Polish USBGuard configuration

This commit is contained in:
Aaron Rainbolt 2025-08-15 17:16:42 -05:00
parent b4086b8e77
commit cba16879ef
No known key found for this signature in database
GPG key ID: A709160D73C79109
2 changed files with 26 additions and 18 deletions


@ -1,22 +1,31 @@
# We allow those that were plugged in before the daemon starts. Everything is blocked as the default. Following rules apply on top of this.
## We allow devices that were plugged in before the daemon starts. Everything
## is blocked as the default. Following rules apply on top of this.
# Explicitly reject any interface that is not documented and/or defined by USB.org
# Note: Most probably superfluous
reject with-interface none-of { 01:*:* 02:*:* 03:*:* 04:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:*}
## Explicitly reject any interface that is not documented and/or defined by
## USB.org.
## Note: Most probably superfluous.
reject with-interface none-of { 00:*:* 01:*:* 02:*:* 03:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:* }
### Allow all mouses and keyboards, in a sense, so the user can conveniently change them without restrating the daemon.
### Take extra measures to ensure security
## Allow all mouses and keyboards, in a sense, so the user can conveniently
## change them without restrating the daemon.
# Allow only one keyboard to be connected
allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })
## Allow only one keyboard to be connected
allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 })
## Allow only one mouse to be connected
allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 })
## NOTE: Some HID devices will have an interface of 03:00:00 - these are HID
## devices that do not support a "boot interface". **These are blocked
## entirely.** It is very likely that this will cause issues with some mice
## and keyboards. Also note, all HID devices other than mice and keyboards
## will be blocked, **including touchscreens.**
# Allow only one mouse to be connected
allow with-interface one-of { 03:00:02 03:01:02 } if !allowed-matches(with-interface one-of { 03:00:02 03:01:02 })
# Explicitly reject any device with a mouse/keyboard interface in combination with some other interface
# Mouses and keyboards should only have one interface for all legitimate use cases
## Explicitly reject any device with a mouse/keyboard interface in
## combination with some other interface.
## Mice and keyboards should likely never have non-HID interfaces provided
## alongside them.
reject with-interface all-of { 03:*:* 00:*:* }
reject with-interface all-of { 03:*:* 01:*:* }
reject with-interface all-of { 03:*:* 02:*:* }
reject with-interface all-of { 03:*:* 04:*:* }
reject with-interface all-of { 03:*:* 05:*:* }
reject with-interface all-of { 03:*:* 06:*:* }
reject with-interface all-of { 03:*:* 07:*:* }
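Review bot: The keyboard/mouse allow rules change from `one-of { 03:00:01 03:01:01 }` / `one-of { 03:00:02 03:01:02 }` to `equals { 03:01:01 }` / `equals { 03:01:02 }`, which is a real tightening rather than a polish and should be called out in the commit message. USBGuard applies the first matching rule, and `one-of` matches when the device's interface set contains at least one listed value, so under the old rules a composite device carrying a boot-keyboard interface plus, say, a mass-storage interface matched the allow before the `reject with-interface all-of { 03:*:* 08:*:* }` rules further down were ever evaluated; `equals` requires the interface set to be exactly the single HID interface, so such a device now falls through to the reject rules. The cost, as the new note says, is that every non-boot HID device (03:00:00) and every keyboard that also exposes a consumer-control or second HID interface is blocked; if that is accepted, consider saying so in the commit message as well. Two smaller points in the same hunk: the `none-of` interface-class set drops `04:*:*` (correct, 04 is not an assigned USB base class) but adds `00:*:*`, which is assigned only at the device-descriptor level, so please confirm that 00-class interfaces are meant to pass this filter; and the rewritten comment keeps the typo `restrating` and says `mouses` while the comment a few lines below says `Mice`.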
@ -39,8 +48,8 @@ reject with-interface all-of { 03:*:* ef:*:* }
reject with-interface all-of { 03:*:* fe:*:* }
reject with-interface all-of { 03:*:* ff:*:* }
# Allow USB mass storage
# If and only if the USB device only has the mass storage interface and nothing extra
# Suspicious interface combinations with mass storage are blocked
## Allow USB mass storage, if and only if the USB device only has the mass
## storage interface and nothing extra.
## Suspicious interface combinations with mass storage are blocked.
allow with-interface equals { 08:*:* }
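Review bot: The reflowed comment says suspicious interface combinations with mass storage are blocked, but the only explicit rejects in this file cover `03:*:*` combined with another class; a device with, for example, a mass-storage interface plus a vendor-specific `ff:*:*` interface is not matched by `allow with-interface equals { 08:*:* }` and is left to the implicit default described in the header comment. That is the intended outcome, but the comment would be clearer if it said "fall through to the default block" rather than "are blocked", so a later reader does not go looking for a reject rule that does not exist.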