🛡️In today’s cybersecurity landscape, network defenses alone aren’t enough!
Threat actors can bypass firewalls with rogue USB devices—often disguised as innocuous thumb drives or peripherals. The result? Malware infections, data exfiltration, or even system destruction. That’s where USBGuard comes in: a robust Linux tool that acts as a USB “firewall”, allowing devices by policy and blocking everything else by default.
Why USBGuard?
USBGuard protects a Linux system from "BadUSB" attacks, where a device with reprogrammed firmware impersonates a keyboard, network adapter or storage device to deliver a payload. It enforces a per-device policy of allow, block and reject rules, matched on attributes such as vendor and product ID, serial number, a hash of the device's USB descriptors, interface classes and the port the device is plugged into.
Getting Started
1. Installation & Initial Policy
sudo apt install usbguard # on Ubuntu/Debian
sudo dnf install usbguard # on RHEL/Fedora
Generate an initial policy based on connected devices:
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
sudo chmod 0600 /etc/usbguard/rules.conf
sudo systemctl enable --now usbguard.service
generate-policy has to run as root (it reads the device descriptors from sysfs) and writes an allow rule for every device currently attached, pinned by vendor/product ID, serial number and descriptor hash. Those devices keep working; anything that matches no rule falls through to ImplicitPolicyTarget=block in usbguard-daemon.conf. Do this before enabling the daemon: with an empty rules.conf and the default PresentDevicePolicy=apply-policy, the daemon blocks every device, including a USB keyboard.
Viewing USBGuard rules
The rule files live in /etc/usbguard and are readable only by root, so become root (sudo -i or su -) and list the directory:
ls -l
total 16
drwxr-xr-x. 2 root root 4096 Mar 31 13:32 IPCAccessControl.d
-rw-------. 1 root root 0 Mar 31 13:32 rules.conf
drwxr-xr-x. 2 root root 4096 Mar 31 13:32 rules.d
-rw-------. 1 root root 5366 Mar 31 12:57 usbguard-daemon.conf
The 0600 permissions are deliberate: rules contain serial numbers and should not be world-readable. The zero-byte rules.conf shown here is a fresh install with no policy yet; on a configured host it holds the output of generate-policy.
Rule types:
Every rule names one of three targets (see the rule language reference at https://usbguard.github.io/documentation/rule-language):
allow – Authorize the USB device.
block – Do not authorize the device. It stays enumerated, so it still shows up in lsusb and usbguard list-devices, but it cannot be used until an administrator allows it.
reject – Do not authorize the device and remove it from the system entirely; it has to be unplugged and re-inserted before it is seen again.
Rules are evaluated in order and the first rule that matches a device decides its fate. A device that matches no rule gets the ImplicitPolicyTarget from usbguard-daemon.conf, which is block by default.
2. Crafting Custom Rules
Edit /etc/usbguard/rules.conf to fine-tune access. Example:
# Allow only keyboards and mice
allow with-interface equals { 03:*:* }
The equals operator requires every interface the device exposes to be HID (class 03). A plain keyboard or mouse matches; a "keyboard" that also presents a mass-storage or network interface, the classic BadUSB shape, does not and falls through to the implicit block. Restart the daemon (sudo systemctl restart usbguard) after editing the file.
3. Organizing with rules.d
USBGuard can also load rule files from /etc/usbguard/rules.d/ (the RuleFolder setting in usbguard-daemon.conf; shipped on RHEL 8.3+ and in current upstream releases). The files are read after rules.conf in lexicographical order, so use numbered prefixes (10-hubs.conf, 20-hid.conf, 90-default.conf) to control where each file lands, remembering that the first matching rule wins.
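Putting the initial policy, the HID-only rule and the rules.d layout together, here is an added example (my own script, not USBGuard project code) that writes a numbered default-deny policy and checks usbguard-daemon.conf for the settings that policy depends on. The root directory is a parameter so the functions can be exercised in a scratch directory; the setting names ImplicitPolicyTarget, PresentDevicePolicy, InsertedDevicePolicy and RuleFolder are the real usbguard-daemon.conf keys, while the file names under rules.d are my own choice.

```sh
#!/bin/sh
# Added example, not USBGuard project code: lay out a default-deny policy as
# numbered files under rules.d and check usbguard-daemon.conf for the settings
# that policy relies on. $1 is a root directory so the functions can be tried
# in a scratch directory; on a real host run them as root against / and then
# restart usbguard.
set -eu

# Write rule files into $1/etc/usbguard/rules.d. The daemon reads rules.conf
# and then the RuleFolder files in lexicographic order, and the first rule
# that matches a device decides, so the allow rules must sort before the
# catch-all.
write_rules_d() {
    dir="$1/etc/usbguard/rules.d"
    mkdir -p "$dir"
    (
        umask 077   # rule files carry serial numbers: root-only, like rules.conf
        printf '%s\n' \
            '# pure hubs (class 09) only; a "hub" with extra interfaces is not a hub' \
            'allow with-interface equals { 09:00:* }' \
            > "$dir/10-hubs.conf"
        printf '%s\n' \
            '# keyboards and mice: equals requires every interface to be HID (03),' \
            '# so a keyboard that also exposes storage or networking is not matched' \
            'allow with-interface equals { 03:*:* }' \
            > "$dir/20-hid.conf"
        printf '%s\n' \
            '# explicit catch-all; redundant with ImplicitPolicyTarget=block but' \
            '# makes the default-deny intent visible in the policy itself' \
            'block' \
            > "$dir/90-default.conf"
    )
}

# Print the rules in the order the daemon will evaluate them (comments stripped).
show_policy() {
    for f in "$1"/etc/usbguard/rules.d/*.conf; do
        grep -v '^#' "$f"
    done
}

# Last value of key $2 in a usbguard-daemon.conf style file $1 (empty if unset).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 if the daemon config supports a default-deny policy, 1 otherwise,
# naming each weak or missing setting on stdout.
check_daemon_conf() {
    conf=$1
    rc=0
    if [ "$(conf_get "$conf" ImplicitPolicyTarget)" != block ]; then
        echo "ImplicitPolicyTarget must be block, or unmatched devices are allowed"
        rc=1
    fi
    if [ "$(conf_get "$conf" PresentDevicePolicy)" != apply-policy ]; then
        echo "PresentDevicePolicy should be apply-policy; with allow or keep, devices attached at daemon start are never evaluated"
        rc=1
    fi
    if [ "$(conf_get "$conf" InsertedDevicePolicy)" != apply-policy ]; then
        echo "InsertedDevicePolicy should be apply-policy so hot-plugged devices are evaluated"
        rc=1
    fi
    if [ -z "$(conf_get "$conf" RuleFolder)" ]; then
        echo "RuleFolder is unset, so rules.d is ignored"
        rc=1
    fi
    return $rc
}

# Stand-alone demo in a scratch directory; the live config is checked only
# when it is readable (it is 0600 root, so normally only as root).
demo=$(mktemp -d)
write_rules_d "$demo"
show_policy "$demo"
rm -rf "$demo"
if [ -r /etc/usbguard/usbguard-daemon.conf ]; then
    check_daemon_conf /etc/usbguard/usbguard-daemon.conf || true
fi
```

The weak configuration the checker rejects is ImplicitPolicyTarget=allow together with PresentDevicePolicy=allow: with those two settings the rules only ever bite on devices they explicitly name, and everything else is allowed. The corrected values are the ones the checker asks for.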
4. Temporary Rules for Testing
Before committing a rule to the file, hand it to the running daemon with the -t (temporary) flag. The argument is an ordinary rule in the rule language, for example the HID rule from above:
sudo usbguard append-rule -t 'allow with-interface equals { 03:*:* }'
The rule takes effect immediately but lives only in the running daemon: it is not written to rules.conf, so it disappears on restart. That makes experimentation safe. Once you are happy with it, re-run the command without -t to persist it, or remove it early with sudo usbguard remove-rule <id> using the rule id that append-rule prints.
5. Device-Specific Policy Generation
To write a rule for one device instead of everything attached, point generate-policy at the device's sysfs path:
sudo usbguard generate-policy -d /sys/devices/.../usbX/Y-Z
The generated rule pins that device's attributes (ID, serial number, descriptor hash) rather than matching a whole class, which is what you want for a specific hardware token or a known-good external disk.
6. Device Actions
While the daemon is running you can change the state of individual devices without editing the rule files. Find the device id with sudo usbguard list-devices (add -b to list only blocked devices), then:
sudo usbguard allow-device <id>
sudo usbguard block-device <id>
sudo usbguard reject-device <id>
Recent versions also accept a partial rule in place of an id, so one command can act on every device matching an attribute, for example everything that was hot-plugged rather than hardwired:
sudo usbguard block-device 'match with-connect-type "hotplug"'
Add -p to make the decision permanent; the daemon then appends a matching rule to its policy.
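As an added example tying sections 4 to 6 together (my own script, not USBGuard project code), here is a small filter that turns the "block" lines of usbguard list-devices into allow rules pinned by vendor:product id and descriptor hash, and refuses any device whose interface set mixes HID with mass storage, the classic BadUSB shape. The SAMPLE text is constructed to mirror the list-devices line format; its ids, serial numbers and hash strings are placeholders, not real devices. The generated rules are meant to go through append-rule -t first and into rules.conf only once they behave.

```sh
#!/bin/sh
# Added example, not USBGuard project code: turn the "block" lines of
# `usbguard list-devices` into allow rules pinned by id and descriptor hash,
# refusing devices whose interfaces mix HID with mass storage.
# SAMPLE is constructed to mirror the list-devices line format; the ids,
# serials and hashes are placeholders.
set -eu

SAMPLE='1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "ROOTHUB-HASH-PLACEHOLDER" parent-hash "" via-port "usb1" with-interface 09:00:00 with-connect-type ""
7: block id 0000:0001 serial "SERIAL-PLACEHOLDER-1" name "Example Flash Drive" hash "FLASH-HASH-PLACEHOLDER" parent-hash "ROOTHUB-HASH-PLACEHOLDER" via-port "1-2" with-interface 08:06:50 with-connect-type "hotplug"
8: block id 0000:0002 serial "" name "Example Keyboard" hash "KBD-HASH-PLACEHOLDER" parent-hash "ROOTHUB-HASH-PLACEHOLDER" via-port "1-3" with-interface { 03:01:01 08:06:50 } with-connect-type "hotplug"'

q='"'

# Pull one attribute out of a list-devices line using parameter expansion only.
field_target() { v=${1#*: }; printf '%s\n' "${v%% *}"; }
field_id()     { v=${1#* id }; printf '%s\n' "${v%% *}"; }
field_hash()   { v=${1#* hash $q}; printf '%s\n' "${v%%$q*}"; }
field_ifaces() { v=${1#*with-interface }; v=${v% with-connect-type*}; printf '%s\n' "$v" | tr -d '{}'; }

# Classify an interface set: prints "hid", "storage", "mixed" or "other".
classify_ifaces() {
    hid=0; storage=0
    for iface in $1; do
        case $iface in
            03:*) hid=1 ;;
            08:*) storage=1 ;;
        esac
    done
    if [ $hid -eq 1 ] && [ $storage -eq 1 ]; then echo mixed
    elif [ $hid -eq 1 ]; then echo hid
    elif [ $storage -eq 1 ]; then echo storage
    else echo other
    fi
}

# Read list-devices output on stdin. Print an allow rule per blocked device on
# stdout and a refusal per suspicious device on stderr; exit 1 if any refused.
blocked_to_allow() {
    refused=0
    while IFS= read -r line; do
        [ "$(field_target "$line")" = block ] || continue
        id=$(field_id "$line")
        hash=$(field_hash "$line")
        kind=$(classify_ifaces "$(field_ifaces "$line")")
        if [ "$kind" = mixed ]; then
            echo "refusing $id: HID plus mass-storage interfaces on one device" >&2
            refused=1
            continue
        fi
        # The hash covers the whole descriptor set, so a device reflashed to
        # present different interfaces under the same id no longer matches.
        printf 'allow id %s hash "%s"\n' "$id" "$hash"
    done
    return $refused
}

# Stand-alone demo on the constructed sample. On a live host, feed real data:
#   sudo usbguard list-devices -b | blocked_to_allow
printf '%s\n' "$SAMPLE" | blocked_to_allow \
    || echo "some devices were refused; review them by hand" >&2
```

Pinning by hash rather than by id alone matters because vendor and product IDs are trivially cloned by a reprogrammed device; the hash changes as soon as the descriptors do.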
USBGuard Advanced Features
- HidePII: set HidePII=true in /etc/usbguard/usbguard-daemon.conf to keep serial numbers and descriptor hashes out of the audit log. The trade-off is that those are exactly the attributes you want when investigating why a device was blocked.
- SELinux integration: install usbguard-selinux so the daemon runs confined in the usbguard_t domain.
- Desktop notifier: on workstations, install usbguard-notifier to get pop-up alerts when a device is plugged in or the policy changes.
Real-World Effectiveness
USBGuard is a well-supported open source project packaged by the major Linux distros. Coupled with SELinux confinement and desktop notifications, it forms a solid defense against USB-based threats, from malicious firmware to unauthorized data transfers.
Takeaway: Defend USB, Protect Your Ass(ets)!
USB remains one of the most underrated vectors for attack. Even a single rogue device can compromise your entire Linux workstation. USBGuard lets you adopt a “default-deny, whitelist-allow” posture—ideal for both home users and enterprise environments. It’s practical, powerful, and easy to manage.