USBGUARD-DAEMON.CONF(5)                                USBGUARD-DAEMON.CONF(5)

NAME

       usbguard-daemon.conf - USBGuard daemon configuration file


DESCRIPTION

       The usbguard-daemon.conf file is loaded by the USBGuard daemon after it
       parses its command-line options. It is used to configure runtime
       parameters of the daemon. The default search path is
       /etc/usbguard/usbguard-daemon.conf. It may be overridden using the -c
       command-line option, see usbguard-daemon(8) for further details.


OPTIONS

       RuleFile=path
           The USBGuard daemon will use this file to load the policy rule set
           from it and to write new rules received via the IPC interface.

       ImplicitPolicyTarget=target
           How to treat USB devices that don’t match any rule in the
           policy. Target should be one of allow, block or reject (logically
           remove the device node from the system).

       PresentDevicePolicy=policy
           How to treat USB devices that are already connected when the daemon
           starts. Policy should be one of allow, block, reject, keep (keep
           whatever state the device is currently in) or apply-policy
           (evaluate the rule set for every present device).

       PresentControllerPolicy=policy
           How to treat USB controller devices that are already connected when
           the daemon starts. One of allow, block, reject, keep or
           apply-policy.

       InsertedDevicePolicy=policy
           How to treat USB devices that are inserted after the daemon
           starts. One of block, reject or apply-policy.

       RestoreControllerDeviceState=boolean
           The USBGuard daemon modifies some attributes of controller devices,
           such as the default authorization state of new child device
           instances. Using this setting, you can control whether the daemon
           will try to restore the attribute values to the state before
           modification on shutdown.

       DeviceManagerBackend=backend
           Which device manager backend implementation to use. Backend should
           be one of uevent (default) or dummy.

       IPCAllowedUsers=username [username ...]
           A space-delimited list of usernames that the daemon will accept IPC
           connections from.

       IPCAllowedGroups=groupname [groupname ...]
           A space-delimited list of groupnames that the daemon will accept
           IPC connections from.

       IPCAccessControlFiles=path
           The files at this location will be interpreted by the daemon as IPC
           access control definition files. See the IPC ACCESS CONTROL section
           for more details.

       DeviceRulesWithPort=boolean
           Generate device-specific rules including the "via-port" attribute.

       AuditBackend=backend
           USBGuard audit events log backend. The backend value should be one
           of FileAudit or LinuxAudit.

       AuditFilePath=filepath
           USBGuard audit events log file path. Required if AuditBackend is
           set to FileAudit.


SECURITY CONSIDERATIONS

   IPC
       The daemon provides the USBGuard public IPC interface. Depending on
       your distribution defaults, access to this interface is limited to a
       certain group or a specific user only. Please set either the
       IPCAllowedUsers, IPCAllowedGroups or IPCAccessControlFiles options to
       limit access to the IPC interface. Do not leave the ACL unconfigured as
       that will expose the IPC interface to all local users and will allow
       them to manipulate the authorization state of USB devices and modify
       the USBGuard policy.

   RestoreControllerDeviceState configuration option
       If set to true, the USB authorization policy could be bypassed by
       performing some sort of attack on the daemon (via a local exploit or
       via a USB device) to make it shut down and restore to the
       operating-system default state (known to be permissive).
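
       The following is an added example, not code from this man page or the
       USBGuard project, that turns the OPTIONS and SECURITY CONSIDERATIONS
       above into an audit of a usbguard-daemon.conf: it parses Key=value
       lines and reports an unconfigured IPC ACL, RestoreControllerDeviceState
       set to true, and AuditBackend=FileAudit without an AuditFilePath. The
       two configurations are constructed samples, and lines starting with #
       are assumed to be comments.

```python
# Option names that restrict IPC access; any one of them configures the ACL.
IPC_ACL_OPTIONS = ("IPCAllowedUsers", "IPCAllowedGroups", "IPCAccessControlFiles")

# Constructed sample configurations (not taken from a real system).
WEAK_CONF = """\
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
RestoreControllerDeviceState=true
AuditBackend=FileAudit
"""
HARDENED_CONF = """\
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
RestoreControllerDeviceState=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
"""

def parse_daemon_conf(text):
    """Parse Key=value lines; blank lines and '#' comments (assumed) are skipped."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return options

def audit_daemon_conf(text):
    """Return a list of findings based on the man page's security notes."""
    opts = parse_daemon_conf(text)
    findings = []
    # An unconfigured ACL exposes the IPC interface to every local user.
    if not any(opts.get(name) for name in IPC_ACL_OPTIONS):
        findings.append("IPC ACL unconfigured: all local users can reach the IPC interface")
    # Restoring controller state on shutdown returns to the permissive OS default.
    if opts.get("RestoreControllerDeviceState", "").lower() == "true":
        findings.append("RestoreControllerDeviceState=true: shutdown restores permissive default")
    # FileAudit is only usable with a log file path.
    if opts.get("AuditBackend") == "FileAudit" and not opts.get("AuditFilePath"):
        findings.append("AuditBackend=FileAudit without AuditFilePath")
    return findings
```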

IPC ACCESS CONTROL

       Access to the USBGuard IPC interface can be limited per user or group.
       Furthermore, by using the IPC Access Control files, it is possible to
       limit the access down to the level of Sections and Privileges as
       explained below.

   Recommended: IPCAccessControlFiles
       When you set the IPCAccessControlFiles option, the daemon will look for
       IPC access control files in the directory specified by the setting
       value. Each file in the directory is processed as follows:

        1. The basename of the file is interpreted as a username, UID,
           groupname or GID. If the name starts with : (colon), it is assumed
           that the rest of the name represents a group identifier (groupname,
           or GID in case of a numeric-only string). Otherwise, it is
           interpreted as a user identifier (username, or UID in case of a
           numeric-only string).

        2. The contents of the file are parsed as Section=privilege [privilege
           ...] formatted lines which specify the section privileges. If a
           section is omitted, it is assumed that no privileges are given for
           that section.

       Available sections and privileges:

       ·   Devices

           ·   modify: Change authorization state of devices including
               permanent changes (i.e. modification of device specific rules
               in the policy).

           ·   list: Ability to get a list of recognized devices and their
               attributes.

           ·   listen: Listen to device presence and device policy changes.

       ·   Policy

           ·   modify: Append rules to or remove any rules from the policy.

           ·   list: Ability to view the currently enforced policy.

       ·   Exceptions

           ·   listen: Receive exception messages.

       ·   Parameters

           ·   modify: Set values of run-time parameters.

           ·   list: Get values of run-time parameters.

       The following is a generally usable and reasonably safe example of an
       access control file. It allows modifying the USB device authorization
       state (Devices=modify), listing USB devices (Devices=list), listening to
       USB device related events (Devices=listen), listing USB authorization
       policy rules (Policy=list) and listening to exception events
       (Exceptions=listen):

           Devices=modify list listen
           Policy=list
           Exceptions=listen

       Instead of creating the access control files by yourself, you can use
       the usbguard add-user or usbguard remove-user CLI commands. See
       usbguard(1) for more details.
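
       The following is an added example, not code from this man page or the
       USBGuard project, that implements the two processing steps above for
       (basename, file contents) pairs as they would be read from the
       IPCAccessControlFiles directory, rejects unknown sections or
       privileges, and answers whether a user or group holds a given
       privilege. The file for user joe is the man page's sample; the group
       entry for wheel is constructed.

```python
# Sections and privileges as defined in the IPC ACCESS CONTROL section.
KNOWN_PRIVILEGES = {
    "Devices": {"modify", "list", "listen"},
    "Policy": {"modify", "list"},
    "Exceptions": {"listen"},
    "Parameters": {"modify", "list"},
}

# Sample file contents: the man page's "reasonably safe" access control file.
SAMPLE_ACL_FILE = "Devices=modify list listen\nPolicy=list\nExceptions=listen\n"


def parse_acl_name(basename):
    """Step 1: a leading ':' marks a group; a numeric-only name is a UID/GID."""
    is_group = basename.startswith(":")
    name = basename[1:] if is_group else basename
    kind = ("group" if is_group else "user") + ("_id" if name.isdigit() else "_name")
    return kind, name


def parse_acl_contents(text):
    """Step 2: 'Section=privilege [privilege ...]' lines; omitted sections get none."""
    privileges = {section: set() for section in KNOWN_PRIVILEGES}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section, sep, values = line.partition("=")
        section = section.strip()
        if not sep or section not in KNOWN_PRIVILEGES:
            raise ValueError(f"malformed line or unknown section: {line!r}")
        for priv in values.split():
            if priv not in KNOWN_PRIVILEGES[section]:
                raise ValueError(f"unknown privilege {priv!r} in section {section}")
            privileges[section].add(priv)
    return privileges


def build_acl(entries):
    """entries: (basename, file contents) pairs -> {(kind, name): privileges}."""
    return {parse_acl_name(base): parse_acl_contents(text) for base, text in entries}


def has_privilege(acl, basename, section, privilege):
    """Does the subject named like an ACL file basename hold this privilege?"""
    return privilege in acl.get(parse_acl_name(basename), {}).get(section, set())
```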
   Legacy: IPCAllowedUsers and IPCAllowedGroups
       Example configuration allowing full IPC access to users root, joe and
       members of the group wheel:

           IPCAllowedUsers=root joe
           IPCAllowedGroups=wheel


SEE ALSO

       usbguard-daemon(8), usbguard-rules.conf(5)

                                  2019-07-27           USBGUARD-DAEMON.CONF(5)