Merge 4cae74d610ad37066e8a334019cfa5c82f088a2e into d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb

2025-04-15 04:02:59 -04:00 · 2025-03-04 23:06:42 +02:00 · 2025-03-04 23:06:42 +02:00 · 5e984a3481
commit 5e984a3481
parent d927fe238c 4cae74d610
2 changed files with 47 additions and 0 deletions
--- a/debian/control
+++ b/debian/control
@ -30,6 +30,7 @@ Depends: adduser,
         python3,
         secure-delete,
         sudo,
+         usbguard,
         ${misc:Depends}
 Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable
 Description: Enhances Miscellaneous Security Settings
--- a/etc/usbguard/rules.d/30_security-misc.conf
+++ b/etc/usbguard/rules.d/30_security-misc.conf
@ -0,0 +1,46 @@
+# We allow those that were plugged in before the daemon starts. Everything is blocked as the default. Following rules apply on top of this.
+
+# Explicitly reject any interface that is not documented and/or defined by USB.org
+# Note: Most probably superfluous
+reject with-interface none-of { 01:*:* 02:*:* 03:*:* 04:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:*}
+
+### Allow all mouses and keyboards, in a sense, so the user can conveniently change them without restrating the daemon.
+### Take extra measures to ensure security
+
+# Allow only one keyboard to be connected
+allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })
+
+# Allow only one mouse to be connected
+allow with-interface one-of { 03:00:02 03:01:02 } if !allowed-matches(with-interface one-of { 03:00:02 03:01:02 })
+
+# Explicitly reject any device with a mouse/keyboard interface in combination with some other interface
+# Mouses and keyboards should only have one interface for all legitimate use cases
+reject with-interface all-of { 03:*:* 02:*:* }
+reject with-interface all-of { 03:*:* 04:*:* }
+reject with-interface all-of { 03:*:* 05:*:* }
+reject with-interface all-of { 03:*:* 06:*:* }
+reject with-interface all-of { 03:*:* 07:*:* }
+reject with-interface all-of { 03:*:* 08:*:* }
+reject with-interface all-of { 03:*:* 09:*:* }
+reject with-interface all-of { 03:*:* 0a:*:* }
+reject with-interface all-of { 03:*:* 0b:*:* }
+reject with-interface all-of { 03:*:* 0d:*:* }
+reject with-interface all-of { 03:*:* 0e:*:* }
+reject with-interface all-of { 03:*:* 0f:*:* }
+reject with-interface all-of { 03:*:* 10:*:* }
+reject with-interface all-of { 03:*:* 11:*:* }
+reject with-interface all-of { 03:*:* 12:*:* }
+reject with-interface all-of { 03:*:* 13:*:* }
+reject with-interface all-of { 03:*:* 14:*:* }
+reject with-interface all-of { 03:*:* 3c:*:* }
+reject with-interface all-of { 03:*:* dc:*:* }
+reject with-interface all-of { 03:*:* e0:*:* }
+reject with-interface all-of { 03:*:* ef:*:* }
+reject with-interface all-of { 03:*:* fe:*:* }
+reject with-interface all-of { 03:*:* ff:*:* }
+
+# Allow USB mass storage
+# If and only if the USB device only has the mass storage interface and nothing extra
+# Suspicious interface combinations with mass storage are blocked
+allow with-interface equals { 08:*:* }
+