Didn’t know this was a thing until like a week ago, it’s pretty nifty.
To start off with a preconfigured whitelist for existing devices, plug in all the devices you plan to use, not just thumbdrives.
]# usbguard generate-policy > rules.conf
(can’t be named grandpasunderwear.conf like some configs. This will whitelist all devices currently plugged in)
]# install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
]# systemctl start usbguard
And that’s basically it. Man, such complex.
To allow a device temporarily, for example to copy data to a mates stick once:
]# usbguard list-devices
…
13: allow id foo
14: allow id foo
15: block id 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” parent-hash “xxxxxxx” via-port “1-6” with-interface n:n:n
We see that the thumbdrive is device 15
]# usbguard allow-device 15
Now it will be allowed as long as it’s inserted, being device 15. If you replug it, the drive will be blocked (and any future device 15s)
To permanently whitelist a device, use a ‘-p’ flag
Allow a particular device only through specified port:
]# echo ‘allow 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” parent-hash “xxxxxxx” via-port “1-6” with-interface n:n:n’ >> /etch/usbguard/rules.conf
Allow particular device in any port:
]# echo 'allow 0951:1665 serial “xxxxxxx” name “DataTraveler 2.0” hash “xxxxxxx” >> /etch/usbguard/rules.conf
Don’t forget to reapply whenever rules are changed.
]# systemctl restart usbguard
One weird thing to note though, is if you play around with different rules, if a line in the conf file is uncommented (starts with #), usbguard fails to load the rules. Dunno why, but means you can’t have rules in place that are just disabled.
Also, apparently wildcards can only be added to specific attributes.
https://dkopecek.github.io/usbguard/
https://wiki.archlinux.org/index.php/USBGuard
