>`, which also appends a matching rule to the rule file, or add a rule yourself with `append-rule`.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard block-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
3: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# fdisk -l | grep "^Disk /dev"
Disk /dev/sda: 50 GiB, 53687091200 bytes, 104857600 sectors
Disk /dev/sdb: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/sdc: 1 GiB, 1073741824 bytes, 2097152 sectors
Disk /dev/mapper/rl-root: 45.04 GiB, 48364519424 bytes, 94461952 sectors
Disk /dev/mapper/rl-swap: 3.95 GiB, 4244635648 bytes, 8290304 sectors
[root@lpic303-rocky34 ~]#
reject-device subcommand
By comparison, `usbguard reject-device` not only deauthorizes the connected USB drive but also removes it from the system, so it disappears from `list-devices` altogether. Re-inserting it enumerates a new device instance that is evaluated against the policy again, and here it ends up blocked.
★State: USB drive blocked★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
5: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
★State: USB drive unblocked★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard allow-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
5: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
★State: after `reject-device` on the USB drive★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard reject-device 0ea0:2168
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
[root@lpic303-rocky34 ~]#
★State: USB drive re-inserted, but blocked★
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-devices
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" via-port "usb2" with-interface 09:00:00 with-connect-type ""
6: block id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" via-port "2-1" with-interface 08:06:50 with-connect-type ""
[root@lpic303-rocky34 ~]#
generate-policy subcommand
A policy can also be generated with the `generate-policy` subcommand. It emits an `allow` rule for every device connected at that moment, pinned by id, serial, hash and interfaces; because the flash drive was allowed at this point it is included too, so review the output before installing it.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard generate-policy > rules.conf
[root@lpic303-rocky34 ~]# cat rules.conf
allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" with-interface 09:00:00 with-connect-type ""
allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50 with-connect-type "unknown"
[root@lpic303-rocky34 ~]#
Place the generated policy at "/etc/usbguard/rules.conf" with the `install` command and restart the "usbguard" service to load it. The restart re-evaluates every already-connected device against the new rule set (PresentDevicePolicy=apply-policy), so on a physical machine make sure the keyboard and mouse you are working from have rules before restarting, or they will be blocked along with everything else. Afterwards check with `systemctl status usbguard` that the daemon came back up.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# systemctl restart usbguard
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cat /etc/usbguard/rules.conf
allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" with-interface 09:00:00 with-connect-type ""
allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50 with-connect-type "unknown"
[root@lpic303-rocky34 ~]#
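The generated file allows exactly what was plugged in when it ran, and the block-device experiment above is the reason the file matters: a runtime allow is forgotten on re-insertion, so anything that should stay usable needs a rule. USBGuard evaluates rules top-down and applies the first match, so a careless `allow` near the top silently disables everything below it. The script below is an added example for this page, not part of usbguard: a POSIX sh/awk lint (`usbguard_lint` is a name chosen here) that flags bare `allow` rules and `allow` rules not pinned to a hash, run against two constructed rule sets. The weak set is made up; the hardened set reuses the hashes this page generated plus the two interface-combination `reject` rules from the usbguard-rules.conf(5) man page, which catch a storage device that also presents a keyboard interface.

```shell
#!/bin/sh
# usbguard_lint: audit a USBGuard rules.conf for the usual mistakes before
# installing it. Added example for this page, not part of usbguard itself.
# USBGuard evaluates rules top-down and applies the first match; a device that
# matches nothing falls through to ImplicitPolicyTarget (block in the page's
# usbguard-daemon.conf). Reads the rule file on stdin and prints one finding
# per line, or "OK" when nothing was flagged.
usbguard_lint() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    {
      n++
      if (NF == 1) {                             # a bare target such as "allow"
        if ($1 == "allow") {
          printf "rule %d: bare \"allow\" matches every device; first match wins, so every rule below it is dead\n", n
          f++
        }
        next
      }
      if ($1 != "allow") next                    # block/reject rules cannot widen access
      # leading space so that parent-hash is not mistaken for hash
      has_hash = ($0 ~ / hash "[^"]+"/)
      # class 08 = mass storage, as a single value or inside a { ... } set
      storage  = ($0 ~ /with-interface[ \t]+08:/ ||
                  $0 ~ /with-interface[ \t]+([a-z-]+[ \t]+)?[{][^}]*[ \t{]08:/)
      if (!has_hash) {
        printf "rule %d: allow without hash; id, serial and name are reported by the device itself and can be cloned\n", n
        f++
      }
      if (storage && !has_hash) {
        printf "rule %d: admits USB mass storage (class 08) without pinning a hash\n", n
        f++
      }
    }
    END { if (n == 0) print "no rules found"; else if (f == 0) print "OK" }
  '
}

# Constructed weak rule set (made up for this example): the bare "allow" turns
# USBGuard off in practice, and the second rule is dead code behind it.
WEAK_RULES='allow
allow id 0ea0:2168 with-interface 08:06:50'

# Hardened rule set: the hub rules and the flash-drive rule reuse the hashes
# generated on this page; the two reject rules are the interface-combination
# examples from usbguard-rules.conf(5). Order matters: the rejects sit above
# any allow that could match a storage device that also claims a HID interface.
HARDENED_RULES='allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00
allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" with-interface 09:00:00
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
allow id 0ea0:2168 serial "230760A43EE81145" hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50'

echo "== weak rule set =="
printf '%s\n' "$WEAK_RULES" | usbguard_lint
echo "== hardened rule set =="
printf '%s\n' "$HARDENED_RULES" | usbguard_lint
# On a real host: usbguard generate-policy | usbguard_lint
#             or: usbguard_lint < /etc/usbguard/rules.conf
```

The hash is the attribute worth insisting on: id, serial and name are whatever the device reports, whereas the hash is computed over the descriptors USBGuard read, so a rule pinned to it only matches a device presenting that exact descriptor set. The lint is deliberately conservative and only reads the file; whether the daemon accepts the syntax is still decided when the service is restarted, so keep the `systemctl status` check from the step above.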
list-rules subcommand
The rules the "usbguard" service is currently running with can be seen with the `list-rules` subcommand. The number in front of each rule is the rule id that `remove-rule` takes.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# usbguard list-rules
1: allow id 1d6b:0001 serial "0000:00:06.0" name "OHCI PCI host controller" hash "lUN32sIeMBBlD8Pd82mxu95iCTw8oKlT8iZDeg628/o=" parent-hash "XokStAV3JXWqQkW0l6YD7ZPFcHse1OtwuGmVNBCe46E=" with-interface 09:00:00 with-connect-type ""
2: allow id 1d6b:0002 serial "0000:00:0b.0" name "EHCI Host Controller" hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" parent-hash "BfFg9THiKJIvTnHGCjHfrWc00WcrIzhayJ9C3BiPYho=" with-interface 09:00:00 with-connect-type ""
3: allow id 0ea0:2168 serial "230760A43EE81145" name "Flash Disk " hash "IfsX7zc+JwpTRkyLgCmvWbSfbKjZs564qhqHFfE+6zI=" parent-hash "SEiVqUWwefEKDMN9OJUyXkFIvvFPJmvPTRKIlVCvlvE=" with-interface 08:06:50 with-connect-type "unknown"
[root@lpic303-rocky34 ~]#
Configuration file
Two settings in the file below deserve attention. With `IPCAllowedUsers=root` and `IPCAllowedGroups=wheel`, every member of wheel can authorize devices and rewrite the rule set without becoming root, so that group is part of the trust boundary (the file's own warning explains what happens if neither option is set). And every authorization decision and rule change is written to the file named by `AuditFilePath`, which is the log to forward if you want to alert on blocked devices.
[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cd /etc/usbguard/
[root@lpic303-rocky34 usbguard]#
[root@lpic303-rocky34 usbguard]# ls -la
total 24
drwxr-xr-x. 4 root root 93 Feb 8 23:31 .
drwxr-xr-x. 89 root root 8192 Feb 10 23:00 ..
drwxr-xr-x. 2 root root 6 Apr 24 2023 IPCAccessControl.d
-rw-------. 1 root root 686 Feb 8 23:31 rules.conf
drwxr-xr-x. 2 root root 6 Apr 24 2023 rules.d
-rw-------. 1 root root 6418 Apr 24 2023 usbguard-daemon.conf
[root@lpic303-rocky34 usbguard]#
[root@lpic303-rocky34 usbguard]# cat usbguard-daemon.conf
#
# Rule set file path.
#
# The USBGuard daemon will use this file to load the policy
# rule set from it and to write new rules received via the
# IPC interface.
#
# RuleFile=/path/to/rules.conf
#
RuleFile=/etc/usbguard/rules.conf
#
# Rule set folder path.
#
# The USBGuard daemon will use this folder to load the policy
# rule set from it and to write new rules received via the
# IPC interface. Usually, we set the option to
# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
# behave like any other standard Linux daemon therefore it
# loads rule files in alpha-numeric order. File names inside
# RuleFolder directory should start with a two-digit number
# prefix indicating the position, in which the rules are
# scanned by the daemon.
#
# RuleFolder=/path/to/rulesfolder/
#
RuleFolder=/etc/usbguard/rules.d/
#
# Implicit policy target.
#
# How to treat devices that don't match any rule in the
# policy. One of:
#
# * allow - authorize the device
# * block - block the device
# * reject - remove the device
#
ImplicitPolicyTarget=block
#
# Present device policy.
#
# How to treat devices that are already connected when the
# daemon starts. One of:
#
# * allow - authorize every present device
# * block - deauthorize every present device
# * reject - remove every present device
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
# device
#
PresentDevicePolicy=apply-policy
#
# Present controller policy.
#
# How to treat USB controllers that are already connected
# when the daemon starts. One of:
#
# * allow - authorize every present device
# * block - deauthorize every present device
# * reject - remove every present device
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
# device
#
PresentControllerPolicy=keep
#
# Inserted device policy.
#
# How to treat USB devices that are already connected
# *after* the daemon starts. One of:
#
# * block - deauthorize every present device
# * reject - remove every present device
# * apply-policy - evaluate the ruleset for every present
# device
#
InsertedDevicePolicy=apply-policy
#
# Control which devices are authorized by default.
#
# The USBGuard daemon modifies some the default authorization state attributes
# of controller devices. This setting, enables you to define what value the
# default authorization is set to.
#
# * keep - do not change the authorization state
# * none - every new device starts out deauthorized
# * all - every new device starts out authorized
# * internal - internal devices start out authorized, external devices start
# out deauthorized (this requires the ACPI tables to properly
# label internal devices, and kernel support)
#
#AuthorizedDefault=none
#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
# instances. Using this setting, you can control whether the
# daemon will try to restore the attribute values to the state
# before modification on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
# daemon (via a local exploit or via a USB device) to make it shutdown
# and restore to the operating-system default state (known to be permissive).
#
RestoreControllerDeviceState=false
#
# Device manager backend
#
# Which device manager backend implementation to use. One of:
#
# * uevent - Netlink based implementation which uses sysfs to scan for present
# devices and an uevent netlink socket for receiving USB device
# related events.
# * umockdev - umockdev based device manager capable of simulating devices based
# on umockdev-record files. Useful for testing.
#
DeviceManagerBackend=uevent
#!!! WARNING: It's good practice to set at least one of the !!!
#!!! two options bellow. If none of them are set, !!!
#!!! the daemon will accept IPC connections from !!!
#!!! anyone, thus allowing anyone to modify the !!!
#!!! rule set and (de)authorize USB devices. !!!
#
# Users allowed to use the IPC interface.
#
# A space delimited list of usernames that the daemon will
# accept IPC connections from.
#
# IPCAllowedUsers=username1 username2 ...
#
IPCAllowedUsers=root
#
# Groups allowed to use the IPC interface.
#
# A space delimited list of groupnames that the daemon will
# accept IPC connections from.
#
# IPCAllowedGroups=groupname1 groupname2 ...
#
IPCAllowedGroups=wheel
#
# IPC access control definition files path.
#
# The files at this location will be interpreted by the daemon
# as access control definition files. The (base)name of a file
# should be in the form:
#
# [user][:<group>]
#
# and should contain lines in the form:
#
# <section>=[privilege] ...
#
# This way each file defines who is able to connect to the IPC
# bus and what privileges he has.
#
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
#
# Generate device specific rules including the "via-port"
# attribute.
#
# This option modifies the behavior of the allowDevice
# action. When instructed to generate a permanent rule,
# the action can generate a port specific rule. Because
# some systems have unstable port numbering, the generated
# rule might not match the device after rebooting the system.
#
# If set to false, the generated rule will still contain
# the "parent-hash" attribute which also defines an association
# to the parent device. See usbguard-rules.conf(5) for more
# details.
#
DeviceRulesWithPort=false
#
# USBGuard Audit events log backend
#
# One of:
#
# * FileAudit - Log audit events into a file specified by
# AuditFilePath setting (see below)
# * LinuxAudit - Log audit events using the Linux Audit
# subsystem (using audit_log_user_message)
#
AuditBackend=FileAudit
#
# USBGuard audit events log file path.
#
AuditFilePath=/var/log/usbguard/usbguard-audit.log
#
# Hides personally identifiable information such as device serial numbers and
# hashes of descriptors (which include the serial number) from audit entries.
#
#HidePII=false
[root@lpic303-rocky34 usbguard]#