USBGuard - what should we allow or disallow by default?

Fair and good points. I still think external USB webcams should be rejected, but you know, that's just like my opinion, man.

It might be possible to mitigate this risk such that we can allow USB Ethernet by default.

I'd be in favor of this, preferably. Could a rule to block, like @NTH9R6 stated, work?

It would be nice to enable USB Ethernet that doesn’t use RNDIS… but looking at Defined Class Codes | USB-IF I don’t immediately see anything about USB and Ethernet that isn’t RNDIS, so I’m not sure an interface rule (like the rules we’ve been using) will work. More investigation is needed there, if it turns out to be possible I’ll try to enable it.

I’m fully aware of the threat posed by the Equation APT actor.

Apologies for the scattered remarks about mixing up internal versus external webcams while referencing Keytap 2.

The more I read this thread, the greater the impact on my tranquil mindset: each presumed certainty only reveals further unknowns of what I thought I knew.

1 Like

How about something along the lines like this?

# --------------------------------------------------------------
# Block USB video devices (webcams)
#   USB Video Class = 0x0E (class) - any subclass / protocol
#   one-of: reject if any interface of the device matches, so a
#   webcam that also exposes an audio interface is still caught
# --------------------------------------------------------------
reject with-interface one-of { 0e:*:* }

# --------------------------------------------------------------
# Block stand-alone microphones
#   Audio class = 0x01, subclass = 0x02 (Audio Streaming)
#   (Headsets usually also expose a HID interface)
# --------------------------------------------------------------
#reject with-interface one-of { 01:02:* }

# --------------------------------------------------------------
# Block all USB printers (Printers and Scanners)
#   Printer class = 0x07
# --------------------------------------------------------------
#reject with-interface one-of { 07:*:* }

# --------------------------------------------------------------
# Block pure MIDI devices
#   Audio class = 0x01, subclass = 0x03 (MIDI Streaming)
# --------------------------------------------------------------
#reject with-interface one-of { 01:03:* }

# --------------------------------------------------------------
# Block Bluetooth dongles (Wireless Controller)
#   Wireless Controller class = 0xE0
# --------------------------------------------------------------
#reject with-interface one-of { e0:*:* }

Edit: I'm getting confused about operators and attributes here for the rules?

1 Like

Doesn't with-interface expect an attribute name, aka interface-type or subclass, or else the parser will reject it?

2 files. Review welcome.



2 Likes

I'm glad something like USBGuard exists. I'm going to test different USB adapters to see if I discover conflicts.

Does USBGuard send desktop notifications in Xfce for events? I know it does have integration with GNOME.

1 Like

At least right now USBGuard does not display desktop notifications. There’s a utility for that in the Debian repos (usbguard-notifier) but it’s not been integrated yet. Might be worth doing?

3 Likes

Yes, if it works, probably highly useful.

1 Like

Yes. It would be perfect and would solve all the problems.

For those that can't wait, this guide is good:

http://opbible7nans45sg33cbyeiwqmlp5fu7lklu6jd6f3mivrjeqadco5yd.onion/opsec/usbdeadmansswitch/

http://archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion/FVwe4

https://archive.ph/FVwe4

My Alfa wireless USB WiFi adapter is blocked after I plug it in.

This is the output of my Alfa wireless adapter for lsusb: ID 0e8d:7612
Could you add a rule that allows WiFi protocols?

There are seven protocols (0x04 - 0x0A) for RNDIS; the rule looks like it only covers RNDIS over Ethernet?

reject with-interface one-of { ef:05:* }  # RNDIS over Wi-Fi
reject with-interface one-of { ef:06:* }  # RNDIS over WiMAX
reject with-interface one-of { ef:07:* }  # RNDIS over WWAN
reject with-interface one-of { ef:08:* }  # RNDIS for Raw IPv4
reject with-interface one-of { ef:09:* }  # RNDIS for Raw IPv6
reject with-interface one-of { ef:0a:* }  # RNDIS for GPRS
2 Likes

The other day I did a dist-upgrade on a distro morph and /etc/usbguard/rules.d/30_security-misc.conf does not exist? Neither were usbguard or usbguard-notifier packages added after the upgrade.

user@host:~$ ls /etc/usbguard/rules.d/
user@host:~$

I had to install those two and add 30_security-misc.conf manually with 0600 permissions and it worked.

Yes, the Debian wiki suggests installing usbguard alongside the GUI notifier usbguard-notifier.

1 Like

Quoting the initial post:

Kicksecure 18 has not yet been released. The current released version of Kicksecure is Kicksecure 17. We’re discussing what to do for the next major release.

2 Likes

Thanks, I’ll continue to test some things manually. Sorry I missed that part about the version.

Is there anything in the daemon config that adjusts how early in the boot process USBGuard is loaded?

The reason I'm curious is that I noticed I was able to plug in a non-storage device after the login screen, before the desktop screen was loaded?
I'll test it again; it could just be something else with my system specific to my morph.

That is what it should do unless you have the USB adapter plugged in before starting up your computer it should be allowed.
Are you testing the config file manually as well?

What does this command show?

lsusb -v | awk '/0002:0002/ {found=1} found && /bInterfaceClass/ {print; exit}'

Replace /0002:0002/ with the device ID that lsusb shows for the device; in your case it would be /0e8d:7612/.

For the record, the Samsung SSD drive that I have been testing a distro morph on indeed shows up as class 8, aka Mass Storage, so there should be no issue with the current rule, since it's booting the system off an external SSD drive.

user@host:~$ lsusb -v | awk '/04e8:0002/ {found=1} found && /bInterfaceClass/ {print; exit}'
      bInterfaceClass         8 Mass Storage
user@host:~$

That means there shouldn't be any issues with USBGuard for users that choose to install and boot from external media as such (external SSD/HDD drives etc.).

1. The current rule allows USBs that are plugged in before the daemon is loaded (before the computer boots up).

2. External SSD/HDD drives should come up as class 8 Mass Storage, which is allowed by the policy rule set.

2 Likes

To get the output of Base Class (bInterfaceClass), SubClass (bInterfaceSubClass), and Protocol (bInterfaceProtocol), you can try pasting this command, if it matters:

lsusb -v | awk '/0002:0002/ {found=1} found && /bInterface/ && !/bInterfaceNumber/ {print; if (/bInterfaceProtocol/) exit}'
1 Like
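Added example, not code from this thread or from the USBGuard project: a small shell script that turns the bInterfaceClass / bInterfaceSubClass / bInterfaceProtocol lines of `lsusb -v` (the same lines the awk one-liners above pull out) into the `cc:ss:pp` triplets USBGuard uses in `with-interface` sets, and then evaluates a rule operator against that set. It lets you check, before editing the rules file, whether a device would be caught by a given rule; the demonstration shows why the webcam block rule posted earlier wants `one-of` rather than `equals`, since a webcam that also exposes an audio interface matches `one-of { 0e:*:* }` but not `equals { 0e:*:* }`. The lsusb fragment is constructed, the function names `usbguard_interfaces` and `rule_matches` are mine, and the operator semantics are my reading of the usbguard-rules manual rather than the daemon's own implementation.

```shell
#!/bin/sh
# Added example, not code from the thread or from the USBGuard project.
# Turns the bInterfaceClass / bInterfaceSubClass / bInterfaceProtocol lines of
# `lsusb -v` into the "cc:ss:pp" triplets USBGuard uses in with-interface sets,
# then evaluates a rule operator against that set.

# Constructed `lsusb -v` fragment for a hypothetical webcam that exposes two
# video interfaces (class 0x0E) and one audio-streaming interface (class 0x01).
SAMPLE_LSUSB='Bus 001 Device 005: ID 1234:abcd Example Webcam (constructed)
  Interface Descriptor:
    bInterfaceNumber        0
    bInterfaceClass        14 Video
    bInterfaceSubClass      1 Video Control
    bInterfaceProtocol      0
  Interface Descriptor:
    bInterfaceNumber        1
    bInterfaceClass        14 Video
    bInterfaceSubClass      2 Video Streaming
    bInterfaceProtocol      0
  Interface Descriptor:
    bInterfaceNumber        2
    bInterfaceClass         1 Audio
    bInterfaceSubClass      2 Streaming
    bInterfaceProtocol      0'

# usbguard_interfaces: read `lsusb -v` text on stdin, print one zero-padded,
# lower-case hex "cc:ss:pp" triplet per interface descriptor.
usbguard_interfaces() {
    awk '
        $1 == "bInterfaceClass"    { c = $2 }
        $1 == "bInterfaceSubClass" { s = $2 }
        $1 == "bInterfaceProtocol" { printf "%02x:%02x:%02x\n", c, s, $2 }
    '
}

# rule_matches OP PATTERN...: read triplets on stdin; exit 0 if the device's
# interface set satisfies `with-interface OP { PATTERN... }`.  Patterns use
# "*" wildcards per field, as in the rules file.  Operator semantics are my
# reading of the usbguard-rules manual (assumption; verify against usbguard):
#   one-of  - some device interface matches some pattern
#   all-of  - every pattern is matched by some device interface
#   none-of - no device interface matches any pattern
#   equals  - all-of, and every device interface matches some pattern
rule_matches() {
    rop=$1; shift
    awk -v op="$rop" -v pats="$*" '
        function match1(iface, pat,   d, p, i) {
            split(iface, d, ":"); split(pat, p, ":")
            for (i = 1; i <= 3; i++) if (p[i] != "*" && p[i] != d[i]) return 0
            return 1
        }
        BEGIN { np = split(pats, PAT, " ") }
        { dev[++nd] = $0 }
        END {
            any = 0; all_pat = 1; all_dev = 1
            for (j = 1; j <= np; j++) {
                hit = 0
                for (i = 1; i <= nd; i++) if (match1(dev[i], PAT[j])) hit = 1
                if (hit) any = 1; else all_pat = 0
            }
            for (i = 1; i <= nd; i++) {
                hit = 0
                for (j = 1; j <= np; j++) if (match1(dev[i], PAT[j])) hit = 1
                if (!hit) all_dev = 0
            }
            if (op == "one-of")  exit (any ? 0 : 1)
            if (op == "all-of")  exit (all_pat ? 0 : 1)
            if (op == "none-of") exit (any ? 1 : 0)
            if (op == "equals")  exit ((all_pat && all_dev) ? 0 : 1)
            print "unknown operator: " op > "/dev/stderr"; exit 2
        }
    '
}

# Demonstration: list the triplets, then compare the two block-rule spellings.
printf '%s\n' "$SAMPLE_LSUSB" | usbguard_interfaces
for op in one-of equals; do
    if printf '%s\n' "$SAMPLE_LSUSB" | usbguard_interfaces | rule_matches "$op" '0e:*:*'; then
        echo "reject with-interface $op { 0e:*:* }  -> would reject the webcam"
    else
        echo "reject with-interface $op { 0e:*:* }  -> would NOT reject it"
    fi
done
```

On a real system, replace the constructed sample with `lsusb -v -d 0e8d:7612 | usbguard_interfaces` (the ID from the Alfa adapter post above) to see exactly which triplets a device exposes, and compare against `usbguard list-devices`, which prints the same `with-interface` set the daemon itself sees.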