USBGUARD-DAEMON.CONF(5)                                USBGUARD-DAEMON.CONF(5)


NAME

       usbguard-daemon.conf - USBGuard daemon configuration file


DESCRIPTION

       The usbguard-daemon.conf file is loaded by the USBGuard daemon after it
       parses its command-line options. It is used to configure runtime
       parameters of the daemon. The default search path is
       /etc/usbguard/usbguard-daemon.conf. It may be overridden using the -c
       command-line option, see usbguard-daemon(8) for further details.


OPTIONS

       RuleFile=path
           The USBGuard daemon loads the policy rule set from this file and
           writes new rules received via the IPC interface to it.
           Default: %sysconfdir%/usbguard/rules.conf

       RuleFolder=path
           The USBGuard daemon loads the policy rule set from every file in
           this folder and writes new rules received via the IPC interface
           there. The option is usually set to /etc/usbguard/rules.d/. Like
           other standard Linux daemons, USBGuard loads the rule files in
           alphanumeric order, so file names inside the RuleFolder directory
           should start with a two-digit number prefix indicating the
           position at which the daemon scans their rules.

       ImplicitPolicyTarget=target
           How to treat USB devices that don’t match any rule in the policy.
           Target should be one of allow, block or reject (logically remove
           the device node from the system). Default: block

       PresentDevicePolicy=policy
           How to treat USB devices that are already connected when the daemon
           starts. Policy should be one of allow, block, reject, keep (keep
           whatever state the device is currently in) or apply-policy
           (evaluate the rule set for every present device). Default:
           apply-policy

       PresentControllerPolicy=policy
           How to treat USB controller devices that are already connected when
           the daemon starts. One of allow, block, reject, keep or
           apply-policy. Default: keep

       InsertedDevicePolicy=policy
           How to treat USB devices that are connected after the daemon
           starts. One of block, reject or apply-policy. Default:
           apply-policy

       AuthorizedDefault=authorizedDefault
           The USBGuard daemon modifies some of the default authorization
           state attributes of controller devices. This setting defines what
           value the default authorization is set to. Authorized default
           should be one of keep (do not change the authorization state), none
           (every new device starts out deauthorized), all (every new device
           starts out authorized) or internal (internal devices start out
           authorized, external ones do not). Default: none

       RestoreControllerDeviceState=boolean
           The USBGuard daemon modifies some attributes of controller devices,
           such as the default authorization state of new child device
           instances. This setting controls whether the daemon tries to
           restore those attributes to their pre-modification values on
           shutdown. See SECURITY CONSIDERATIONS before enabling it.
           Default: false

       DeviceManagerBackend=backend
           Which device manager backend implementation to use. Backend should
           be one of uevent (default) or umockdev (useful for testing). The
           uevent backend is a netlink-based implementation that uses sysfs to
           scan for present devices and a uevent socket to receive USB device
           related events. The umockdev-based device manager can simulate
           devices from umockdev-record files. Default: uevent

       IPCAllowedUsers=username [username ...]
           A space-delimited list of usernames that the daemon will accept IPC
           connections from. Default: root

       IPCAllowedGroups=groupname [groupname ...]
           A space-delimited list of groupnames that the daemon will accept
           IPC connections from.

       IPCAccessControlFiles=path
           The files in this directory are interpreted by the daemon as IPC
           access control definition files. See the IPC ACCESS CONTROL section
           for more details.

       DeviceRulesWithPort=boolean
           Generate device-specific rules including the "via-port" attribute.
           Default: false

       AuditBackend=backend
           USBGuard audit events log backend. The backend value should be one
           of FileAudit or LinuxAudit. Default: FileAudit

       AuditFilePath=filepath
           USBGuard audit events log file path. Required if AuditBackend is
           set to FileAudit. Default:
           %localstatedir%/log/usbguard/usbguard-audit.log

       HidePII=boolean
           Hides personally identifiable information such as device serial
           numbers and hashes of descriptors (which include the serial number)
           from audit entries. Default: false

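       The following shell script is an added example and is not part of the
       USBGuard project. It lints a usbguard-daemon.conf against the option
       names and value sets listed above and reports the two conditions the
       SECURITY CONSIDERATIONS section warns about (no IPC ACL configured and
       RestoreControllerDeviceState=true). The two sample configurations it
       writes to a temporary directory are constructed for the demonstration;
       the path /etc/usbguard/IPCAccessControl.d/ in the hardened sample is an
       assumed location, not one taken from this page.

```bash
#!/bin/bash
# Added example: a linter for usbguard-daemon.conf. Not part of USBGuard.
# It checks every Key=value line against the option names and value sets
# documented in usbguard-daemon.conf(5) and reports the two hazardous
# settings called out under SECURITY CONSIDERATIONS.
set -u

# Permitted values per option; "*" means free-form (path or name list),
# an empty result means the option name is unknown.
allowed_values() {
    case "$1" in
        ImplicitPolicyTarget)          echo "allow block reject" ;;
        PresentDevicePolicy|PresentControllerPolicy)
                                       echo "allow block reject keep apply-policy" ;;
        InsertedDevicePolicy)          echo "block reject apply-policy" ;;
        AuthorizedDefault)             echo "keep none all internal" ;;
        RestoreControllerDeviceState|DeviceRulesWithPort|HidePII)
                                       echo "true false" ;;
        DeviceManagerBackend)          echo "uevent umockdev" ;;
        AuditBackend)                  echo "FileAudit LinuxAudit" ;;
        RuleFile|RuleFolder|AuditFilePath|IPCAccessControlFiles|IPCAllowedUsers|IPCAllowedGroups)
                                       echo "*" ;;
        *)                             echo "" ;;
    esac
}

# usbguard_conf_lint FILE: prints ERROR/WARN lines, returns 1 if any ERROR.
usbguard_conf_lint() {
    local file=$1 errors=0 acl=0 restore=false line key value ok
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac          # blank or comment
        case "$line" in
            *=*) key=${line%%=*}; value=${line#*=} ;;
            *)   echo "ERROR: not a Key=value line: $line"
                 errors=$((errors + 1)); continue ;;
        esac
        ok=$(allowed_values "$key")
        if [ -z "$ok" ]; then
            echo "ERROR: unknown option $key"; errors=$((errors + 1)); continue
        fi
        if [ "$ok" != "*" ]; then
            case " $ok " in
                *" $value "*) ;;
                *) echo "ERROR: $key=$value (expected one of: $ok)"
                   errors=$((errors + 1)); continue ;;
            esac
        fi
        case "$key" in
            IPCAllowedUsers|IPCAllowedGroups|IPCAccessControlFiles)
                if [ -n "$value" ]; then acl=1; fi ;;
            RestoreControllerDeviceState) restore=$value ;;
            ImplicitPolicyTarget|PresentDevicePolicy)
                if [ "$value" = allow ]; then
                    echo "WARN: $key=allow admits devices without a matching rule"
                fi ;;
        esac
    done < "$file"
    # The two conditions from SECURITY CONSIDERATIONS.
    if [ "$acl" -eq 0 ]; then
        echo "ERROR: no IPC ACL configured; every local user could reach the IPC interface"
        errors=$((errors + 1))
    fi
    if [ "$restore" = true ]; then
        echo "ERROR: RestoreControllerDeviceState=true; a forced shutdown reverts controllers to the permissive default"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Two constructed sample configurations (demo input, not real deployments).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=allow
RestoreControllerDeviceState=true
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
RuleFile=/etc/usbguard/rules.conf
RuleFolder=/etc/usbguard/rules.d/
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
HidePII=true
EOF
for name in weak hardened; do
    echo "== $name.conf"
    usbguard_conf_lint "$demo_dir/$name.conf" && echo "clean"
done
```

       Run usbguard_conf_lint against /etc/usbguard/usbguard-daemon.conf to
       check a real deployment; the linter only knows the options documented
       here, so an option added by a newer USBGuard release is reported as
       unknown rather than silently accepted.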

SECURITY CONSIDERATIONS

   IPC
       The daemon provides the USBGuard public IPC interface. Depending on
       your distribution defaults, access to this interface is limited to a
       certain group or a specific user only. Set either the IPCAllowedUsers,
       IPCAllowedGroups or IPCAccessControlFiles option to limit access to
       the IPC interface. Do not leave the ACL unconfigured, as that exposes
       the IPC interface to all local users and allows them to manipulate the
       authorization state of USB devices and to modify the USBGuard policy.

   RestoreControllerDeviceState configuration option
       If set to true, the USB authorization policy could be bypassed by an
       attacker who manages to make the daemon shut down (for example via a
       local exploit or a malicious USB device): on shutdown the daemon would
       restore the controllers to the operating-system default state, which
       is known to be permissive.


IPC ACCESS CONTROL

       Access to the USBGuard IPC interface can be limited per user or group.
       Furthermore, by using the IPC Access Control files, it is possible to
       limit the access down to the level of Sections and Privileges as
       explained below.

   Recommended: IPCAccessControlFiles
       When you set the IPCAccessControlFiles option, the daemon looks for
       IPC access control files in the directory specified by the set value.
       Each file in the directory is processed as follows:

        1. The basename of the file is interpreted as a username, UID,
           groupname or GID. If the name starts with : (colon), the rest of
           the name is taken as a group identifier (groupname, or GID if the
           string is numeric-only). Otherwise, it is interpreted as a user
           identifier (username, or UID if the string is numeric-only).

        2. The contents of the file are parsed as
           Section=[privilege1][,privilege2] ...  formatted lines which
           specify the section privileges. If a section is omitted, no
           privileges are granted for that section.

       Available sections and privileges:

       Devices

           •   modify: Change authorization state of devices including
               permanent changes (i.e. modification of device specific rules
               in the policy).

           •   list: Ability to get a list of recognized devices and their
               attributes.

           •   listen: Listen to device presence and device policy changes.

       Policy

           •   modify: Append rules to or remove any rules from the policy.

           •   list: Ability to view the currently enforced policy.

       Exceptions

           •   listen: Receive exception messages.

       Parameters

           •   modify: Set values of run-time parameters.

           •   list: Get values of run-time parameters.

       The following is a generally usable and reasonably safe example of an
       access control file. It allows one to modify USB device authorization
       state (Devices=modify), list USB devices (Devices=list), listen to USB
       device related events (Devices=listen), list USB authorization policy
       rules (Policy=list) and listen to exception events (Exceptions=listen):

           Devices=modify,list,listen
           Policy=list
           Exceptions=listen

       Policy=modify is deliberately left out: it allows appending or
       removing any rule in the policy, so grant it only to administrators.

       You can create or remove the IPC access control files using the
       usbguard add-user and usbguard remove-user CLI commands. See
       usbguard(1) for more details. If you create the IPC access control
       files manually, you need to set the file permissions to 0600.

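       The following shell functions are an added example, not part of
       USBGuard's own tooling (which provides the usbguard add-user command
       for this job). They write IPC access control files with the layout
       described in this section, enforce the 0600 permission, and validate
       each Section=privilege line against the sections and privileges listed
       above. The temporary directory stands in for the directory named by
       IPCAccessControlFiles, and the principals joe and :wheel are
       constructed for the demonstration.

```bash
#!/bin/bash
# Added example: helpers for USBGuard IPC access control files. Not part of
# the USBGuard project (which provides "usbguard add-user" for this job).
set -u

# Privileges each section accepts, per usbguard-daemon.conf(5).
section_privileges() {
    case "$1" in
        Devices)    echo "modify list listen" ;;
        Policy)     echo "modify list" ;;
        Exceptions) echo "listen" ;;
        Parameters) echo "modify list" ;;
        *)          echo "" ;;
    esac
}

# acl_validate FILE: checks the 0600 mode and every Section=priv[,priv] line;
# prints ERROR lines and returns 1 if anything is wrong.
acl_validate() {
    local file=$1 errors=0 mode line section privs ok p
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    if [ "$mode" != 600 ]; then
        echo "ERROR: $file has mode $mode, expected 600"; errors=$((errors + 1))
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in
            *=*) section=${line%%=*}; privs=${line#*=} ;;
            *)   echo "ERROR: not a Section=privileges line: $line"
                 errors=$((errors + 1)); continue ;;
        esac
        ok=$(section_privileges "$section")
        if [ -z "$ok" ]; then
            echo "ERROR: unknown section $section"; errors=$((errors + 1)); continue
        fi
        # Privileges are comma separated; an empty list grants nothing.
        for p in $(printf '%s' "$privs" | tr ',' ' '); do
            case " $ok " in
                *" $p "*) ;;
                *) echo "ERROR: section $section has no privilege '$p'"
                   errors=$((errors + 1)) ;;
            esac
        done
    done < "$file"
    [ "$errors" -eq 0 ]
}

# acl_write DIR PRINCIPAL LINE...: creates DIR/PRINCIPAL with the given
# Section=privileges lines. PRINCIPAL is a username or UID, or :groupname
# or :GID with a leading colon, exactly as the daemon reads the basename.
acl_write() {
    local dir=$1 principal=$2 file
    shift 2
    file="$dir/$principal"
    ( umask 077; printf '%s\n' "$@" > "$file" )   # never created world-readable
    chmod 0600 "$file"                            # fix the mode if the file pre-existed
    acl_validate "$file"
}

# acl_privileges FILE SECTION: prints the comma-separated privileges for
# SECTION, or nothing when the section is omitted (the daemon grants none).
acl_privileges() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Demo with constructed principals; the temp dir stands in for the directory
# named by IPCAccessControlFiles.
acl_dir=$(mktemp -d)
acl_write "$acl_dir" joe    "Devices=modify,list,listen" "Policy=list" "Exceptions=listen"
acl_write "$acl_dir" :wheel "Devices=modify,list,listen" "Policy=modify,list" "Parameters=list"
printf 'Policy=listen\n' > "$acl_dir/bad"        # Policy has no "listen" privilege
chmod 0600 "$acl_dir/bad"
acl_validate "$acl_dir/bad" || echo "bad: rejected as expected"
ls -l "$acl_dir"
```

       Point acl_dir at the real IPCAccessControlFiles directory (as root) to
       audit an existing deployment with acl_validate; a file whose mode is
       not 0600 or whose lines name a privilege a section does not offer is
       reported, and the daemon will not see a section the file omits.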
   Legacy: IPCAllowedUsers and IPCAllowedGroups
       Example configuration allowing full IPC access to the users root and
       joe and to members of the group wheel:

           IPCAllowedUsers=root joe
           IPCAllowedGroups=wheel


SEE ALSO

       usbguard-daemon(8), usbguard-rules.conf(5)



                                  07/23/2021            USBGUARD-DAEMON.CONF(5)