USBGuard: block untrusted USB devices
Protect your computer against attacks with USB devices by implementing whitelistings and blacklistings with USBGuard.
Table of Contents
- Installation and first use
- Allowing and blocking devices
- List rules
- Change default policy
- Disable USBGuard permanently
Installation and first use
usbguard using your system package manager (it’s available on most distros). Then, plug the trusted USB drives and create a default policy to allow them (always run the commands as root):
usbguard generate-policy > /etc/usbguard/rules.conf
- You can run this command every time you want to remake the policy (remember to restart USBGuard daemon after that).
Start and enable the USBGuard daemon:
systemctl enable --now usbguard.service
Check the list of recognized USB devices to ensure plugged USBs are allowed:
# usbguard list-devices ... 12: allow id 0204:6025 serial "XXXXXXXX" name "Flash Disk" hash "XXXX" parent-hash "XXXX" via-port "2-1" with-interface 08:06:50 with-connect-type "hotplug" ...
Allowing and blocking devices
By default, any USB device that is not explicity allowed, is blocked. To allow the use of a trusted USB, plug it and run
usbguard list-devices to check its ID (the first number on the USB record):
# usbguard list-devices 15: block id 1221:3234 serial "XXXXX" name "Flash Disk" hash "XXXX" parent-hash "XXXX" via-port "2-1" with-interface 08:06:50 with-connect-type "hotplug"
Allow the device with
usbguard allow-device <ID>:
usbguard allow-device 15
To block a device:
usbguard allow-device <ID>
This will allow (or block) the use of the USB drive while it is plugged, but the ID changes every time you plug the device. Also, this only works for the current session. To make the decision permanent, add
usbguard allow-device -p 15
- This will allow the device even when you unplug and re-plug it. Run
usbguard list-devicesto check that USB device ID changes but keeps it allowed.
Change default policy
Default policy is block any USB device that is not explicity allowed. To change that, edit
/etc/usbguard/usbguard-daemon.conf and change this line:
Save the file and restart USBGuard daemon:
systemctl restart usbguard.service
Do this only when you want to temporarily disable USBGuard restrictions on new devices.
Disable USBGuard permanently
First, disable the USBGuard service, so it doesn’t start with the next boot.
systemctl disable usbguard.service
Then, reboot your computer. After rebooted, you can use the USB devices like before activating USBGuard. You can now uninstall the
usbguard package if you want.
If you have any suggestion, feel free to contact me via social media or email.