New release: usbguard-0.4
I’m not dead yet. And the project is still alive too. It’s been a while since the last release, so it’s time to do another. The biggest improvements were made to the rule language by introducing the rule conditions and to the CLI by introducing a new command, usbguard
, for interacting with a running USBGuard daemon instance and for generating initial policies.
Here’s an example of what you can do with the new rule conditions feature:
allow with-interface one-of { 03:00:01 03:01:01 } if !rule-applied
This one-liner in the policy will ensure that a USB keyboard will be authorized only once. If somebody connects another USB keyboard, it won’t be allowed. Of course, if you diconnect yours, then that one won’t be authorized either when connected again. Another, somewhat similar example is this:
allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })
That one will allow to connect a USB keyboard only if no other is currently connected. You can narrow down the match to a specific type, serial number, or whatever else that the rule language supports. Including other conditions.
Another feature that improves the usability of USBGuard is the new command-line interface which allows you, among other things, to generate initial policies for your system. To quicky generate a policy based on all the connected USB devices, run:
# usbguard generate-policy > rules.conf
# vi rules.conf
(review/modify the generated rule set)
# cp rules.conf /etc/usbguard/rules.conf
# chmod 0600 /etc/usbguard/rules.conf
# systemctl restart usbguard
There are some options to tweak the resulting policy. See the usbguard(1) manual page for further details.
And last but not least, thanks to Philipp Deppenwiese, USBGuard is now packaged for the Gentoo Linux distribition.
Major changes
- The daemon is now capable of dropping process capabilities and uses a seccomp based syscall whitelist. Options to enable these features were added to the usbguard-daemon command.
- Devices connected at the start of the daemon are now recognized and the DevicePresent signal is sent for each of them.
- New configuration options for setting the implicit policy target and how to handle the present devices are now available.
- String values read from the device are now properly escaped and length limits on these values are enforced.
- The library API was extended with the Device and DeviceManager classes.
- Implemented the usbguard CLI, see usbguard(1) for available commands.
- Initial authorization policies can be now easily generated using the
usbguard generate-policy
command. - Extended the rule language with rule conditions. See usbguard-rules.conf(5) for details.
- Moved logging code into the shared library. You can use static methods of the Logger class to configure logging behaviour.
- Removed the bundled libsodium and libqb libraries.
- Fixed several bugs.
- Resolved issues: #46, #45, #41, #40, #37, #32, #31, #28, #25, #24, #21, #16, #13, #9, #4
WARNING: Backwards incompatible changes
- The device hashing procedure was altered and generates different hash values. If you are using the hash attribute in your rules, you’ll have to update the values.
- The bundled libsodium and libqb were removed. You’ll have to compile and install them separately if your distribution doesn’t provide them as packages.
Updating
If you are using Fedora or the USBGuard Copr repository, run:
$ sudo dnf update usbguard
Download
Tarballs can be downloaded here: