30_security-misc.conf

monsieuremre 2023-11-17 17:14:01 +00:00 committed by GitHub
parent 7d31e17fc5
commit 7c8b9b2946
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -0,0 +1,18 @@
## Blacklisting is not the optimal approach to security. Normally all USB devices should be rejected (default) and only the devices you personally know and trust be whitelisted.
## If you can do this, it is recommended to do. For convenience for the majority, we do the following:
## Allow all USB devices with mass storage interface
allow with-interface equals { 08:*:* }
## Reject storage devices that also have extra suspicuous interfaces.
## Like a usb storage device that also tries to behave like a keyboard.
## This is a well known type of cyber attack.
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
reject with-interface all-of { 08:*:* e0:*:* }
reject with-interface all-of { 08:*:* 0a:*:* }
reject with-interface all-of { 08:*:* 02:*:* }
## We do not allow anything else. Keyboards, mice, and everything else, they will be rejected. The only exception is, if they were plugged in when the daemon starts.
## If you have your keyboard plugged in before booting, it will be allowed. If you plug after the fact, you have to manually allow the device or do a restart.
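Review bot: The closing comment lines promise behaviour that no rule in this file enforces. Nothing here matches a device that lacks an 08:*:* interface, so "Keyboards, mice, and everything else, they will be rejected" and the exception for devices plugged in when the daemon starts both depend on daemon settings outside this file (ImplicitPolicyTarget and PresentDevicePolicy in usbguard-daemon.conf). USBGuard also treats block and reject as different targets, so "rejected" is only accurate if the implicit target is set that way. Either end the file with an explicit catch-all rule for the intended target, or reword the comment to name the daemon settings it relies on. Smaller points: "suspicuous" in the comment above the reject rules should be "suspicious", and each reject line would be easier to audit with a short note naming the interface class it covers (03:00 and 03:01, e0, 0a, 02), since only the keyboard case is explained.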