Update 30_security-misc.conf

2025-04-20 21:06:31 -04:00 · 2024-07-21 11:19:32 +02:00 · 2024-07-21 11:19:32 +02:00 · 4cae74d610
commit 4cae74d610
parent 7c8b9b2946
1 changed files with 43 additions and 15 deletions
--- a/etc/usbguard/rules.d/30_security-misc.conf
+++ b/etc/usbguard/rules.d/30_security-misc.conf
@ -1,18 +1,46 @@
-## Blacklisting is not the optimal approach to security. Normally all USB devices should be rejected (default) and only the devices you personally know and trust be whitelisted.
-## If you can do this, it is recommended to do. For convenience for the majority, we do the following:
+# We allow those that were plugged in before the daemon starts. Everything is blocked as the default. Following rules apply on top of this.

-## Allow all USB devices with mass storage interface
+# Explicitly reject any interface that is not documented and/or defined by USB.org
+# Note: Most probably superfluous
+reject with-interface none-of { 01:*:* 02:*:* 03:*:* 04:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:*}
+
+### Allow all mouses and keyboards, in a sense, so the user can conveniently change them without restrating the daemon.
+### Take extra measures to ensure security
+
+# Allow only one keyboard to be connected
+allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })
+
+# Allow only one mouse to be connected
+allow with-interface one-of { 03:00:02 03:01:02 } if !allowed-matches(with-interface one-of { 03:00:02 03:01:02 })
+
+# Explicitly reject any device with a mouse/keyboard interface in combination with some other interface
+# Mouses and keyboards should only have one interface for all legitimate use cases
+reject with-interface all-of { 03:*:* 02:*:* }
+reject with-interface all-of { 03:*:* 04:*:* }
+reject with-interface all-of { 03:*:* 05:*:* }
+reject with-interface all-of { 03:*:* 06:*:* }
+reject with-interface all-of { 03:*:* 07:*:* }
+reject with-interface all-of { 03:*:* 08:*:* }
+reject with-interface all-of { 03:*:* 09:*:* }
+reject with-interface all-of { 03:*:* 0a:*:* }
+reject with-interface all-of { 03:*:* 0b:*:* }
+reject with-interface all-of { 03:*:* 0d:*:* }
+reject with-interface all-of { 03:*:* 0e:*:* }
+reject with-interface all-of { 03:*:* 0f:*:* }
+reject with-interface all-of { 03:*:* 10:*:* }
+reject with-interface all-of { 03:*:* 11:*:* }
+reject with-interface all-of { 03:*:* 12:*:* }
+reject with-interface all-of { 03:*:* 13:*:* }
+reject with-interface all-of { 03:*:* 14:*:* }
+reject with-interface all-of { 03:*:* 3c:*:* }
+reject with-interface all-of { 03:*:* dc:*:* }
+reject with-interface all-of { 03:*:* e0:*:* }
+reject with-interface all-of { 03:*:* ef:*:* }
+reject with-interface all-of { 03:*:* fe:*:* }
+reject with-interface all-of { 03:*:* ff:*:* }
+
+# Allow USB mass storage
+# If and only if the USB device only has the mass storage interface and nothing extra
+# Suspicious interface combinations with mass storage are blocked
 allow with-interface equals { 08:*:* }

-## Reject storage devices that also have extra suspicuous interfaces.
-## Like a usb storage device that also tries to behave like a keyboard.
-## This is a well known type of cyber attack.
-
-reject with-interface all-of { 08:*:* 03:00:* }
-reject with-interface all-of { 08:*:* 03:01:* }
-reject with-interface all-of { 08:*:* e0:*:* }
-reject with-interface all-of { 08:*:* 0a:*:* }
-reject with-interface all-of { 08:*:* 02:*:* }
-
-## We do not allow anything else. Keyboards, mice, and everything else, they will be rejected. The only exception is, if they were plugged in when the daemon starts.
-## If you have your keyboard plugged in before booting, it will be allowed. If you plug after the fact, you have to manually allow the device or do a restart.