Protecting against rogue USB devices

USBGuard is a software framework that helps protect your systems from unauthorized USB devices (also called BadUSB) by implementing basic permissions and blacklists. Allows you to set the access control to USB devices based on the attributes of the device. If you are unfamiliar with USBGuard, make sure to protect systems from unauthorized access to USB devices. Here is a summary of some of the new USBGuard features we have made available in Red Hat Enterprise Linux (RHEL) 8.3.

Notes in the line configuration files

Complex configuration files, such as B. USBGuard rules, which sometimes require complex syntax. To improve usability, we have included the use of comments in the line configuration files. The USBGuard uses the # character for block comments, so anything that follows this character until the end of the line is ignored. It is advisable to use a white line above the comment to place it physically closer to the line below than above:

# { 08:*:* } Makes USB drives (memory sticks)
Allowed with an interface equal to { 08:*:* } } { 08:*:* }

Rules for administration.d

With version 0.7.8, available in RHEL 8.3, users can have multiple line files in the rules.d folder. By default, this folder is located in /etc/usbguard/rules.d/, but you can change it in the configuration file. The USBGuard daemon behaves like any other standard Linux daemon and loads the control files in alphanumeric order. When naming files in the rules.d directory, you must start with a two-character prefix that indicates the order in which the daemon reads the rules.

For example, your rules.d folder may look like this

  1. General configuration (mouse, keyboards, host controllers) required for each workstation in /etc/usbguard/rules.d/00_general.conf.
  2. List of USB headsets in /etc/usbguard/rules.d/10_headsets.conf
  3. List of allowed USB sticks in /etc/usbguard/rules.d/20_usbstorage.conf
  4. List of blocked or rejected devices in /etc/usbguard/lines.d/30_reject-or-block.conf.

Safety improvement

Safety is an important issue in today’s market. To take it to the next level, we have introduced a new configuration option in usbguarddaemon.conf (/etc/usbguard/usbguarddaemon.conf). The device identification is stored in the system logs by default. To prevent this information from being stored in the logs, set the HidePII option in the file usbguard-daemon.conf to where.

# Hides personal information like the device.

# Serial numbers and descriptive hashes (containing the serial number) of the audit records.

Enter the attribute with connection type in the control language

Have you ever wanted to know if a device is integrated in your laptop or connected via a USB cable? You can now define the connection type of the device by adding an attribute with connection type to the line file. For more information, see the usbguardrules.conf(5) manual page.

Provisional rules

If you are unfamiliar with writing USBGuard rules, you should test them first before finally capturing them. In addition, if a temporary rule blocks your interaction with one of the devices, there is no need to restart the device. For example, you can now add temporary rules to the ruleset. B. with the command line option -t :

usbguard attachment line -t SOME RULES

This ensures that the added line remains in memory only until the daemon is restarted. Once the test is complete, you can restart the daemon:

$ sudo systemctl reboot usbguard.service

Device-specific policy Generation

To generate a device-specific rule, for example B. for a keyboard connected in /sys/devices/pci0000:00/0000:00:14.0/usb1/1-1, use e. B. the policy command:

$ usbguard generation policy -d /devices/pci0000:00/0000:00:14.0/usb1/1-1

Single-line activation/deactivation

Until now, USBGuard users were able to authorize devices based on ID. This was not very practical, because a separate command had to be executed for each aircraft. The USBGuard can now process control chains and the destination corresponding to the specified control chain is applied to each device.

Suppose you have just connected a wired keyboard and mouse, which are not allowed by default. You can allow its use with the following:

usbguard authorization device $ matching hot-plug type connector

The block-device and reject-device commands have the same syntax as the allow-device command.

Partial packaging SELinux

USBGuard now offers its own SELinux policy in usbguard-selinux. The USBGuard daemon is limited to the domain usbguard_t. You can install the policy using the subpackage usbguard-selinux :

$ sudo dnf install usbguard-selinux

Notification Sub-package

Desktop users want to know if their connected device can be used. Until now, the only way for a user to know if a device was activated was to see if it was mounted, which didn’t really help. That’s why we’ve introduced usbguard alert, which creates easy-to-use notifications in the form of quick pop-up messages. Detects changes in USBGuard policy and changes in the presence of the device.

Follow these steps to enable desk notifications:

  1. Installing the usbguard notification package

# sudo dnf install usbguard notify

  1. Make sure the daycare runs in the background.

# sudo systemctl start usbguard

  1. Enable notification for the current user

turn on $ systemctl –now –user usbguard-notifier.service

When you are finished, the screen displays notifications that the policy has changed or that the device has been inserted or removed.


Due to technological progress, there are USB sticks that can destroy your computer, USB sticks loaded with spyware and even official company USB sticks infected with malware, not to mention empty USB sticks that can be used to secretly extract sensitive data from your system.

USBGuard can help stop these attacks. This is a great addition for anyone who needs to protect his or her Linux system.

Related Tags:

linux usbguard,usbguard/rules,usbguard centos 6,usbguard download,identify rogue devices on network,rogue station attack,find rogue device on network,rogue meaning,usbguard linux,github usbguard,usb guard github,usbguard allow all keyboard,configure usb guard,how to prevent rogue devices on network,rogue device detection software,usbguard,open source rogue device detection,usbguard examples,usb blocker linux,usbguard windows