diff --git a/debian/security-misc.displace b/debian/security-misc.displace
index 78257f6..1bf6120 100644
--- a/debian/security-misc.displace
+++ b/debian/security-misc.displace
@@ -3,3 +3,4 @@
 /etc/securetty.security-misc
 /etc/security/faillock.conf.security-misc
+/etc/usbguard/usbguard-daemon.conf.security-misc
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index e31a397..fbed2ab 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -95,6 +95,9 @@ case "$1" in
 if test -f /etc/usbguard/rules.d/30_security-misc.conf; then
 chmod 0600 /etc/usbguard/rules.d/30_security-misc.conf || true
 fi
+ if test -f /etc/usbguard/usbguard-daemon.conf.security-misc; then
+ chmod 0600 /etc/usbguard/usbguard-daemon.conf.security-misc || true
+ fi
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 79b5ed6..9c5c380 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -308,3 +308,15 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
 ## https://github.com/Kicksecure/security-misc/issues/298
 ##
 #install vivid /usr/bin/disabled-miscellaneous-by-security-misc
+
+## RNDIS:
+## Disable the RNDIS drivers used by some network devices (common with Android
+## USB tethering). RNDIS as a protocol is believed to have supposedly
+## unfixable buffer overflow issues and may be impossible to implement in a
+## secure fashion.
+##
+## https://lkml.org/lkml/2022/11/23/728
+## https://lore.kernel.org/lkml/2023071333-wildly-playroom-878b@gregkh/
+##
+install rndis_host /usr/bin/disabled-miscellaneous-by-security-misc
+install usb_f_rndis /usr/bin/disabled-miscellaneous-by-security-misc
diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf
index 9b63314..05e5032 100644
--- a/etc/usbguard/rules.d/30_security-misc.conf
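Review bot: The added `if test -f …; then chmod 0600 … || true; fi` block is a verbatim copy of the rules.d block above it with only the path changed; a loop keeps the list of files whose mode must be tightened in one place: `for conf in /etc/usbguard/rules.d/30_security-misc.conf /etc/usbguard/usbguard-daemon.conf.security-misc; do` / `test -f "$conf" && chmod 0600 "$conf" || true` / `done`. The case branch this runs in starts outside the hunk, so I cannot see which maintainer-script action triggers it. The `|| true` matches the existing line, but it also means a failed chmod leaves the file at whatever mode dpkg unpacked it with without any message; if that is acceptable, a short comment saying the mode is best-effort would make it explicit.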
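Review bot: The two new `install` lines cover `rndis_host` and `usb_f_rndis`, but as far as I know the kernel also ships `rndis_wlan`, the RNDIS-based USB WLAN driver that is built on top of rndis_host; if the intent is to disable every RNDIS driver, an explicit `install rndis_wlan /usr/bin/disabled-miscellaneous-by-security-misc` states that instead of relying on the dependency load failing. The comment hedges twice in "believed to have supposedly unfixable"; one hedge reads better, e.g. `## USB tethering). RNDIS as a protocol is believed to have unfixable`. It may also be worth a sentence noting that a modprobe `install` override only stops future autoloading and does not unbind an already-loaded driver, which is why the usbguard reject rule added in this same commit is the complementary control.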
+++ b/etc/usbguard/rules.d/30_security-misc.conf
@@ -19,6 +19,15 @@ allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equa
 ## and keyboards. Also note, all HID devices other than mice and keyboards
 ## will be blocked, **including touchscreens.**
+## Allow USB audio devices. The intended functionality of these devices is
+## unlikely to be usable in a malicious capacity without having already
+## compromised the machine.
+allow with-interface equals { 01:*:* }
+
+## Allow USB video devices (i.e. webcams). Also tricky to use in a malicious
+## manner without having already compromised the machine.
+allow with-interface equals { 0e:*:* }
+
 ## Explicitly reject any device with a mouse/keyboard interface in
 ## combination with some other interface.
 ## Mice and keyboards should likely never have non-HID interfaces provided
@@ -48,6 +57,10 @@ reject with-interface all-of { 03:*:* ef:*:* }
 reject with-interface all-of { 03:*:* fe:*:* }
 reject with-interface all-of { 03:*:* ff:*:* }
+## Explicitly reject any device with an RNDIS interface. RNDIS is believed to
+## have protocol-level buffer overflow vulnerabilities that cannot be fixed.
+reject with-interface one-of { ef:04:* }
+
 ## Allow USB mass storage, if and only if the USB device only has the mass
 ## storage interface and nothing extra.
 ## Suspicious interface combinations with mass storage are blocked.
diff --git a/etc/usbguard/usbguard-daemon.conf.security-misc b/etc/usbguard/usbguard-daemon.conf.security-misc
new file mode 100644
index 0000000..2037b7d
--- /dev/null
+++ b/etc/usbguard/usbguard-daemon.conf.security-misc
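Review bot: Each new `allow with-interface equals` rule matches only a device whose whole interface set is one class, so a device exposing both video and audio interfaces (a webcam with a built-in microphone, which I believe is the common case) matches neither rule and falls through to the implicit policy. If that is intended, say so beside the video rule, e.g. `## Combined audio+video devices (webcams with a microphone) match neither rule above and fall through to the implicit policy.`; if not, a rule for the combined interface set is needed. Note that `equals` is also what keeps the HID-combination rejects below effective, since an audio device carrying an extra 03:*:* interface is not allowed here; that reasoning deserves a comment so a later edit does not loosen it to `all-of`.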
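Review bot: `reject with-interface one-of { ef:04:* }` only catches RNDIS devices that enumerate under the Miscellaneous class; as far as I recall its id table, the Linux rndis_host driver that this commit's modprobe change disables also binds 02:02:ff (the original CDC-with-vendor-protocol variant, which the usb_f_rndis gadget exposes by default) and e0:01:03 (the wireless-controller variant some tethering devices advertise). If the goal is to reject anything that driver would claim, widen the set: `reject with-interface one-of { ef:04:* 02:02:ff e0:01:03 }`. Under the implicit block policy such devices are blocked rather than rejected either way, so the gap affects the explicit rejection and its audit entry rather than whether the device gets authorized; the comment should state which interface triples are meant to be covered.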
@@ -0,0 +1,218 @@ +# +# Rule set file path. +# +# The USBGuard daemon will use this file to load the policy +# rule set from it and to write new rules received via the +# IPC interface. +# +# RuleFile=/path/to/rules.conf +# +RuleFile=/etc/usbguard/rules.conf + +# +# Rule set folder path. +# +# The USBGuard daemon will use this folder to load the policy +# rule set from it and to write new rules received via the +# IPC interface. Usually, we set the option to +# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to +# behave like any other standard Linux daemon therefore it +# loads rule files in alpha-numeric order. File names inside +# RuleFolder directory should start with a two-digit number +# prefix indicating the position, in which the rules are +# scanned by the daemon. +# +# RuleFolder=/path/to/rulesfolder/ +# +RuleFolder=/etc/usbguard/rules.d/ + + + +# +# Implicit policy target. +# +# How to treat devices that don't match any rule in the +# policy. One of: +# +# * allow - authorize the device +# * block - block the device +# * reject - remove the device +# +ImplicitPolicyTarget=block + +# +# Present device policy. +# +# How to treat devices that are already connected when the +# daemon starts. One of: +# +# * allow - authorize every present device +# * block - deauthorize every present device +# * reject - remove every present device +# * keep - just sync the internal state and leave it +# * apply-policy - evaluate the ruleset for every present +# device +# +# Overridden by Kicksecure to allow all devices that are connected at startup. +# +PresentDevicePolicy=allow + +# +# Present controller policy. +# +# How to treat USB controllers that are already connected +# when the daemon starts. 
One of: +# +# * allow - authorize every present device +# * block - deauthorize every present device +# * reject - remove every present device +# * keep - just sync the internal state and leave it +# * apply-policy - evaluate the ruleset for every present +# device +# +PresentControllerPolicy=keep + +# +# Inserted device policy. +# +# How to treat USB devices that are already connected +# *after* the daemon starts. One of: +# +# * block - deauthorize every present device +# * reject - remove every present device +# * apply-policy - evaluate the ruleset for every present +# device +# +InsertedDevicePolicy=apply-policy + +# +# Control which devices are authorized by default. +# +# The USBGuard daemon modifies some the default authorization state attributes +# of controller devices. This setting, enables you to define what value the +# default authorization is set to. +# +# * keep - do not change the authorization state +# * none - every new device starts out deauthorized +# * all - every new device starts out authorized +# * internal - internal devices start out authorized, external devices start +# out deauthorized (this requires the ACPI tables to properly +# label internal devices, and kernel support) +# +AuthorizedDefault=none + +# +# Restore controller device state. +# +# The USBGuard daemon modifies some attributes of controller +# devices like the default authorization state of new child device +# instances. Using this setting, you can control whether the +# daemon will try to restore the attribute values to the state +# before modification on shutdown. +# +# SECURITY CONSIDERATIONS: If set to true, the USB authorization +# policy could be bypassed by performing some sort of attack on the +# daemon (via a local exploit or via a USB device) to make it shutdown +# and restore to the operating-system default state (known to be permissive). 
+# +RestoreControllerDeviceState=false + +# +# Device manager backend +# +# Which device manager backend implementation to use. One of: +# +# * uevent - Netlink based implementation which uses sysfs to scan for present +# devices and an uevent netlink socket for receiving USB device +# related events. +# * umockdev - umockdev based device manager capable of simulating devices based +# on umockdev-record files. Useful for testing. +# +DeviceManagerBackend=uevent + +#!!! WARNING: It's good practice to set at least one of the !!! +#!!! two options below. If none of them are set, !!! +#!!! the daemon will accept IPC connections from !!! +#!!! anyone, thus allowing anyone to modify the !!! +#!!! rule set and (de)authorize USB devices. !!! + +# +# Users allowed to use the IPC interface. +# +# A space delimited list of usernames that the daemon will +# accept IPC connections from. +# +# IPCAllowedUsers=username1 username2 ... +# +IPCAllowedUsers=root + +# +# Groups allowed to use the IPC interface. +# +# A space delimited list of groupnames that the daemon will +# accept IPC connections from. +# +# IPCAllowedGroups=groupname1 groupname2 ... +# +IPCAllowedGroups=root plugdev + +# +# IPC access control definition files path. +# +# The files at this location will be interpreted by the USBGuard +# daemon as access control definition files for the IPC interface. +# The (base)name of a file should be in the form: +# +# [user][:] +# +# where user is either username or UID and group is either groupname or GID. +# IPC access control files should contain lines in the form: +# +#
=[privilege1][,privilege2] ... +# +# This way each file defines who is able to connect to the IPC +# bus and what privileges he has. Note that the IPC access control +# files need to have file permissions set to 0600. +# +IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ + +# +# Generate device specific rules including the "via-port" +# attribute. +# +# This option modifies the behavior of the allowDevice +# action. When instructed to generate a permanent rule, +# the action can generate a port specific rule. Because +# some systems have unstable port numbering, the generated +# rule might not match the device after rebooting the system. +# +# If set to false, the generated rule will still contain +# the "parent-hash" attribute which also defines an association +# to the parent device. See usbguard-rules.conf(5) for more +# details. +# +DeviceRulesWithPort=false + +# +# USBGuard Audit events log backend +# +# One of: +# +# * FileAudit - Log audit events into a file specified by +# AuditFilePath setting (see below) +# * LinuxAudit - Log audit events using the Linux Audit +# subsystem (using audit_log_user_message) +# +AuditBackend=FileAudit + +# +# USBGuard audit events log file path. +# +AuditFilePath=/var/log/usbguard/usbguard-audit.log + +# +# Hides personally identifiable information such as device serial numbers and +# hashes of descriptors (which include the serial number) from audit entries. +# +HidePII=false +
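Review bot: `PresentDevicePolicy=allow` authorizes every device already attached when the daemon starts without consulting the rule set, so the HID-combination and RNDIS reject rules in /etc/usbguard/rules.d/ only govern devices inserted afterwards (`InsertedDevicePolicy=apply-policy`); the Kicksecure comment records the override but not this consequence, and a sentence such as `# Consequence: devices attached before the daemon starts are never checked against the rule set; only later insertions are.` would spare the next reader the inference. Similarly, `IPCAllowedGroups=root plugdev` grants every plugdev member — on Debian-based systems often the primary desktop user — full IPC access, including appending rules and authorizing blocked devices, which the upstream `!!! WARNING` block above it does not spell out; a one-line rationale for trusting plugdev belongs next to that key. The remaining keys appear to be upstream's defaults, so I have not reviewed them individually.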