Enabling USBGuard by default

usbguard is a really nice tool that allows you to control access to USB media.

With rubber duckies and much more stuff from Hak5 clearly showing that this is easy to exploit and really dangerous, and macOS (and GrapheneOS, kinda) having such a system enabled by default, I think we should enable and set up usbguard in all Fedora Desktop variants too.

It just requires 3 packages for a good UX: usbguard usbguard-selinux usbguard-notifier

The latter shows popup notifications on events, and also allows temporarily allowing or rejecting USB devices. It unfortunately has no option to hide unneeded messages or to permanently set behaviors.

Setting it up can be done automatically and graphically. Here is an implementation using kdialog for KDE Plasma; Zenity on GNOME would be the obvious equivalent.

USBGuard has quite some hoops to jump through

  • we need official Fedora docs on it, also with a clearer way for the end user to set it up, list devices, allow devices, block devices. That's it; more is mostly not needed
  • things like webcams and other internal USB devices may be blocked; these need to be allowed through the CLI
  • permanently allowing requires the CLI
  • phones have multiple modes; MTP is broken when only temporary allowing is used, so it needs to be permanently allowed (CLI) for each mode
2 Likes
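The internal-device case from the list above, as an added example that is not part of the original post: it parses `usbguard list-devices` output, lists what is currently blocked, and prints (without running) the permanent-allow command for blocked devices the kernel reports as hardwired. The sample lines, IDs and hashes are constructed, and treating a `hardwired` connect type as "internal" is an assumption to review per machine.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed line format of `usbguard list-devices`:
#   <nr>: <target> id <vid:pid> serial "..." name "..." ... with-connect-type "..."

# Constructed sample output; on a real system pipe `usbguard list-devices` instead.
sample_devices() {
cat <<'EOF'
1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "CONSTRUCTED1" parent-hash "CONSTRUCTED0" via-port "usb1" with-interface 09:00:00 with-connect-type ""
7: block id 0000:1111 serial "" name "Integrated Webcam" hash "CONSTRUCTED2" parent-hash "CONSTRUCTED1" via-port "1-5" with-interface { 0e:01:00 0e:02:00 } with-connect-type "hardwired"
9: block id 0000:2222 serial "ABC123" name "Example Phone (MTP)" hash "CONSTRUCTED3" parent-hash "CONSTRUCTED1" via-port "1-2" with-interface 06:01:01 with-connect-type "hotplug"
EOF
}

# Read list-devices output on stdin; print one tab-separated line per blocked
# device: <nr> <vid:pid> <name> <connect-type>
blocked_devices() {
    awk '$2 == "block" {
        nr = $1; sub(/:$/, "", nr)
        name = ""; ctype = ""
        if (match($0, / name "[^"]*"/))
            name = substr($0, RSTART + 7, RLENGTH - 8)
        if (match($0, / with-connect-type "[^"]*"/))
            ctype = substr($0, RSTART + 20, RLENGTH - 21)
        printf "%s\t%s\t%s\t%s\n", nr, $4, name, ctype
    }'
}

# Print (do not execute) a permanent-allow command for each blocked device
# that is reported as hardwired, e.g. a built-in webcam. Hotplugged devices
# such as phones are left for a manual decision.
permanent_allow_cmds() {
    blocked_devices | awk -F '\t' '$4 == "hardwired" {
        printf "usbguard allow-device -p %s\n", $1
    }'
}

# Demo on the constructed sample.
sample_devices | blocked_devices
sample_devices | permanent_allow_cmds
```

The device number in `list-devices` changes across replugs and reboots, so the printed command is only valid for the listing it was generated from.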

Nice, I did not know usbguard also has per-user and per-port rules. I was using 2 or 3 CLI commands. But even if usbguard is running, it does not protect against a malicious USB device with modified firmware. You would have to trust that USB device or make sure it is delivered sealed. I would also be sure to enable a password and disable USB boot in my UEFI/BIOS.

In sensitive areas/data centers, solutions like usbguard are definitely useful, but whether the distribution must enable it by default, I don't know; as always, this and security aspects are debatable.

1 Like

Ticket

5 Likes

We’ve decided to reject usbguard for the time being, but we can revisit in the future once firmware update problems are resolved.

1 Like