From 7d31e17fc5a8fe3055568c1a0f541dea064f30a0 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 17 Nov 2023 17:02:41 +0000 Subject: [PATCH 1/3] usbguard --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index 9a57d45..4c40b96 100644 --- a/debian/control +++ b/debian/control @@ -30,6 +30,7 @@ Depends: adduser, python3, secure-delete, sudo, + usbguard, ${misc:Depends} Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable Description: Enhances Miscellaneous Security Settings From 7c8b9b294678056d684fd3dc22f012d75da40426 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 17 Nov 2023 17:14:01 +0000 Subject: [PATCH 2/3] 30_security-misc.conf --- etc/usbguard/rules.d/30_security-misc.conf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 etc/usbguard/rules.d/30_security-misc.conf diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf new file mode 100644 index 0000000..a93e29e --- /dev/null +++ b/etc/usbguard/rules.d/30_security-misc.conf 
@@ -0,0 +1,18 @@ +## Blacklisting is not the optimal approach to security. Normally all USB devices should be rejected (default) and only the devices you personally know and trust be whitelisted. +## If you can do this, it is recommended to do. For convenience for the majority, we do the following: + +## Allow all USB devices with mass storage interface +allow with-interface equals { 08:*:* } + +## Reject storage devices that also have extra suspicuous interfaces. +## Like a usb storage device that also tries to behave like a keyboard. +## This is a well known type of cyber attack. + +reject with-interface all-of { 08:*:* 03:00:* } +reject with-interface all-of { 08:*:* 03:01:* } +reject with-interface all-of { 08:*:* e0:*:* } +reject with-interface all-of { 08:*:* 0a:*:* } +reject with-interface all-of { 08:*:* 02:*:* } + +## We do not allow anything else. Keyboards, mice, and everything else, they will be rejected. The only exception is, if they were plugged in when the daemon starts. +## If you have your keyboard plugged in before booting, it will be allowed. If you plug after the fact, you have to manually allow the device or do a restart. From 4cae74d610ad37066e8a334019cfa5c82f088a2e Mon Sep 17 00:00:00 2001 From: monsieuremre Date: Sun, 21 Jul 2024 11:19:32 +0200 Subject: [PATCH 3/3] Update 30_security-misc.conf --- etc/usbguard/rules.d/30_security-misc.conf | 58 ++++++++++++++++------ 1 file changed, 43 insertions(+), 15 deletions(-) diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf index a93e29e..fd2bce9 100644 --- a/etc/usbguard/rules.d/30_security-misc.conf +++ b/etc/usbguard/rules.d/30_security-misc.conf 
@@ -1,18 +1,46 @@ -## Blacklisting is not the optimal approach to security. Normally all USB devices should be rejected (default) and only the devices you personally know and trust be whitelisted. -## If you can do this, it is recommended to do. For convenience for the majority, we do the following: +# We allow those that were plugged in before the daemon starts. Everything is blocked as the default. Following rules apply on top of this. -## Allow all USB devices with mass storage interface +# Explicitly reject any interface that is not documented and/or defined by USB.org +# Note: Most probably superfluous +reject with-interface none-of { 01:*:* 02:*:* 03:*:* 04:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:*} + +### Allow all mouses and keyboards, in a sense, so the user can conveniently change them without restrating the daemon. +### Take extra measures to ensure security + +# Allow only one keyboard to be connected +allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 }) + +# Allow only one mouse to be connected +allow with-interface one-of { 03:00:02 03:01:02 } if !allowed-matches(with-interface one-of { 03:00:02 03:01:02 }) + +# Explicitly reject any device with a mouse/keyboard interface in combination with some other interface +# Mouses and keyboards should only have one interface for all legitimate use cases +reject with-interface all-of { 03:*:* 02:*:* } +reject with-interface all-of { 03:*:* 04:*:* } +reject with-interface all-of { 03:*:* 05:*:* } +reject with-interface all-of { 03:*:* 06:*:* } +reject with-interface all-of { 03:*:* 07:*:* } +reject with-interface all-of { 03:*:* 08:*:* } +reject with-interface all-of { 03:*:* 09:*:* } +reject with-interface all-of { 03:*:* 0a:*:* } +reject with-interface all-of { 03:*:* 0b:*:* } +reject with-interface all-of { 03:*:* 0d:*:* } +reject 
with-interface all-of { 03:*:* 0e:*:* } +reject with-interface all-of { 03:*:* 0f:*:* } +reject with-interface all-of { 03:*:* 10:*:* } +reject with-interface all-of { 03:*:* 11:*:* } +reject with-interface all-of { 03:*:* 12:*:* } +reject with-interface all-of { 03:*:* 13:*:* } +reject with-interface all-of { 03:*:* 14:*:* } +reject with-interface all-of { 03:*:* 3c:*:* } +reject with-interface all-of { 03:*:* dc:*:* } +reject with-interface all-of { 03:*:* e0:*:* } +reject with-interface all-of { 03:*:* ef:*:* } +reject with-interface all-of { 03:*:* fe:*:* } +reject with-interface all-of { 03:*:* ff:*:* } + +# Allow USB mass storage +# If and only if the USB device only has the mass storage interface and nothing extra +# Suspicious interface combinations with mass storage are blocked allow with-interface equals { 08:*:* } -## Reject storage devices that also have extra suspicuous interfaces. -## Like a usb storage device that also tries to behave like a keyboard. -## This is a well known type of cyber attack. - -reject with-interface all-of { 08:*:* 03:00:* } -reject with-interface all-of { 08:*:* 03:01:* } -reject with-interface all-of { 08:*:* e0:*:* } -reject with-interface all-of { 08:*:* 0a:*:* } -reject with-interface all-of { 08:*:* 02:*:* } - -## We do not allow anything else. Keyboards, mice, and everything else, they will be rejected. The only exception is, if they were plugged in when the daemon starts. -## If you have your keyboard plugged in before booting, it will be allowed. If you plug after the fact, you have to manually allow the device or do a restart.
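Review bot: adding `usbguard,` as a hard `Depends:` next to `adduser`, `python3`, `secure-delete` and `sudo` means every install of this package pulls in the usbguard daemon together with the rules file introduced by the following patches, yet the `Description:` line and the rest of `debian/control` are left unchanged (the diffstat shows a single insertion), so nothing tells the user that installing security-misc starts filtering USB devices. Consider `Recommends:` instead of `Depends:`, or at least extend the package description to say that USB device authorization is enforced once installed, so that someone whose keyboard or mouse is plugged in after boot is not surprised by a rejected device.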
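Review bot: the closing comment of the new `30_security-misc.conf` ("The only exception is, if they were plugged in when the daemon starts") promises behaviour that this rules file cannot provide on its own; whether devices present at daemon start are kept, allowed, or evaluated against these rules is governed by the `PresentDevicePolicy` setting in `usbguard-daemon.conf`, and this series touches only `debian/control` and the rules file. Either ship the daemon setting that gives that behaviour, or reword the comment so it does not describe a guarantee the package does not establish. Two smaller points on the same hunk: because `allow with-interface equals { 08:*:* }` matches only devices whose whole interface set is mass storage, the five `reject with-interface all-of { 08:*:* ... }` rules never see a device that the allow rule would have accepted; they only change the outcome for those combinations from the implicit target to `reject`, which is fine if intended but deserves a comment saying so. And "suspicuous" in a comment that ends up in /etc should be "suspicious".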
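Review bot: rule ordering in the rewritten file defeats the stated intent of the composite-device rejects. The keyboard rule `allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })` (and the mouse rule after it) sits above the 23 `reject with-interface all-of { 03:*:* xx:*:* }` rules, and `one-of` matches any device that carries at least one of the listed interfaces, so a device exposing a keyboard interface alongside a mass-storage or other interface, precisely what the old `reject with-interface all-of { 08:*:* 03:01:* }` rule targeted and what the new comment "Explicitly reject any device with a mouse/keyboard interface in combination with some other interface" says must be rejected, is allowed by the first matching rule whenever no keyboard is currently allowed. Move the composite reject block above the two allow rules, or tighten the allows to `equals` so only single-interface HID devices qualify. Also: `reject with-interface none-of { ... }` only fires when a device has no interface of any listed class, so it does not catch an undocumented class that sits beside a known one, which the comment "reject any interface that is not documented" implies it would; and the class list includes `04:*:*` while omitting `0c:*:*`, so please double-check it against the published class codes even though the note already calls the rule probably superfluous. The first comment ("We allow those that were plugged in before the daemon starts") still depends on `PresentDevicePolicy` in `usbguard-daemon.conf`, which this series does not set, and "restrating" and "mouses" should read "restarting" and "mice".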