USBGuard is a software framework that helps protect your systems against rogue USB devices (a.k.a. BadUSB) by implementing basic allowlisting and blocklisting capabilities. This allows you to define access control for USB devices based on device attributes. In case you are not familiar with USBGuard, take a look at Protecting systems against intrusive USB devices. Here is a summary of some of the new features in USBGuard that we delivered in Red Hat Enterprise Linux (RHEL) 8.3.
Comments in rules configuration files
Complex configuration files, such as USBGuard rules, sometimes require complex syntax. In order to improve usability, we enabled using comments in rules configuration files. USBGuard uses the “#” symbol for block comments, so everything after this character to the end of line is ignored. We recommend using a blank line above the comment to physically place it closer to the line below than the line above:
# Allow USB mass storage devices (USB flash disks)
allow with-interface equals { 08:*:* }
The rules.d folder
With the 0.7.8 version available in RHEL 8.3, users can have multiple rules files inside the rules.d directory. By default, the location of this folder is /etc/usbguard/rules.d/ but you can change it in the configuration file. The USBGuard daemon behaves like any other standard Linux daemon and loads rules files in alphanumeric order. When naming files inside the rules.d directory, you should start with a two-digit number prefix indicating the order in which the daemon reads the rules.
For example, your rules.d folder might look like this:
-
A generic configuration (mice, keyboards, host controllers) required for every workstation in /etc/usbguard/rules.d/00_general.conf
-
A list of USB headsets in /etc/usbguard/rules.d/10_headsets.conf
-
A list of allowed USB storage devices in /etc/usbguard/rules.d/20_usbstorage.conf
-
A list of blocked or rejected devices in /etc/usbguard/rules.d/30_reject-or-block.conf
Improved security
Security is a big concern on the current market. To take it to the next level, we introduced a new configuration option inside usbguard-daemon.conf (/etc/usbguard/usbguard-daemon.conf). By default, device identification is stored in system logs. To prevent storing this information in the logs, set the HidePII option to true in the usbguard-daemon.conf file.
# # Hides personally identifiable information such as device # serial numbers and hashes of descriptors (which include the serial number) from audit entries. HidePII=true
Introduce with-connect-type attribute to rule language
Have you ever wanted to distinguish whether a device is integrated to the laptop or connected via a USB cable? Now you can determine device connection type by adding the with-connect-type attribute to your rule file. Please see the usbguard-rules.conf(5) manual page for further details.
Temporary rules
If you are not familiar with writing USBGuard rules, you might want to test them first before making them permanent. Also, in the case that a temporary rule blocks you from interacting with one of the devices, there is no need to restart your machine. You can now append temporary rules to the rule set using the -t command line option, for example:
$ usbguard append-rule -t SOME_RULE
This ensures that the appended rule remains in memory only until the daemon restarts. After you are done testing, you can restart the daemon:
$ sudo systemctl restart usbguard.service
Policy generation for a specific device
To create a rule just for a specific device, such as a plugged in keyboard at /sys/devices/pci0000:00/0000:00:14.0/usb1/1-1, use the generate-policy command, for example:
$ usbguard generate-policy -d /devices/pci0000:00/0000:00:14.0/usb1/1-1
Allow/Block/Reject-device using a single rule
Until now, users of USBGuard could allow devices by using device ID. This was not very user-friendly due to the fact that it required executing a separate command for each device. Now, USBGuard can handle rule strings, and a target will be applied on each device that matches the specified rule string.
Let’s assume that you just plugged in a wired keyboard and mouse that are not allowed by default. You could allow them for use with the following:
$ usbguard allow-device match with-connect-type \"hotplug\"
The block-device and reject-device commands have the same syntax as the allow-device command.
SELinux subpackage
USBGuard now provides its own SELinux policy in usbguard-selinux. The USBGuard daemon is confined under the usbguard_t domain. You can install the policy with the usbguard-selinux subpackage:
$ sudo dnf install usbguard-selinux
Notifier subpackage
Desktop users want to know if the device they have plugged in is allowed for use or not. Until now, the only way for a user to tell if a device is allowed was to see if it is mounted, which really was not very helpful. For this reason, we introduced usbguard-notifier which creates user-friendly notifications in the form of quick pop-up messages. It detects modifications to USBGuard policy and changes in device presence.
To enable desktop notifications, perform the following steps:
-
Install the
usbguard-notifier
package
# sudo dnf install usbguard-notifier
-
Ensure that the `usbguard` service is running in the background
# sudo systemctl start usbguard
-
Enable notifier for the current user
$ systemctl enable --now --user usbguard-notifier.service
When you are done, you will see notifications popping up on your screen when the policy changes or a device is inserted or removed.
Conclusion
As technology advances, there are USB sticks that can destroy your computer, USB sticks loaded with spyware, and even official enterprise USB sticks infected with malware—not to mention “clean” USB sticks that can be used to sneak out sensitive data from your system.
USBGuard can help stop these attacks. It's a great addition to anyone needing to protect a Linux system
執筆者紹介
Attila is part of the Special Projects Team at Red Hat, focused on productization and development of security technologies such as Advanced Intrusion Detection Environment (AIDE), sudo, USBGuard and rsyslog.
類似検索
チャンネル別に見る
自動化
テクノロジー、チーム、環境にまたがる自動化プラットフォームの最新情報
AI (人工知能)
お客様が AI ワークロードをどこでも自由に実行することを可能にするプラットフォームについてのアップデート
オープン・ハイブリッドクラウド
ハイブリッドクラウドで柔軟に未来を築く方法をご確認ください。
セキュリティ
環境やテクノロジー全体に及ぶリスクを軽減する方法に関する最新情報
エッジコンピューティング
エッジでの運用を単純化するプラットフォームのアップデート
インフラストラクチャ
世界有数のエンタープライズ向け Linux プラットフォームの最新情報
アプリケーション
アプリケーションの最も困難な課題に対する Red Hat ソリューションの詳細
オリジナル番組
エンタープライズ向けテクノロジーのメーカーやリーダーによるストーリー
製品
ツール
試用、購入、販売
コミュニケーション
Red Hat について
エンタープライズ・オープンソース・ソリューションのプロバイダーとして世界をリードする Red Hat は、Linux、クラウド、コンテナ、Kubernetes などのテクノロジーを提供しています。Red Hat は強化されたソリューションを提供し、コアデータセンターからネットワークエッジまで、企業が複数のプラットフォームおよび環境間で容易に運用できるようにしています。
言語を選択してください
Red Hat legal and privacy links
- Red Hat について
- 採用情報
- イベント
- 各国のオフィス
- Red Hat へのお問い合わせ
- Red Hat ブログ
- ダイバーシティ、エクイティ、およびインクルージョン
- Cool Stuff Store
- Red Hat Summit