1USBGUARD(1) USBGUARD(1)
2
6 usbguard - USBGuard command-line interface
7
9 usbguard [OPTIONS] <subcommand> [SUBCOMMAND-OPTIONS] ...
10 usbguard list-devices
12 usbguard allow-device id | rule
14 usbguard block-device id | rule
16 usbguard reject-device id | rule
18 usbguard list-rules
20 usbguard append-rule rule
22 usbguard remove-rule id
24 usbguard generate-policy
26 usbguard watch
28 usbguard read-descriptor file
30 usbguard add-user name
32 usbguard remove-user name
34
36 The usbguard command provides a command-line interface (CLI) to a
37 running usbguard-daemon(8) instance. It also provides a tool for
38 generating initial USBGuard policies based on USB devices connected to
39 the system.
40
42 list-devices
43 List all USB devices recognized by the USBGuard daemon.
44 Available options:
46 -a, --allowed
48 List allowed devices.
49 -b, --blocked
51 List blocked devices.
52 -h, --help
54 Show help.
55 allow-device [OPTIONS] <'id' | rule>
57 Authorize a device identified by either the device id or a specific
58 rule to interact with the system. A rule might apply to multiple
59 devices. Note that the device id refers to the very first number of the
60 list-devices command output.
61 Available options:
63 -p, --permanent
65 Make the decision permanent. A device specific allow rule will be
66 appended to the current policy.
67 -h, --help
69 Show help.
70 block-device [OPTIONS] <'id' | rule>
72 Deauthorize a device identified by either the device id or a specific
73 rule. A rule might apply to multiple devices. Note that the device id
74 refers to the very first number of the list-devices command output.
75 Available options:
77 -p, --permanent
79 Make the decision permanent. A device specific block rule will be
80 appended to the current policy.
81 -h, --help
83 Show help.
84 reject-device [OPTIONS] <'id' | rule>
86 Deauthorize and remove a device identified by either the device id or a
87 specific rule. A rule might apply to multiple devices. Note that the
88 device id refers to the very first number of the list-devices command
89 output.
90 Available options:
92 -p, --permanent
94 Make the decision permanent. A device specific reject rule will be
95 appended to the current policy.
96 -h, --help
98 Show help.
99 list-rules [OPTIONS]
101 List the rule set (policy) used by the USBGuard daemon.
102 Available options:
104 -d, --show-devices
106 Show all devices which are affected by the specific rule.
107 -h, --help
109 Show help.
110 append-rule [OPTIONS] rule
112 Append the rule to the current rule set.
113 Available options:
115 -a, --after id
117 Append the new rule after a rule with the specified rule id.
118 -h, --help
120 Show help.
121 remove-rule [OPTIONS] id
123 Remove a rule identified by the rule id from the rule set.
124 Available options:
126 -h, --help
128 Show help.
129 generate-policy [OPTIONS]
131 Generate a rule set (policy) which authorizes the currently connected
132 USB devices.
133 Available options:
135 -p, --with-ports
137 Generate port specific rules for all devices. By default, port
138 specific rules are generated only for devices which do not export
139 an iSerial value.
140 -P, --no-ports-sn
142 Don’t generate port specific rules for devices without an iSerial
143 value. Without this option, the tool will add a via-port attribute
144 to any device that doesn’t provide a serial number. This is a
145 security measure to limit devices that cannot be uniquely
146 identified to connect only via a specific port. This makes it
147 harder to bypass the policy since the real device will occupy the
148 allowed USB port most of the time.
149 -t, --target target
151 Generate an explicit "catch all" rule with the specified target.
152 The target can be one of the following values: allow, block, reject
153 -X, --no-hashes
155 Don’t generate a hash attribute for each device.
156 -H, --hash-only
158 Generate a hash-only policy.
159 -h, --help
161 Show help.
162 watch [OPTIONS]
164 Watch the IPC interface events and print them to stdout.
165 Available options:
167 -w, --wait
169 Wait for IPC connection to become available.
170 -o, --once
172 Wait only when starting, if needed. Exit when the connection is
173 lost.
174 -e, --exec path
176 Run an executable file located at path for every event. Pass event
177 data to the process via environment variables.
178 -h, --help
180 Show help.
181 read-descriptor [OPTIONS] file
183 Read a USB descriptor from a file and print it in human-readable form.
184 Available options:
186 -h, --help
188 Show help.
189 add-user name [OPTIONS]
191 Create an IPC access control file allowing the user/group identified by
192 name to use the USBGuard IPC bus. The change takes effect only after
193 restarting the usbguard-daemon(8) instance.
194 Available options:
196 -u, --user
198 The specified name represents a username or UID (default).
199 -g, --group
201 The specified name represents a groupname or GID.
202 -p, --policy privileges
204 Policy related privileges.
205 -d, --devices privileges
207 Device related privileges.
208 -e, --exceptions privileges
210 Exceptions related privileges.
211 -P, --parameters privileges
213 Run-time parameter related privileges.
214 -h, --help
216 Show help.
217 Privileges:
219 The privileges are expected to be in the form of a list separated by a
221 colon:
222 $ sudo usbguard add-user joe --devices=listen,modify
224 Consult the usbguard-daemon.conf(5) man-page for a detailed list of
226 available privileges in each section.
227 remove-user name [OPTIONS]
229 Remove an IPC access control file associated with the user/group
230 identified by name. The change takes effect only after restarting the
231 usbguard-daemon(8) instance.
232 Available options:
234 -u, --user
236 The specified name represents a username or UID (default).
237 -g, --group
239 The specified name represents a groupname or GID.
240 -h, --help
242 Show help.
243
245 Generating an initial policy:
246 Allow device(s):
248
250 usbguard-daemon(8), usbguard-daemon.conf(5), usbguard-rules.conf(5)
251 01/31/2020 USBGUARD(1)