If you want to compile the sources from a release tarball, you’ll have to install development files for:

  • libqb - used for IPC
  • libsodium - used for hashing
  • systemd-devel - used for udev

Optionally, you may want to install:

  • libseccomp - used to implement a syscall whitelist
  • libcap-ng - used to drop process capabalities

And then do:

$ ./configure
$ make
$ sudo make install

After the sources are successfully built, you can run the testsuite by executing:

$ make check

If you want to compile the sources in a cloned repository, there are additional step required:

$ git submodule init
$ git submodule update

This will fetch the sources of json, spdlog and Catch which are used in this project too.

And to generate the configure script, run:

$ ./autogen.sh

If you want to modify the lexer and/or the parser, you’ll have to generate new source files for them. To learn how to do that, read src/Library/RuleParser/README.md.

OS packages

Fedora Linux, RHEL or CentOS

Pre-compiled packages for Fedora 21, 22, 23, rawhide and EPEL 7 (RHEL, CentOS) are distributes using a Copr repository. You can install the repository by executing the following steps:

$ sudo yum install yum-plugin-copr
$ sudo yum copr enable mildew/usbguard
$ sudo yum install usbguard
$ sudo yum install usbguard-applet-qt


For Gentoo you can use the stuge overlay via layman:

$ layman -a das-labor
$ emerge -av usbguard


WARNING: before you start using usbguard be sure to configure it first unless you know exactly what you are doing (all USB devices will get blocked). For more information on how to configure usbguard see configuration and rule language.

To actually start the daemon, use:

$ sudo systemctl start usbguard.service

You can interact with the daemon using either the CLI (see usbguard(1)) or the GUI Qt applet, which will also notify you about device events and ask for authorization of devices that don’t match any rule in the policy. To start the applet, use the following command:

$ usbguard-applet-qt