table of contents
USBGUARD-DAEMON.C(5) | USBGUARD-DAEMON.C(5) |
NAME¶
usbguard-daemon.conf - USBGuard daemon configuration file
DESCRIPTION¶
The usbguard-daemon.conf file is loaded by the USBGuard daemon after it parses its command-line options. It is used to configure runtime parameters of the daemon. The default search path is /etc/usbguard/usbguard-daemon.conf. It may be overridden using the -c command-line option, see usbguard-daemon(8) for further details.
OPTIONS¶
RuleFile=path
RuleFolder=path
ImplicitPolicyTarget=target
PresentDevicePolicy=policy
PresentControllerPolicy=policy
InsertedDevicePolicy=policy
AuthorizedDefault=authorizedDefault
RestoreControllerDeviceState=boolean
DeviceManagerBackend=backend
IPCAllowedUsers=username [username ...]
IPCAllowedGroups=groupname [groupname ...]
IPCAccessControlFiles=path
DeviceRulesWithPort=boolean
AuditBackend=backend
AuditFilePath=filepath
HidePII=boolean
SECURITY CONSIDERATIONS¶
IPC¶
The daemon provides the USBGuard public IPC interface. Depending on your distribution defaults, access to this interface is limited to a certain group or a specific user only. Please set either the IPCAllowedUsers, IPCAllowedGroups or IPCAccessControlFiles options to limit access to the IPC interface. Do not leave the ACL unconfigured as that will expose the IPC interface to all local users and will allow them to manipulate the authorization state of USB devices and modify the USBGuard policy.
RestoreControllerDeviceState configuration option¶
If set to true, the USB authorization policy could be bypassed by performing some sort of attack on the daemon (via a local exploit or via a USB device) to make it shutdown and restore to the operating-system default state (known to be permissive).
IPC ACCESS CONTROL¶
Access to the USBGuard IPC interface can be limited per user or group. Furthermore, by using the IPC Access Control files, it is possible to limit the access down to the level of Sections and Privileges as explained below.
Recommended: IPCAccessControlFiles¶
When you set IPCAccessControlFiles option, the daemon will look for IPC access control files in the directory specified by the set value. Each file in the directory is processed as follows:
Available sections and privileges:
The following is a generally usable and reasonably safe example of an access control file. It allows one to modify USB device authorization state (Devices=modify), list USB devices (Devices=list), listen to USB device related events (Devices=listen), list USB authorization policy rules (Policy=list) and listen to exception events (Exceptions=listen):
Devices=modify,list,listen Policy=list Exceptions=listen
You can create or remove the IPC access control files using usbguard add-user and usbguard remove-user CLI commands. See usbguard(1) for more details. If you want to create the IPC access control files manually, you need to set the files permissions to 0600.
Legacy: IPCAllowedUsers and IPCAllowedGroups¶
Example configuration allowing full IPC access to users root, joe and members of the group wheel:
IPCAllowedUsers=root joe IPCAllowedGroups=wheel
SEE ALSO¶
BUGS¶
If you find a bug in this software or if you’d like to request a feature to be implemented, please file a ticket at https://github.com/USBGuard/usbguard/issues/new.
AUTHOR¶
USBGuard was originally written by Daniel Kopeček. Many people have contributed to it.
RESOURCES¶
Main web site: https://usbguard.github.io/
COPYING¶
License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
01/12/2023 |