USBGUARD-DAEMON.C(5)                                      USBGUARD-DAEMON.C(5)


NAME
       usbguard-daemon.conf - USBGuard daemon configuration file

DESCRIPTION
       The usbguard-daemon.conf file is loaded by the USBGuard daemon after it
       parses its command-line options. It is used to configure runtime
       parameters of the daemon. The default search path is
       /etc/usbguard/usbguard-daemon.conf. It may be overridden using the -c
       command-line option, see usbguard-daemon(8) for further details.

OPTIONS
       RuleFile=path
              The USBGuard daemon will use this file to load the policy rule
              set from and to write new rules received via the IPC interface.

       ImplicitPolicyTarget=target
              How to treat USB devices that don't match any rule in the
              policy. Target should be one of allow, block or reject
              (logically remove the device node from the system).

       PresentDevicePolicy=policy
              How to treat USB devices that are already connected when the
              daemon starts. Policy should be one of allow, block, reject,
              keep (keep whatever state the device is currently in) or
              apply-policy (evaluate the rule set for every present device).

       PresentControllerPolicy=policy
              How to treat USB controller devices that are already connected
              when the daemon starts. One of allow, block, reject, keep or
              apply-policy.
       InsertedDevicePolicy=policy
              How to treat USB devices that are connected after the daemon
              has started. One of block, reject or apply-policy.

       RestoreControllerDeviceState=boolean
              The USBGuard daemon modifies some attributes of controller
              devices, such as the default authorization state of new child
              device instances. This setting controls whether the daemon
              will try to restore those attributes to their pre-modification
              values on shutdown. Restoring them returns the controllers to
              the operating-system default state, which is permissive.

       DeviceManagerBackend=backend
              Which device manager backend implementation to use. Backend
              should be one of uevent (default) or umockdev.
       IPCAllowedUsers=username [username ...]
              A space delimited list of usernames that the daemon will accept
              IPC connections from.

       IPCAllowedGroups=groupname [groupname ...]
              A space delimited list of groupnames that the daemon will
              accept IPC connections from.

       IPCAccessControlFiles=path
              The files at this location will be interpreted by the daemon
              as IPC access control definition files. See the IPC ACCESS
              CONTROL section for more details.

       DeviceRulesWithPort=boolean
              Generate device specific rules including the "via-port"
              attribute, so that a generated rule matches the device only on
              the port it was authorized on.

       AuditBackend=backend
              USBGuard audit events log backend. The backend value should be
              one of FileAudit or LinuxAudit.

       AuditFilePath=filepath
              USBGuard audit events log file path. Required if AuditBackend
              is set to FileAudit.
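
       The following is an added example of a locked-down configuration
       assembled from the options above. It is not a file shipped by the
       usbguard project, and the rule-file, ACL-directory and audit-log paths
       are assumptions. Before switching ImplicitPolicyTarget to block,
       generate a rule set that covers the devices you depend on (for example
       with usbguard generate-policy, see usbguard(1)); otherwise the daemon
       will block your own keyboard on its next start.

```ini
# /etc/usbguard/usbguard-daemon.conf (added example, not the project's
# shipped file; the paths below are assumptions)

# Policy rules are loaded from here and new rules received over IPC are
# appended to it
RuleFile=/etc/usbguard/rules.conf

# Devices matching no rule are blocked rather than rejected, so a mistake
# in the rule set is recoverable from the console with usbguard allow-device
ImplicitPolicyTarget=block

# Evaluate the rule set for devices present at start-up and for devices
# inserted afterwards; leave the controllers themselves as they are
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy

# Do not hand the controllers back to their permissive operating-system
# default on shutdown
RestoreControllerDeviceState=false

DeviceManagerBackend=uevent

# IPC: root, plus whatever the per-subject files in the ACL directory
# grant; the legacy IPCAllowedGroups list is deliberately not set
IPCAllowedUsers=root
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/

# Device-specific rules written by the daemon carry via-port, tying an
# allowed device to the port it was authorized on
DeviceRulesWithPort=true

AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
```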

SECURITY CONSIDERATIONS
   IPC
       The daemon provides the USBGuard public IPC interface. Depending on
       your distribution defaults, access to this interface is limited to a
       certain group or a specific user only. Set either the IPCAllowedUsers,
       IPCAllowedGroups or IPCAccessControlFiles option to limit access to
       the IPC interface. Do not leave the ACL unconfigured: that exposes the
       IPC interface to all local users and lets any of them change the
       authorization state of USB devices and modify the USBGuard policy.

   RestoreControllerDeviceState configuration option
       If set to true, the USB authorization policy could be bypassed by an
       attack on the daemon (a local exploit, or a malicious USB device) that
       makes it shut down: on shutdown the daemon then restores the
       controllers to their pre-start, operating-system default state, which
       is known to be permissive. Leave this option set to false unless you
       need the original controller attributes restored.

IPC ACCESS CONTROL
       Access to the USBGuard IPC interface can be limited per user or group.
       Furthermore, by using the IPC Access Control files, it is possible to
       limit the access down to the level of Sections and Privileges as
       explained below.
97
98 Recommended: IPCAccessControlFiles
99 When you set IPCAccessControlFiles option, the daemon will look for IPC
100 access control files in the directory specified by the setting value.
101 Each file in the directory is processed as follows:
102
103 1. The basename of the file is interpreted as an username, UID,
104 groupname or GID. If the names starts with : (colon), it is assumed
105 that the rest of the name represents a group identifier (groupname
106 or GID in case of a numeric-only string). Otherwise, it is
107 interpreted as an user identifier (username or UID in case of
108 numeric-only string).
109
110 2. The contents of the file are parsed as Section=privilege [privilege
111 ...] formatted lines which specify the section privileges. If a
112 section is omitted, it is assumed that no privileges are given for
113 that section.

       Available sections and privileges:

       ·  Devices

          ·  modify: Change authorization state of devices including
             permanent changes (i.e. modification of device specific rules
             in the policy).

          ·  list: Ability to get a list of recognized devices and their
             attributes.

          ·  listen: Listen to device presence and device policy changes.

       ·  Policy

          ·  modify: Append rules to or remove any rules from the policy.

          ·  list: Ability to view the currently enforced policy.

       ·  Exceptions

          ·  listen: Receive exception messages.

       ·  Parameters

          ·  modify: Set values of run-time parameters.

          ·  list: Get values of run-time parameters.

       The following is a generally usable and reasonably safe example of an
       access control file. It allows the subject to modify USB device
       authorization state (Devices=modify), list USB devices (Devices=list),
       listen to USB device related events (Devices=listen), list USB
       authorization policy rules (Policy=list) and listen to exception
       events (Exceptions=listen). Note that Devices=modify already covers
       permanent changes, i.e. device-specific rules written into the
       policy; Policy=modify, which is not granted here, is what allows
       arbitrary rules to be appended or removed:

           Devices=modify list listen
           Policy=list
           Exceptions=listen

       Instead of creating the access control files yourself, you can use
       the usbguard add-user or usbguard remove-user CLI commands. See
       usbguard(1) for more details.
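
       The following shell script is an added example and not the usbguard
       project's own code. It creates IPC access control files by hand in
       the format described above (one file per subject: usbadmin for a
       user and :audit for a group, both hypothetical names) and includes a
       small checker that applies the two processing rules above, so you can
       audit what each file grants before pointing IPCAccessControlFiles at
       the directory. The checker is a reading aid with the semantics this
       page describes, not the daemon's own parser. The demo writes into a
       temporary directory; to install, call write_acl with the directory
       named in IPCAccessControlFiles instead.

```shell
#!/bin/sh
# Added example, not part of usbguard: hand-built IPCAccessControlFiles
# entries plus a checker that reproduces this page's lookup rules.
# The subject names usbadmin and audit are hypothetical.

# write_acl <dir> <name> <line>...
# Creates one ACL file whose basename is the subject (":group" or "user")
# and whose lines are "Section=privilege [privilege ...]".
# Anyone who can write these files can grant themselves IPC privileges,
# so they are created readable and writable by their owner only (umask in
# a subshell so the caller's umask is untouched).
write_acl() {
    ( umask 077; d="$1"; n="$2"; shift 2; printf '%s\n' "$@" > "$d/$n" )
}

# acl_grants <dir> <name> <section> <privilege>
# Exit 0 if the file <dir>/<name> lists <privilege> under <section>.
# A missing file or a missing section grants nothing (rule 2 above).
acl_grants() {
    dir="$1"; name="$2"; section="$3"; priv="$4"
    [ -f "$dir/$name" ] || return 1
    while IFS= read -r line; do
        case "$line" in
            "$section="*)
                # privileges after "Section=" are space delimited
                for p in ${line#*=}; do
                    if [ "$p" = "$priv" ]; then return 0; fi
                done
                ;;
        esac
    done < "$dir/$name"
    return 1
}

# build_demo_acl
# Writes the page's recommended operator file for user "usbadmin" and a
# read-only file for group "audit" into a fresh temporary directory and
# prints the directory path.
build_demo_acl() {
    tmp=$(mktemp -d)
    write_acl "$tmp" usbadmin \
        'Devices=modify list listen' \
        'Policy=list' \
        'Exceptions=listen'
    write_acl "$tmp" :audit \
        'Devices=list listen' \
        'Policy=list'
    printf '%s\n' "$tmp"
}

# Stand-alone run: print a few verdicts, then clean up.
acl=$(build_demo_acl)
for q in 'usbadmin Devices modify' ':audit Devices modify' \
         ':audit Policy list' 'usbadmin Parameters list'; do
    set -- $q
    if acl_grants "$acl" "$1" "$2" "$3"; then v=granted; else v=denied; fi
    printf '%-9s %-11s %-7s %s\n' "$1" "$2" "$3" "$v"
done
rm -rf "$acl"
```

       The same operator file can be produced with usbguard add-user and its
       --devices, --policy and --exceptions options; see usbguard(1) for the
       privilege syntax. Whichever way the files are created, keep them
       owned by root and not group- or world-writable, since write access to
       the directory is equivalent to full IPC access.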

   Legacy: IPCAllowedUsers and IPCAllowedGroups
       Example configuration allowing full IPC access (every section and
       privilege) to the users root and joe and to members of the group
       wheel:

           IPCAllowedUsers=root joe
           IPCAllowedGroups=wheel

SEE ALSO
       usbguard-daemon(8), usbguard-rules.conf(5)



                                  11/02/2018              USBGUARD-DAEMON.C(5)