USBGuard: block untrusted USB devices
Protect your computer against attacks delivered through USB devices by having USBGuard enforce an allow list (and, where needed, a block list) of devices.
Table of Contents
- Installation and first use
- Allowing and blocking devices
- List rules
- Change default policy
- Disable USBGuard permanently
Installation and first use
Install the usbguard package using your system package manager (it is available on most distros). Then plug in the USB devices you trust and generate an initial policy that allows every device currently connected (always run the commands as root). Only trusted devices should be connected at this point, because each connected device, hubs and host controllers included, gets an allow rule; the resulting file should be readable by root only (mode 0600):
usbguard generate-policy > /etc/usbguard/rules.conf
- You can re-run this command whenever you want to regenerate the policy from the devices currently plugged in. Note that it overwrites the file, so any rules added later with -p are lost, and the USBGuard daemon must be restarted afterwards.
Start and enable the USBGuard daemon:
systemctl enable --now usbguard.service
Check the list of recognized USB devices to confirm that the devices you plugged in have the target allow:
usbguard list-devices
# usbguard list-devices
...
12: allow id 0204:6025 serial "XXXXXXXX" name "Flash Disk" hash "XXXX" parent-hash "XXXX" via-port "2-1" with-interface 08:06:50 with-connect-type "hotplug"
...
Allowing and blocking devices
By default, any USB device that is not explicitly allowed is blocked. To allow a trusted USB device, plug it in and run usbguard list-devices to find its device ID (the number at the start of its record):
# usbguard list-devices
15: block id 1221:3234 serial "XXXXX" name "Flash Disk" hash "XXXX" parent-hash "XXXX" via-port "2-1" with-interface 08:06:50 with-connect-type "hotplug"
Allow the device with usbguard allow-device <ID>:
usbguard allow-device 15
To block a device:
usbguard block-device <ID>
This allows (or blocks) the device only while it stays plugged in: the device ID is assigned per session and changes on every replug, and the decision is not written anywhere. To make it permanent, add -p (--permanent) to the allow-device or block-device command; this appends a rule matching the device's attributes, including its hash, to the rules file:
usbguard allow-device -p 15
- The device stays allowed after you unplug and re-plug it. Run usbguard list-devices to confirm that the device ID has changed but the target is still allow.
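The allow-by-ID step above, together with the "is everything I plugged in allowed?" check from the first section, as an added shell example that is not part of the original post. The listing in SAMPLE_LISTING is constructed (the device IDs, vendor:product pairs, serials and hashes are made up) so the parsing functions run without a daemon; only allow_serial talks to the real usbguard CLI, and it uses just the list-devices and allow-device -p commands shown above.

```shell
#!/bin/sh
# Added example (not from the original post): pick a USB device out of
# `usbguard list-devices` output by serial number and allow it permanently,
# plus a couple of checks on the same listing. SAMPLE_LISTING is constructed
# data: the device IDs, vendor:product pairs, serials and hashes are made up.
SAMPLE_LISTING='12: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "AAAA" parent-hash "BBBB" via-port "usb1" with-interface 09:00:00 with-connect-type ""
15: block id 1221:3234 serial "A1B2C3D4" name "Flash Disk" hash "CCCC" parent-hash "AAAA" via-port "2-1" with-interface 08:06:50 with-connect-type "hotplug"
16: block id 046d:c534 serial "" name "USB Receiver" hash "DDDD" parent-hash "AAAA" via-port "2-2" with-interface { 03:01:01 03:01:02 } with-connect-type "hotplug"'

# device_id_for_serial LISTING SERIAL
# Prints the numeric device ID (the number before the first colon of a
# record) whose serial attribute equals SERIAL; prints nothing if none does.
device_id_for_serial() {
    printf '%s\n' "$1" | awk -v want="$2" '
        match($0, /serial "[^"]*"/) {
            # drop the leading `serial "` (8 chars) and the closing quote
            s = substr($0, RSTART + 8, RLENGTH - 9)
            if (s == want) { sub(/:$/, "", $1); print $1; exit }
        }'
}

# device_target LISTING ID
# Prints the current target (allow, block or reject) of device ID.
device_target() {
    printf '%s\n' "$1" | awk -v id="$2" '$1 == (id ":") { print $2; exit }'
}

# blocked_devices LISTING
# Prints the IDs of every device whose target is block, space separated.
# Useful right after generate-policy: anything you plugged in that shows up
# here was not connected when the policy was generated.
blocked_devices() {
    printf '%s\n' "$1" | awk '
        $2 == "block" { sub(/:$/, "", $1); ids = ids (ids != "" ? " " : "") $1 }
        END { print ids }'
}

# interface_classes LISTING ID
# Prints the interface class codes (first byte of each class:subclass:protocol
# triple in with-interface) of device ID, e.g. "08" for mass storage or
# "03 03" for a device exposing two HID interfaces.
interface_classes() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == (id ":") {
            s = $0
            sub(/.*with-interface /, "", s)
            sub(/ with-connect-type.*/, "", s)
            gsub(/[{}]/, "", s)
            n = split(s, t, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (t[i] != "") out = out (out != "" ? " " : "") substr(t[i], 1, 2)
            print out
            exit
        }'
}

# allow_serial SERIAL
# Looks the device up in the live listing and allows it permanently, which
# appends a matching rule to the daemon's rules file (the -p shown above).
# Requires root and a running usbguard daemon.
allow_serial() {
    listing=$(usbguard list-devices) || return 1
    id=$(device_id_for_serial "$listing" "$1")
    if [ -z "$id" ]; then
        echo "no device with serial '$1' is connected" >&2
        return 1
    fi
    echo "allowing device $id (currently $(device_target "$listing" "$id"))"
    usbguard allow-device -p "$id"
}

# Demonstration on the constructed listing (no daemon needed):
echo "blocked device IDs: $(blocked_devices "$SAMPLE_LISTING")"
echo "Flash Disk is device $(device_id_for_serial "$SAMPLE_LISTING" A1B2C3D4)"
echo "device 16 interface classes: $(interface_classes "$SAMPLE_LISTING" 16)"
# For real use, as root:  allow_serial A1B2C3D4
```

Matching on the serial instead of the session ID is what makes this usable in a script, since the ID changes on every replug; interface_classes is the piece to look at before allowing anything unfamiliar, because a "flash disk" that also reports a 03 (HID) interface is not just a flash disk.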
List rules
usbguard list-rules
Each rule is printed with its rule ID, which is not the same as a device ID. A rule that is no longer wanted (for example one added with -p) can be deleted with the remove-rule subcommand, which takes that rule ID.
Change default policy
The default policy is to block any USB device that is not explicitly allowed. To change that, edit /etc/usbguard/usbguard-daemon.conf and change this line:
ImplicitPolicyTarget=block
to:
ImplicitPolicyTarget=allow
Save the file and restart USBGuard daemon:
systemctl restart usbguard.service
Do this only when you want to temporarily lift USBGuard's restrictions on new devices. Explicit rules in the rules file still apply (a device matched by a block rule stays blocked), and remember to set the value back to block afterwards.
Disable USBGuard permanently
First, disable the USBGuard service so it does not start on the next boot:
systemctl disable usbguard.service
Then reboot your computer. After the reboot you can use USB devices as you did before enabling USBGuard, and you can uninstall the usbguard package if you want.
If you have any suggestion, feel free to contact me via social media or email.