New release: usbguard-0.4

I’m not dead yet. And the project is still alive too. It’s been a while since the last release, so it’s time to do another. The biggest improvements were made to the rule language by introducing the rule conditions and to the CLI by introducing a new command, usbguard, for interacting with a running USBGuard daemon instance and for generating initial policies.

Here’s an example of what you can do with the new rule conditions feature:

allow with-interface one-of { 03:00:01 03:01:01 } if !rule-applied

This one-liner in the policy will ensure that a USB keyboard will be authorized only once. If somebody connects another USB keyboard, it won’t be allowed. Of course, if you disconnect yours, then that one won’t be authorized either when connected again. Another, somewhat similar example is this:

allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })

That one will allow a USB keyboard to be connected only if no other keyboard is currently connected. You can narrow down the match to a specific device type, serial number, or anything else the rule language supports, including other conditions.
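To make the difference between the two conditions concrete, here is a small Python model of the behaviour described above. It is an added example written for this post, not USBGuard's own rule evaluator: it assumes a first-match policy with an implicit "block" target, models `rule-applied` as a per-rule flag that is set the first time the rule decides a device, and models `allowed-matches(query)` as "some currently connected, allowed device matches the query". Device names and the mass-storage interface `08:06:50` are constructed sample values.

```python
from dataclasses import dataclass, field

# Interface class:subclass:protocol triples from the post's keyboard rule.
KEYBOARD_INTERFACES = {"03:00:01", "03:01:01"}


@dataclass
class Device:
    """A USB device as seen by the policy: an identifier and its interfaces."""
    name: str
    interfaces: set


@dataclass
class Rule:
    """One policy rule: target, interface match, and an optional condition.

    condition is one of "", "rule-applied" or "allowed-matches";
    query holds the interface set passed to allowed-matches(...).
    """
    target: str
    interfaces: set
    condition: str = ""
    negate: bool = False
    query: set = field(default_factory=set)
    applied: bool = False  # assumption: rule-applied is per-rule state


class PolicySim:
    """First-match evaluator over a list of rules (simplified model, not USBGuard)."""

    def __init__(self, rules, implicit_target="block"):
        self.rules = rules
        self.implicit_target = implicit_target
        self.present = {}  # name -> (Device, target decided for it)

    @staticmethod
    def interfaces_match(wanted, dev):
        # "with-interface one-of { ... }": any listed interface is enough.
        return bool(wanted & dev.interfaces)

    def condition_holds(self, rule):
        if rule.condition == "":
            value = True
        elif rule.condition == "rule-applied":
            value = rule.applied
        elif rule.condition == "allowed-matches":
            value = any(
                target == "allow" and self.interfaces_match(rule.query, dev)
                for dev, target in self.present.values()
            )
        else:
            raise ValueError(f"unknown condition {rule.condition!r}")
        return value != rule.negate  # "!" flips the result

    def insert(self, dev):
        """Decide a target for a newly connected device and record it."""
        target = self.implicit_target
        for rule in self.rules:
            if self.interfaces_match(rule.interfaces, dev) and self.condition_holds(rule):
                target = rule.target
                rule.applied = True
                break
        self.present[dev.name] = (dev, target)
        return target

    def remove(self, name):
        """Model a disconnect: the device no longer counts for allowed-matches."""
        self.present.pop(name, None)


def demo_rule_applied():
    """allow with-interface one-of {kbd} if !rule-applied"""
    sim = PolicySim([Rule("allow", KEYBOARD_INTERFACES, "rule-applied", negate=True)])
    decisions = [sim.insert(Device("kbd-A", {"03:01:01"}))]   # first keyboard: allow
    decisions.append(sim.insert(Device("kbd-B", {"03:01:01"})))  # second keyboard: block
    sim.remove("kbd-A")
    decisions.append(sim.insert(Device("kbd-A", {"03:01:01"})))  # reconnect: still block
    decisions.append(sim.insert(Device("usb-stick", {"08:06:50"})))  # no rule matches: implicit block
    return decisions


def demo_allowed_matches():
    """allow with-interface one-of {kbd} if !allowed-matches(with-interface one-of {kbd})"""
    rule = Rule("allow", KEYBOARD_INTERFACES, "allowed-matches",
                negate=True, query=KEYBOARD_INTERFACES)
    sim = PolicySim([rule])
    decisions = [sim.insert(Device("kbd-A", {"03:01:01"}))]   # nothing allowed yet: allow
    decisions.append(sim.insert(Device("kbd-B", {"03:01:01"})))  # kbd-A still present: block
    sim.remove("kbd-A")
    decisions.append(sim.insert(Device("kbd-C", {"03:00:01"})))  # no keyboard present: allow
    return decisions


if __name__ == "__main__":
    print("rule-applied:   ", demo_rule_applied())
    print("allowed-matches:", demo_allowed_matches())
```

The two scenarios differ exactly where the post says they do: with `!rule-applied` the first keyboard consumes the rule for good, so even the original keyboard is blocked after a reconnect, while `!allowed-matches(...)` only looks at what is connected and allowed right now, so a replacement keyboard is accepted once the first one is gone.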

Another feature that improves the usability of USBGuard is the new command-line interface, which allows you, among other things, to generate initial policies for your system. To quickly generate a policy based on all the connected USB devices, run:

# usbguard generate-policy > rules.conf
# vi rules.conf
(review/modify the generated rule set)
# cp rules.conf /etc/usbguard/rules.conf
# chmod 0600 /etc/usbguard/rules.conf
# systemctl restart usbguard

There are some options to tweak the resulting policy. See the usbguard(1) manual page for further details.

And last but not least, thanks to Philipp Deppenwiese, USBGuard is now packaged for the Gentoo Linux distribution.

Major changes

WARNING: Backwards incompatible changes

Updating

If you are using Fedora or the USBGuard Copr repository, run:

$ sudo dnf update usbguard

Download

Tarballs can be downloaded here: