USBGuard is a tool that uses the Linux kernel's USB device authorization feature to block unknown USB devices. It lets you register devices as trusted, either temporarily or permanently.
Once set up, it is not hard to use, and I will show you how to do this.
This is crucial to protect against malicious devices that pose as input devices (BadUSB, "rubber ducky" keystroke injectors), USB keystroke loggers and similar. Note that it only covers the USB bus: Thunderbolt/PCIe DMA attacks are a separate problem and need IOMMU-based protection.
Install USBGuard
Traditional Fedora:
run0 dnf install -y usbguard usbguard-selinux usbguard-notifier && reboot
Atomic Desktops:
rpm-ostree install usbguard usbguard-selinux usbguard-notifier --reboot
Initial setup
Plug in all devices you commonly use, at least mouse and keyboard.
This script writes a permanent allow rule for every device attached at that moment, so you cannot lock yourself out of your own keyboard; if generating the policy fails, it stops before the daemon is enabled.
It is easy to add additional devices afterwards.
#!/usr/bin/bash
# Everything inside the quotes runs as root via run0; the current user name is passed in as $1.
run0 sh -c '
set -e
# Config and log directories with the SELinux labels the usbguard-selinux policy expects
mkdir --parents --mode=755 --context=system_u:object_r:usbguard_conf_t:s0 /etc/usbguard
mkdir --parents --mode=755 --context=system_u:object_r:usbguard_log_t:s0 /var/log/usbguard
# Write an allow rule (with device hash) for every device attached right now
usbguard generate-policy > /etc/usbguard/rules.conf
chmod 0600 /etc/usbguard/rules.conf
# Let members of the usbguard group talk to the daemon over IPC, in addition to wheel
sed -i "/^IPCAllowedGroups=wheel/s/$/ usbguard/" /etc/usbguard/usbguard-daemon.conf
# From now on (and at every boot) devices not in rules.conf are blocked
systemctl enable --now usbguard.service
# Grant this user IPC access so the notifier and the usbguard CLI work without root
usbguard add-user "$1"
' -- "$USER"
# Per-user desktop notifier that pops up when a device gets blocked
systemctl enable --user --now usbguard-notifier.service
systemctl enable --user --now usbguard-notifier.service
Once this has run, usbguard-daemon is enabled and running, and the per-user systemd service for the desktop notifier, usbguard-notifier, is enabled as well.
Usage
If you plug in a new device, it is blocked. The notifier shows a message with a button to allow it temporarily, i.e. until it is unplugged again.
To permanently allow a device, you currently need the terminal:
usbguard list-devices | grep block
usbguard allow-device -p ID
The ID is the number at the start of each line printed by list-devices (a per-session device number, not the vendor:product id); usbguard list-devices -b lists only blocked devices. The -p (permanent) flag appends a matching allow rule, including the device hash, to /etc/usbguard/rules.conf; without -p the device is only allowed until it is unplugged.
Troubleshooting
Android & MTP
An Android phone presents itself as a different USB device depending on the USB mode selected on the phone.
The mode determines what the PC detects, for example:
- charging only
- USB tethering
- file transfer (MTP)
- digital camera (PTP, media transfer only)
- webcam
- debugging (ADB)
Allow every mode you use separately: set the phone to that mode in the Android settings, then run the USBGuard allow command on your PC.
MTP (file transfer) only works if you permanently allow the phone while it is set to "file transfer" in the settings. The other modes work with a temporary allow.
Webcams and other internals
Many built-in webcams are USB devices, but since they are never hot-plugged they do not show up as a new device in the notifier, and for some reason they were also not picked up by the initial script. You will find them in the output of usbguard list-devices -b.
Just use the commands above to allow the webcam permanently and it will work.
My webcam was really stuttery; this workaround solved it for me:
# CAUTION: while the implicit policy is "allow", any device plugged in is authorized without a prompt, so switch it back immediately
usbguard set-parameter ImplicitPolicyTarget allow
usbguard set-parameter ImplicitPolicyTarget block
Firmware updates
See this thread about the mentioned problem.
USB devices like FIDO2 keys (YubiKey, Nitrokey, etc.) enter a different mode (bootloader/DFU) while being updated. In this mode the device shows up with a different vendor:product id and hash, so USBGuard treats it as a new, unknown device and blocks it.
Just permanently allow the device with the new ID and, if necessary, retry the update; it will work.
This was tested with a Nitrokey 3 and the Nitrokey App2 (Flatpak).
Remove devices
It is best to trust as few devices as possible, since the vendor:product id, name and serial number a device reports can be faked by a malicious device. Rules pinned to a device hash are harder to impersonate than rules that match only on the id.
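To see which entries in a rules file are pinned to a hash and which would match any device that fakes the same vendor:product id, the following audit script reads rules in the syntax that usbguard generate-policy and usbguard allow-device -p write to /etc/usbguard/rules.conf. It is an added example for this page, not part of USBGuard, and it illustrates both the "permanently allow" step in the Usage section and the advice here to trust as few devices as possible. The rule lines and hash values embedded in it are constructed samples, not real devices.

```bash
#!/usr/bin/env bash
# Added example for this page, not USBGuard code. Audits USBGuard rules for
# "allow" entries that are not pinned to a device hash. A rule that only
# matches id VID:PID (plus name/serial) is satisfied by any device that
# reports those values, and a malicious device can report whatever it likes;
# a rule carrying hash "..." also ties the decision to the descriptors that
# USBGuard hashed when the rule was created.
set -e

# Read rules on stdin, print the "allow" rules that carry no hash attribute.
# "parent-hash" does not count: it identifies the hub/port, not the device.
# Comment lines and block/reject rules are ignored.
weak_allow_rules() {
    grep -E '^[[:space:]]*allow([[:space:]]|$)' \
    | grep -Ev '(^|[[:space:]])hash "[^"]+"' || true
}

# Number of weak allow rules on stdin (prints 0 when there are none).
count_weak_allow_rules() {
    weak_allow_rules | grep -c . || true
}

# Constructed sample rules file in the syntax usbguard writes. The hashes
# are made-up base64 strings, not hashes of real devices.
SAMPLE_RULES=$(cat <<'EOF'
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "Y0s2dGRh0QdkG2v5Pf8mrSrO2gnDAQgGNaZlLzhF8rA=" parent-hash "rq3M6hfkGp0ZVdmB1r2b2kkFZ1lOqY0PQwOAv7IhwPY=" via-port "usb1" with-interface 09:00:00
# hand-written rule: matches any device that claims to be this keyboard
allow id 046d:c31c name "USB Keyboard"
allow id 1050:0407 name "YubiKey OTP+FIDO+CCID" hash "b9Ul0Q0oDt9BqdPdd5bZAXT8pIVkfdVrUMI8G8rBxPE=" parent-hash "rq3M6hfkGp0ZVdmB1r2b2kkFZ1lOqY0PQwOAv7IhwPY=" via-port "1-3" with-interface { 03:01:01 03:00:00 0b:00:00 }
block with-interface one-of { 03:00:01 03:01:01 }
EOF
)

# Demo on the constructed sample: only the hand-written keyboard rule is weak.
printf '%s\n' "$SAMPLE_RULES" | weak_allow_rules
echo "weak allow rules: $(printf '%s\n' "$SAMPLE_RULES" | count_weak_allow_rules)"
```

Rules written by usbguard allow-device -p carry the hash, so weak entries usually come from hand-edited rules. To audit the real file, feed it to the same function as root, e.g. run0 cat /etc/usbguard/rules.conf | weak_allow_rules, or compare with the output of usbguard list-rules; a flagged device is best re-added by plugging it in and running usbguard allow-device -p on it.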
TODO