USBGUARD(1)                                                        USBGUARD(1)

usbguard - USBGuard command-line interface

usbguard [OPTIONS] <subcommand> [SUBCOMMAND-OPTIONS] ...

usbguard list-devices

usbguard allow-device id | rule

usbguard block-device id | rule

usbguard reject-device id | rule

usbguard list-rules

usbguard append-rule rule

usbguard remove-rule id

usbguard generate-policy

usbguard watch

usbguard read-descriptor file

usbguard add-user name

usbguard remove-user name

The usbguard command provides a command-line interface (CLI) to a
running usbguard-daemon(8) instance. It also provides a tool for
generating initial USBGuard policies based on USB devices connected to
the system.

list-devices
    List all USB devices recognized by the USBGuard daemon.

    Available options:

    -a, --allowed
        List allowed devices.

    -b, --blocked
        List blocked devices.

    -h, --help
        Show help.

allow-device [OPTIONS] <id | rule>
    Authorize a device identified by either the device id or a specific
    rule to interact with the system. A rule might apply to multiple
    devices. Note that the device id refers to the very first number of the
    list-devices command output.

    Available options:

    -p, --permanent
        Make the decision permanent. A device specific allow rule will be
        appended to the current policy.

    -h, --help
        Show help.

block-device [OPTIONS] <id | rule>
    Deauthorize a device identified by either the device id or a specific
    rule. A rule might apply to multiple devices. Note that the device id
    refers to the very first number of the list-devices command output.

    Available options:

    -p, --permanent
        Make the decision permanent. A device specific block rule will be
        appended to the current policy.

    -h, --help
        Show help.

reject-device [OPTIONS] <id | rule>
    Deauthorize and remove a device identified by either the device id or a
    specific rule. A rule might apply to multiple devices. Note that the
    device id refers to the very first number of the list-devices command
    output.

    Available options:

    -p, --permanent
        Make the decision permanent. A device specific reject rule will be
        appended to the current policy.

    -h, --help
        Show help.

list-rules [OPTIONS]
    List the rule set (policy) used by the USBGuard daemon.

    Available options:

    -d, --show-devices
        Show all devices which are affected by the specific rule.

    -h, --help
        Show help.

append-rule [OPTIONS] rule
    Append the rule to the current rule set.

    Available options:

    -a, --after id
        Append the new rule after a rule with the specified rule id.

    -h, --help
        Show help.

remove-rule [OPTIONS] id
    Remove a rule identified by the rule id from the rule set.

    Available options:

    -h, --help
        Show help.

generate-policy [OPTIONS]
    Generate a rule set (policy) which authorizes the currently connected
    USB devices.

    Available options:

    -p, --with-ports
        Generate port specific rules for all devices. By default, port
        specific rules are generated only for devices which do not export
        an iSerial value.

    -P, --no-ports-sn
        Don’t generate port specific rules for devices without an iSerial
        value. Without this option, the tool will add a via-port attribute
        to any device that doesn’t provide a serial number. This is a
        security measure to limit devices that cannot be uniquely
        identified to connect only via a specific port. This makes it
        harder to bypass the policy since the real device will occupy the
        allowed USB port most of the time.

    -t, --target target
        Generate an explicit "catch all" rule with the specified target.
        The target can be one of the following values: allow, block, reject.

    -X, --no-hashes
        Don’t generate a hash attribute for each device.

    -H, --hash-only
        Generate a hash-only policy.

    -h, --help
        Show help.

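The reasoning behind -P, --no-ports-sn above, as an added example that is not part of the usbguard manual or project: a shell filter that reads a generated policy and prints every allow rule that has neither a non-empty serial value nor a via-port attribute. The function names and the sample rules are constructed for illustration; the attribute names are those of usbguard-rules.conf(5).

```shell
#!/bin/sh
# Added example: flag allow rules that can be matched by any look-alike
# device on any port, i.e. rules with no serial number and no via-port.
# Reads rules in the usbguard-rules.conf(5) format on stdin and prints the
# offending rules on stdout. Escaped quotes inside strings are not handled.
unpinned_allow_rules() {
    awk '
    /^[ \t]*allow[ \t]/ {
        s = $0
        gsub(/""/, "E", s)         # empty quoted value     -> E
        gsub(/"[^"]*"/, "Q", s)    # non-empty quoted value -> Q
        # After the substitutions, keywords inside device names cannot
        # be mistaken for rule attributes.
        has_serial = (s ~ /[ \t]serial[ \t]+Q/)
        has_port   = (s ~ /[ \t]via-port[ \t]/)
        if (!has_serial && !has_port) print
    }'
}

# Constructed sample policy (illustrative values, not captured from a system).
sample_policy() {
    cat <<'EOF'
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00
allow id 046d:c077 serial "" name "USB Optical Mouse" via-port "1-2" with-interface 03:01:02
allow id 0951:1666 serial "" name "DataTraveler 3.0" with-interface 08:06:50
block id 1234:5678 serial "" name "Blocked Thing"
EOF
}

# Only the third rule is reported: it has an empty serial and no port pin.
sample_policy | unpinned_allow_rules
```

Piping the output of usbguard generate-policy through unpinned_allow_rules before installing the policy shows which rules would need a via-port attribute or a manual review.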
watch [OPTIONS]
    Watch the IPC interface events and print them to stdout.

    Available options:

    -w, --wait
        Wait for IPC connection to become available.

    -o, --once
        Wait only when starting, if needed. Exit when the connection is
        lost.

    -e, --exec path
        Run an executable file located at path for every event. Pass event
        data to the process via environment variables.

    -h, --help
        Show help.

read-descriptor [OPTIONS] file
    Read a USB descriptor from a file and print it in human-readable form.

    Available options:

    -h, --help
        Show help.

add-user name [OPTIONS]
    Create an IPC access control file allowing the user/group identified by
    name to use the USBGuard IPC bus. The change takes effect only after
    restarting the usbguard-daemon(8) instance.

    Available options:

    -u, --user
        The specified name represents a username or UID (default).

    -g, --group
        The specified name represents a groupname or GID.

    -p, --policy privileges
        Policy related privileges.

    -d, --devices privileges
        Device related privileges.

    -e, --exceptions privileges
        Exceptions related privileges.

    -P, --parameters privileges
        Run-time parameter related privileges.

    -h, --help
        Show help.

    Privileges:

    The privileges are expected to be in the form of a list separated by a
    colon:

        $ sudo usbguard add-user joe --devices=listen,modify

    Consult the usbguard-daemon.conf(5) man-page for a detailed list of
    available privileges in each section.

remove-user name [OPTIONS]
    Remove an IPC access control file associated with the user/group
    identified by name. The change takes effect only after restarting the
    usbguard-daemon(8) instance.

    Available options:

    -u, --user
        The specified name represents a username or UID (default).

    -g, --group
        The specified name represents a groupname or GID.

    -h, --help
        Show help.

Generating an initial policy:

Allow device(s):

usbguard-daemon(8), usbguard-daemon.conf(5), usbguard-rules.conf(5)

01/31/2020                                                         USBGUARD(1)