USBGuard improvements in Red Hat Enterprise Linux 8.3: Protecting against rogue USB devices

USBGuard is a software framework that helps protect your systems against rogue USB devices (a.k.a. BadUSB) by implementing basic allowlisting and blocklisting capabilities. This allows you to define access control for USB devices based on device attributes. In case you are not familiar with USBGuard, take a look at Protecting systems against intrusive USB devices. Here is a summary of some of the new features in USBGuard that we delivered in Red Hat Enterprise Linux (RHEL) 8.3. 

Comments in rules configuration files

Complex configuration files, such as USBGuard rules, sometimes require complex syntax. In order to improve usability, we enabled using comments in rules configuration files. USBGuard uses the “#” symbol for block comments, so everything after this character to the end of line is ignored. We recommend using a blank line above the comment to physically place it closer to the line below than the line above:

​# Allow USB mass storage devices (USB flash disks)
allow with-interface equals { 08:*:* }

The rules.d folder

With the 0.7.8 version available in RHEL 8.3, users can have multiple rules files inside the rules.d directory. By default, the location of this folder is /etc/usbguard/rules.d/ but you can change it in the configuration file. The USBGuard daemon behaves like any other standard Linux daemon and loads rules files in alphanumeric order. When naming files inside the rules.d directory, you should start with a two-digit number prefix indicating the order in which the daemon reads the rules.

For example, your rules.d folder might look like this:

1. A generic configuration (mice, keyboards, host controllers) required for every workstation in /etc/usbguard/rules.d/00_general.conf

2. A list of USB headsets in /etc/usbguard/rules.d/10_headsets.conf

3. A list of allowed USB storage devices in /etc/usbguard/rules.d/20_usbstorage.conf

4. A list of blocked or rejected devices in /etc/usbguard/rules.d/30_reject-or-block.conf

Improved security

Security is a big concern on the current market. To take it to the next level, we introduced a new configuration option inside usbguard-daemon.conf (/etc/usbguard/usbguard-daemon.conf). By default, device identification is stored in system logs. To prevent storing this information in the logs, set the HidePII option to true in the usbguard-daemon.conf file.

#
# Hides personally identifiable information such as device

# serial numbers and hashes of descriptors (which include the serial number) from audit entries.
HidePII=true

Introduce with-connect-type attribute to rule language

Have you ever wanted to distinguish whether a device is integrated to the laptop or connected via a USB cable? Now you can determine device connection type by adding the with-connect-type attribute to your rule file. Please see the usbguard-rules.conf(5) manual page for further details.

Temporary rules

If you are not familiar with writing USBGuard rules, you might want to test them first before making them permanent. Also, in the case that a temporary rule blocks you from interacting with one of the devices, there is no need to restart your machine. You can now append temporary rules to the rule set using the -t command line option, for example:

$ usbguard append-rule -t SOME_RULE

This ensures that the appended rule remains in memory only until the daemon restarts. After you are done testing, you can restart the daemon:

$ sudo systemctl restart usbguard.service

Policy generation for a specific device

To create a rule just for a specific device, such as a plugged in keyboard at /sys/devices/pci0000:00/0000:00:14.0/usb1/1-1, use the generate-policy command, for example:

$ usbguard generate-policy -d /devices/pci0000:00/0000:00:14.0/usb1/1-1

$ usbguard allow-device match with-connect-type \"hotplug\"

The block-device and reject-device commands have the same syntax as the allow-device command.

SELinux subpackage

USBGuard now provides its own SELinux policy in usbguard-selinux. The USBGuard daemon is confined under the usbguard_t domain. You can install the policy with the usbguard-selinux subpackage:

$ sudo dnf install usbguard-selinux

Notifier subpackage

Desktop users want to know if the device they have plugged in is allowed for use or not. Until now, the only way for a user to tell if a device is allowed was to see if it is mounted, which really was not very helpful. For this reason, we introduced usbguard-notifier which creates user-friendly notifications in the form of quick pop-up messages. It detects modifications to USBGuard policy and changes in device presence.

To enable desktop notifications, perform the following steps:

1. Install the usbguard-notifier package

# sudo dnf install usbguard-notifier

2. Ensure that the `usbguard` service is running in the background

# sudo systemctl start usbguard

3. Enable notifier for the current user

$ systemctl enable --now --user usbguard-notifier.service

When you are done, you will see notifications popping up on your screen when the policy changes or a device is inserted or removed.

Conclusion

As technology advances, there are USB sticks that can destroy your computer, USB sticks loaded with spyware, and even official enterprise USB sticks infected with malware—not to mention “clean” USB sticks that can be used to sneak out sensitive data from your system.

USBGuard can help stop these attacks. It's a great addition to anyone needing to protect a Linux system