USBGUARD-DAEMON.C(5)                                       USBGUARD-DAEMON.C(5)


NAME
       usbguard-daemon.conf - USBGuard daemon configuration file

DESCRIPTION
       The usbguard-daemon.conf file is loaded by the USBGuard daemon after it
       parses its command-line options. It is used to configure runtime
       parameters of the daemon. The default search path is
       /etc/usbguard/usbguard-daemon.conf. It may be overridden using the -c
       command-line option, see usbguard-daemon(8) for further details.

OPTIONS
       RuleFile=path
              The USBGuard daemon will use this file to load the policy rule set
              from it and to write new rules received via the IPC interface.
              Default: %sysconfdir%/usbguard/rules.conf

       RuleFolder=path
              The USBGuard daemon will use this folder to load the policy rule
              set from it and to write new rules received via the IPC interface.
              Usually this option is set to /etc/usbguard/rules.d/. The USBGuard
              daemon behaves like any other standard Linux daemon in this
              respect: it loads the rule files in alphanumeric order. File names
              inside the RuleFolder directory should therefore start with a
              two-digit numeric prefix indicating the position in which the
              daemon scans the rules.

       ImplicitPolicyTarget=target
              How to treat USB devices that don’t match any rule in the policy.
              Target should be one of allow, block or reject (logically remove
              the device node from the system). Default: block

       PresentDevicePolicy=policy
              How to treat USB devices that are already connected when the daemon
              starts. Policy should be one of allow, block, reject, keep (keep
              whatever state the device is currently in) or apply-policy
              (evaluate the rule set for every present device). Default:
              apply-policy

       PresentControllerPolicy=policy
              How to treat USB controller devices that are already connected when
              the daemon starts. One of allow, block, reject, keep or
              apply-policy. Default: keep

       InsertedDevicePolicy=policy
              How to treat USB devices that are connected after the daemon
              starts. One of block, reject or apply-policy. Default:
              apply-policy

       AuthorizedDefault=authorizedDefault
              The USBGuard daemon modifies some of the default authorization
              state attributes of controller devices. This setting enables you
              to define what value the default authorization is set to.
              Authorized default should be one of keep (do not change
              authorization state), none (every new device starts out
              deauthorized), all (every new device starts out authorized) or
              internal (internal devices start out authorized, external do not).
              Default: none

       RestoreControllerDeviceState=boolean
              The USBGuard daemon modifies some attributes of controller devices,
              such as the default authorization state of new child device
              instances. Using this setting, you can control whether the daemon
              will try to restore the attribute values to the state before
              modification on shutdown. Default: false

       DeviceManagerBackend=backend
              Which device manager backend implementation to use. Backend should
              be one of uevent (default) or umockdev (useful for testing). The
              UEvent backend is a netlink based implementation which uses sysfs
              to scan for present devices and a uevent socket for receiving USB
              device related events. The UMockDev based device manager is
              capable of simulating devices based on umockdev-record files.
              Default: uevent

       IPCAllowedUsers=username [username ...]
              A space delimited list of usernames that the daemon will accept IPC
              connections from. Default: root

       IPCAllowedGroups=groupname [groupname ...]
              A space delimited list of groupnames that the daemon will accept
              IPC connections from.

       IPCAccessControlFiles=path
              The files at this location will be interpreted by the daemon as IPC
              access control definition files. See the IPC ACCESS CONTROL section
              for more details.

       DeviceRulesWithPort=boolean
              Generate device specific rules including the "via-port" attribute.
              Default: false

       AuditBackend=backend
              USBGuard audit events log backend. The backend value should be one
              of FileAudit or LinuxAudit. Default: FileAudit

       AuditFilePath=filepath
              USBGuard audit events log file path. Required if AuditBackend is
              set to FileAudit. Default:
              %localstatedir%/log/usbguard/usbguard-audit.log

       HidePII=boolean
              Hides personally identifiable information such as device serial
              numbers and hashes of descriptors (which include the serial number)
              from audit entries. Default: false

SECURITY CONSIDERATIONS
   IPC
       The daemon provides the USBGuard public IPC interface. Depending on
       your distribution defaults, access to this interface is limited to a
       certain group or a specific user only. Please set either the
       IPCAllowedUsers, IPCAllowedGroups or IPCAccessControlFiles options to
       limit access to the IPC interface. Do not leave the ACL unconfigured, as
       that will expose the IPC interface to all local users and will allow
       them to manipulate the authorization state of USB devices and modify
       the USBGuard policy.

   RestoreControllerDeviceState configuration option
       If set to true, the USB authorization policy could be bypassed by
       performing some sort of attack on the daemon (via a local exploit or
       via a USB device) to make it shut down and restore the
       operating-system default state (known to be permissive).

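       To make the two notes above checkable, here is an added example (not part
       of USBGuard) that parses a usbguard-daemon.conf and reports the settings
       this page describes as permissive: no IPC ACL option set,
       RestoreControllerDeviceState=true, ImplicitPolicyTarget=allow and
       AuthorizedDefault=all. The sample configurations and the ACL directory
       path are constructed values.

```python
"""Audit usbguard-daemon.conf settings against the security notes above (added example)."""
from typing import Dict, List

KNOWN_OPTIONS = {
    "RuleFile", "RuleFolder", "ImplicitPolicyTarget", "PresentDevicePolicy",
    "PresentControllerPolicy", "InsertedDevicePolicy", "AuthorizedDefault",
    "RestoreControllerDeviceState", "DeviceManagerBackend", "IPCAllowedUsers",
    "IPCAllowedGroups", "IPCAccessControlFiles", "DeviceRulesWithPort",
    "AuditBackend", "AuditFilePath", "HidePII",
}
IPC_ACL_OPTIONS = ("IPCAllowedUsers", "IPCAllowedGroups", "IPCAccessControlFiles")

def parse_daemon_conf(text: str) -> Dict[str, str]:
    """Parse Key=value lines; blank lines and '#' comments are skipped (assumed syntax)."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options

def audit_daemon_conf(options: Dict[str, str]) -> List[str]:
    """One finding per setting the man page describes as permissive or risky."""
    findings = [f"unknown option '{k}' (misspelled?)" for k in options if k not in KNOWN_OPTIONS]
    if not any(options.get(k) for k in IPC_ACL_OPTIONS):
        findings.append("no IPC ACL option set: IPC interface reachable by all local users")
    if options.get("RestoreControllerDeviceState", "false").lower() == "true":
        findings.append("RestoreControllerDeviceState=true: shutdown restores permissive OS defaults")
    if options.get("ImplicitPolicyTarget", "block") == "allow":
        findings.append("ImplicitPolicyTarget=allow: devices matching no rule are allowed")
    if options.get("AuthorizedDefault", "none") == "all":
        findings.append("AuthorizedDefault=all: every new device starts out authorized")
    return findings

# Constructed sample configurations; the ACL directory path is an assumed value.
WEAK_CONF = """\
ImplicitPolicyTarget=allow
RestoreControllerDeviceState=true
AuthorizedDefault=all
IPCAllowedUser=root
"""
HARDENED_CONF = """\
ImplicitPolicyTarget=block
RestoreControllerDeviceState=false
AuthorizedDefault=none
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
HidePII=true
"""
```

       Note that the misspelled IPCAllowedUser in the weak sample is reported
       separately, because a misspelled ACL option leaves the IPC interface open.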
IPC ACCESS CONTROL
       Access to the USBGuard IPC interface can be limited per user or group.
       Furthermore, by using the IPC Access Control files, it is possible to
       limit the access down to the level of Sections and Privileges as
       explained below.

   Recommended: IPCAccessControlFiles
       When you set the IPCAccessControlFiles option, the daemon will look for
       IPC access control files in the directory specified by the set value.
       Each file in the directory is processed as follows:

       1. The basename of the file is interpreted as a username, UID,
          groupname or GID. If the name starts with : (colon), it is assumed
          that the rest of the name represents a group identifier (groupname
          or GID in case of a numeric-only string). Otherwise, it is
          interpreted as a user identifier (username or UID in case of a
          numeric-only string).

       2. The contents of the file are parsed as
          Section=[privilege1][,privilege2] ... formatted lines which
          specify the section privileges. If a section is omitted, it is
          assumed that no privileges are given for that section.

       Available sections and privileges:

       · Devices

         · modify: Change authorization state of devices including
           permanent changes (i.e. modification of device specific rules
           in the policy).

         · list: Ability to get a list of recognized devices and their
           attributes.

         · listen: Listen to device presence and device policy changes.

       · Policy

         · modify: Append rules to or remove any rules from the policy.

         · list: Ability to view the currently enforced policy.

       · Exceptions

         · listen: Receive exception messages.

       · Parameters

         · modify: Set values of run-time parameters.

         · list: Get values of run-time parameters.

       The following is a generally usable and reasonably safe example of an
       access control file. It allows one to modify USB device authorization
       state (Devices=modify), list USB devices (Devices=list), listen to USB
       device related events (Devices=listen), list USB authorization policy
       rules (Policy=list) and listen to exception events (Exceptions=listen):

           Devices=modify,list,listen
           Policy=list
           Exceptions=listen

       You can create or remove the IPC access control files using the
       usbguard add-user and usbguard remove-user CLI commands. See usbguard(1)
       for more details. If you want to create the IPC access control files
       manually, you need to set the file permissions to 0600.

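       As an added example (not USBGuard's own code), the following parses an
       access control file into the sections and privileges listed above,
       rejects privileges a section does not have, maps a file basename to the
       user or group it stands for, and checks the 0600 mode requirement. It
       assumes blank lines are tolerated; the sample files are constructed.

```python
"""Parse and validate USBGuard IPC access control files as described above (added example)."""
import stat
from typing import Dict, List, Set, Tuple

# Sections and privileges listed in the man page.
SECTIONS: Dict[str, Set[str]] = {
    "Devices": {"modify", "list", "listen"},
    "Policy": {"modify", "list"},
    "Exceptions": {"listen"},
    "Parameters": {"modify", "list"},
}

def parse_subject(basename: str) -> Tuple[str, str]:
    """Map a basename to its subject: ':wheel' -> group, ':10' -> gid, 'joe' -> user, '1000' -> uid."""
    if basename.startswith(":"):
        name = basename[1:]
        return ("gid" if name.isdigit() else "group"), name
    return ("uid" if basename.isdigit() else "user"), basename

def parse_acl(text: str) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Parse Section=[priv][,priv]... lines into {section: privileges} plus validation errors.
    Sections never mentioned grant nothing, so they are simply absent from the result."""
    grants: Dict[str, Set[str]] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines tolerated (assumption, not stated by the man page)
        section, sep, privs = line.partition("=")
        section = section.strip()
        if not sep or section not in SECTIONS:
            errors.append(f"line {lineno}: expected Section=privileges with a known section")
            continue
        wanted = {p.strip() for p in privs.split(",") if p.strip()}
        unknown = wanted - SECTIONS[section]
        if unknown:
            errors.append(f"line {lineno}: {section} has no privilege {sorted(unknown)}")
        grants.setdefault(section, set()).update(wanted & SECTIONS[section])
    return grants, errors

def acl_file_mode_ok(st_mode: int) -> bool:
    """Manually created ACL files must be mode 0600; pass os.stat(path).st_mode."""
    return stat.S_IMODE(st_mode) == 0o600

# Constructed samples: the man page's recommended file and a malformed one.
SAFE_ACL = "Devices=modify,list,listen\nPolicy=list\nExceptions=listen\n"
BAD_ACL = "Policy=listen\nDevices=modify,format\nExceptions\n"
```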
   Legacy: IPCAllowedUsers and IPCAllowedGroups
       Example configuration allowing full IPC access to users root, joe and
       members of the group wheel:

           IPCAllowedUsers=root joe
           IPCAllowedGroups=wheel

SEE ALSO
       usbguard-daemon(8), usbguard-rules.conf(5)



01/14/2021                                                 USBGUARD-DAEMON.C(5)