usbguard v0.7.5 releases: implementing USB device authorization policies
USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as the method of use policies (how a USB device may interact with the system). Simply put, it is a USB device whitelisting tool.
- Rule language for writing USB device authorization policies
- Daemon component with an IPC interface for dynamic interaction and policy enforcement
- Command line and GUI interface to interact with a running USBGuard instance
- C++ API for interacting with the daemon component implemented in a shared library
USBGuard works only on Linux.
- Added daemon configuration option HidePII
- Added check to avoid conflict between ASAN and TSAN
- Added daemon configuration option for authorized_default
- Added devpath option to generate-policy
- Added # line comments to the rule grammar
- Added ImplicitPolicyTarget to get/set parameter methods
- Added option to filter rules by label when listing
- Added the label attribute to rule
- Added PropertyParameterChanged signal
- Added support for portX/connect_type attribute
- Added temporary option to append-rule
- Added versioning to DBus service
- Added optional LDAP support
- Fixed invalid return value in Rule::Attribute::setSolveEqualsOrdered
- Fixed KeyValueParser to validate keys only when known names are set
- Fixed uninitialized variables found by coverity
- Fixes and cleanups based on LGTM.com report
- Hardened systemd service
- Rename ListRules parameter ‘query’ to ‘label’
- Skip empty lines in usbguard-rule-parser
- The proof-of-concept Qt applet was removed. It is going to be maintained in a simplified form as a separate project.
$ git clone https://github.com/USBGuard/usbguard.git
$ cd usbguard
$ ./configure --with-crypto-library=sodium # or "gcrypt", based on your preference
$ make
$ sudo make install
$ make check
The usbguard-daemon is the main component of the USBGuard software framework. It runs as a service in the background and enforces the USB device authorization policy for all USB devices. The policy is defined by a set of rules using a rule language described in usbguard-rules.conf(5). The policy and the authorization state of USB devices can be modified during runtime using the usbguard(1) tool.
The usbguard-daemon.conf file is loaded by the USBGuard daemon after it parses its command-line options. It is used to configure runtime parameters of the daemon. The default search path is /etc/usbguard/usbguard-daemon.conf. It may be overridden using the -c command-line option, see usbguard-daemon(8) for further details.
The usbguard-rules.conf file is loaded by the USBGuard daemon after it parses the main configuration file, usbguard-daemon.conf(5). The daemon expects the file to contain rules written in a language which is described in the Rule Language section below. The USBGuard daemon decides which USB device to authorize based on a policy defined by a set of rules. When a USB device is inserted into the system, the daemon scans the existing rules sequentially. If a matching rule is found, it either authorizes (allows), deauthorizes (blocks) or removes (rejects) the device, based on the rule target. If no matching rule is found, the decision is based on an implicit default target. This implicit default is to block the device until a decision is made by the user.
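The sequential, first-match evaluation described above makes rule order part of the policy. The following is an added example, not USBGuard's own code: a Python model that understands only a rule's target, `id`, and `with-interface one-of|all-of { ... }` parts, run over constructed policies and constructed device descriptions.

```python
# Simplified model of first-match rule evaluation; not USBGuard's parser.
from fnmatch import fnmatchcase

IMPLICIT_TARGET = "block"   # implicit default target described above
TARGETS = {"allow", "block", "reject"}

def parse_rules(text):
    """Parse the simplified subset into (target, id_pattern, operator, iface_patterns)."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):   # skip empty lines and '#' comments
            continue
        try:
            if tok[0] not in TARGETS:
                raise ValueError
            dev_id, op, pats, i = "*:*", None, [], 1
            while i < len(tok):
                if tok[i] == "id":
                    dev_id, i = tok[i + 1], i + 2
                elif (tok[i] == "with-interface" and tok[i + 2] == "{"
                      and tok[i + 1] in ("one-of", "all-of")):
                    end = tok.index("}", i)
                    op, pats, i = tok[i + 1], tok[i + 3:end], end + 1
                else:
                    raise ValueError
        except (IndexError, ValueError):
            raise ValueError(f"unsupported rule in this model: {raw!r}") from None
        rules.append((tok[0], dev_id, op, pats))
    return rules

def evaluate(rules, dev_id, dev_ifaces):
    """Return the target of the first matching rule, else the implicit default."""
    for target, id_pat, op, pats in rules:
        hits = [any(fnmatchcase(i, p) for i in dev_ifaces) for p in pats]
        iface_ok = not pats or (all(hits) if op == "all-of" else any(hits))
        if fnmatchcase(dev_id, id_pat) and iface_ok:
            return target
    return IMPLICIT_TARGET

BROAD_ALLOW_FIRST = """# constructed policy: the broad allow shadows the reject
allow id abcd:0001
allow with-interface one-of { 08:*:* }
reject with-interface all-of { 08:*:* 03:*:* }
"""
REJECT_FIRST = """# constructed policy: same rules, reject checked first
allow id abcd:0001
reject with-interface all-of { 08:*:* 03:*:* }
allow with-interface one-of { 08:*:* }
"""
```

With the same three rules, a device exposing both a mass-storage (`08`) and a HID (`03`) interface is allowed by the first policy and rejected by the second, while a device matching no rule falls through to the implicit `block`.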
Copyright © 2015-2017 Red Hat, Inc.