I'm becoming paranoid about infected USB sticks on my work machine - what can i use to protect it?

Baz · November 13, 2017, 7:36pm

Windows group policy link also in the comments:

Usbguard: protect yourself or your clients from rogue usb devices Linux

Didn’t know this was a thing until like a week ago, it’s pretty nifty. To start off with a preconfigured whitelist for existing devices, plug in all the devices you plan to use, not just thumbdrives. ]# usbguard generate-policy > rules.conf (can’t be named grandpasunderwear.conf like some configs. This will whitelist all devices currently plugged in) ]# install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf ]# systemctl start usbguard And that’s basically it. Man, such complex. To allow a device temporarily, for example to copy data to a mates stick once: ]# usbguard list-devices … 13: allow id foo 14: allow id foo 15: block id 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” parent-hash “xxxxxxx” via-port “1-6” with-interface n:n:n We see that the thumbdrive is device 15 ]# usbguard allow-device 15 Now it will be allowed as long as it’s inserted, being device 15. If you replug it, the drive will be blocked (and any future device 15s) To permanently whitelist a device, just add an allow rule taken from the ‘list-devices’ command Allow a particular device only through specified port: ]# echo ‘allow 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” parent-hash “xxxxxxx” via-port “1-6” with-interface n:n:n’ >> /etch/usbguard/rules.conf Allow particular device in any port: ]# echo 'allow 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” >> /etch/usbguard/rules.conf Don’t forget to reapply whenever rules are changed. ]# systemctl restart usbguard One weird thing to note though, is if you play around with different rules, if a line in the conf file is uncommented (starts with #), usbguard fails to load the rules. Dunno why, but means you can’t have rules in place that are just disabled. Also, apparently wildcards can only be added to specific attributes. https://dkopecek.github.io/usbguard/ https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Sec…