USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as the method of use policies (how a USB device may interact with the system). Simply put, it is a USB device whitelisting tool.
Features
- Rule language for writing USB device authorization policies
- Daemon component with an IPC interface for dynamic interaction and policy enforcement
- Command-line and GUI interface to interact with a running USBGuard instance
- C++ API for interacting with the daemon component implemented in a shared library
USBGuard works only on Linux.
Changelog v1.1
Added
- Started building with C++17
- Tree-like list-devices output
- Added CAP_AUDIT_WRITE capability to service file
- Added support for lower OpenSSL versions prior to 1.1.0
- Added a new signal: DevicePolicyApplied
Fixed/Changed
- Moved PIDFile from /var/run to /run
- Fixed linker issues with disable-static
- Enhanced bash-completion script
- Make username/group checking consistent with useradd manual page definition (with addition of capital letters)
- Fixed multiple IPC related bugs
- Fixed race condition when accessing port/connect_type for USB devices
- Using bundled catch v2.13.8
- Using bundled PEGTL v3.2.5
- Fixed usbguard-rule-parser file opening
- Fix unauthorized access via D-Bus [CVE-2019-25058]
Installation
$ git clone https://github.com/USBGuard/usbguard.git
$ cd usbguard
$ ./autogen.sh
$ ./configure --with-crypto-library=sodium # or "gcrypt", based on your preference
$ make
$ sudo make install
$ make check
The usbguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in usbguard-rules.conf(5). The policy and the authorization state of USB devices can be modified during runtime using the usbguard(1) tool.
The usbguard-daemon.conf file is loaded by the USBGuard daemon after it parses its command-line options. It is used to configure runtime parameters of the daemon. The default search path is /etc/usbguard/usbguard-daemon.conf. It may be overridden using the -c command-line option, see usbguard-daemon(8) for further details.
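An added example of a usbguard-daemon.conf, not taken from this page or from the file the project ships, showing the settings a defender cares about most: what happens to unmatched devices, how devices already present at start-up are treated, and who is allowed to talk to the daemon. The configuration keys are the daemon's own; the group name is a placeholder.

```ini
# Added example: /etc/usbguard/usbguard-daemon.conf (constructed for illustration)

# Location of the policy rules (rule language: usbguard-rules.conf(5)).
RuleFile=/etc/usbguard/rules.conf

# Target applied to a device that matches no rule. "block" keeps the device
# attached but unauthorized until an operator decides; "reject" removes it;
# "allow" is the permissive setting to avoid on a hardened host.
ImplicitPolicyTarget=block

# Devices that are already plugged in when the daemon starts are evaluated
# against the policy instead of staying in whatever state the kernel left them.
PresentDevicePolicy=apply-policy

# USB controllers present at start-up keep their state, so the daemon does
# not cut off the bus it is managing.
PresentControllerPolicy=keep

# Devices inserted while the daemon is running go through the rules as well.
InsertedDevicePolicy=apply-policy

# Users and groups permitted to use the daemon's IPC interface. Anyone listed
# here can change the policy and the authorization state of devices, so keep
# it to administrators.
IPCAllowedUsers=root
IPCAllowedGroups=usbguard-admins   # placeholder group name

# Record every authorization decision in an audit log.
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
```

The IPC settings are worth reviewing on every host: a user who can reach the IPC interface can allow devices the policy would otherwise block, so that list should be as short as the list of people trusted to plug in arbitrary hardware.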
The usbguard-rules.conf file is loaded by the USBGuard daemon after it parses the main configuration file, usbguard-daemon.conf(5). The daemon expects the file to contain rules written in a language which is described in the Rule Language section below. The USBGuard daemon decides which USB device to authorize based on a policy defined by a set of rules. When a USB device is inserted into the system, the daemon scans the existing rules sequentially. If a matching rule is found, it either authorizes (allows), deauthorizes (blocks) or removes (rejects) the device, based on the rule target. If no matching rule is found, the decision is based on an implicit default target. This implicit default is to block the device until a decision is made by the user.
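An added example of a rules file, not part of this page or of the project's documentation, illustrating the sequential first-match evaluation described above: rules that reject dangerous interface combinations come first so that a later, broader allow rule cannot admit them, specific devices are pinned by identity, and anything unmatched falls through to the implicit block. Vendor/product ids, the serial number and the hash are placeholders.

```text
# Added example: /etc/usbguard/rules.conf (constructed; ids, serial and hash are placeholders)
# Rules are tried top to bottom; the first match decides the target.
# A device that matches nothing gets the implicit default target (block).

# 1. Reject devices that combine mass storage (class 08) with a keyboard
#    (03:00:00 / 03:01:00) or a wireless controller (e0) interface. A flash
#    drive that can also type is not a flash drive. These come first so the
#    storage allow rule below can never match them.
reject with-interface all-of { 08:*:* 03:00:00 }
reject with-interface all-of { 08:*:* 03:01:00 }
reject with-interface all-of { 08:*:* e0:*:* }

# 2. Allow the host's own root hubs (Linux Foundation vendor id 1d6b, hub class 09).
allow id 1d6b:* with-interface equals { 09:00:* }

# 3. Allow one known keyboard, pinned by vendor:product, serial, the descriptor
#    hash USBGuard computes for it, and the port it normally uses. A device that
#    presents the same ids on another port, or with a different descriptor
#    set, does not match and stays blocked.
allow id 1234:5678 serial "PLACEHOLDER-SERIAL" via-port "1-2" hash "PLACEHOLDER-HASH" with-interface equals { 03:01:01 }

# 4. Allow devices that expose nothing but mass-storage interfaces.
allow with-interface equals { 08:*:* }

# Everything else is blocked by ImplicitPolicyTarget; no catch-all rule is needed.
```

The ordering is the security-relevant part: with rule 4 placed before the reject rules, a storage-plus-keyboard device would be allowed by its storage interface before the reject rule was ever reached. The `hash` and `via-port` attributes in rule 3 are what turn an allow rule from "any device claiming these ids" into "this device, here".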
Copyright © 2015-2017 Red Hat, Inc.