Return to Level1Techs.com

Usbguard: protect yourself or your clients from rogue usb devices

#1

Didn’t know this was a thing until like a week ago, it’s pretty nifty.

To start off with a preconfigured whitelist for existing devices, plug in all the devices you plan to use, not just thumbdrives.

]# usbguard generate-policy > rules.conf

(can’t be named grandpasunderwear.conf like some configs. This will whitelist all devices currently plugged in)

]# install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
]# systemctl start usbguard

And that’s basically it. Man, such complex.
To allow a device temporarily, for example to copy data to a mates stick once:

]# usbguard list-devices


13: allow id foo
14: allow id foo
15: block id 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” parent-hash “xxxxxxx” via-port “1-6” with-interface n:n:n

We see that the thumbdrive is device 15

]# usbguard allow-device 15

Now it will be allowed as long as it’s inserted, being device 15. If you replug it, the drive will be blocked (and any future device 15s)

To permanently whitelist a device, use a ‘-p’ flag

Allow a particular device only through specified port:

]# echo ‘allow 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” parent-hash “xxxxxxx” via-port “1-6” with-interface n:n:n’ >> /etch/usbguard/rules.conf

Allow particular device in any port:

]# echo 'allow 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” >> /etch/usbguard/rules.conf

Don’t forget to reapply whenever rules are changed.

]# systemctl restart usbguard

One weird thing to note though, is if you play around with different rules, if a line in the conf file is uncommented (starts with #), usbguard fails to load the rules. Dunno why, but means you can’t have rules in place that are just disabled.
Also, apparently wildcards can only be added to specific attributes.

https://dkopecek.github.io/usbguard/


https://wiki.archlinux.org/index.php/USBGuard

7 Likes

I'm becoming paranoid about infected USB sticks on my work machine - what can i use to protect it?
Baz's lair of randomness and pure sadness
#2

this is very interesting. i can see this getting rolled into a DLP solution at some point. will give it a try.

0 Likes

#3

We’ve tried looking into this sort of solution for my work environment, but we’re all windows and so this kind of thing is a lot harder.
I may use this kind of tool for my homelab, however.

Looks like a really cool tool! :slight_smile:

1 Like

#4

What do you mean? It is a simple Group Policy Setting.

1 Like

#5

It doesn’t allow whitelisting as far as I know.
Most windows dlp solutions include this type of thing at least I know Symantec forcepoint and carbon black do

0 Likes

#6

I can whitelist devices by their ID. You just have to dig into the policies more. I use Nirsoft USBDEview to easily grab the IDs. I am on an Active Directory domain so it makes it easy to push the GPO out to the needed users or systems.

1 Like

#7

Well now, I feel stupid haha

Thank you for directing me in that direction.

0 Likes