The manpage man usbguard-rules.conf lists more rules and documentation then the USBGuard Rule Language on their webpage.
usbguard-rules.conf(5) — usbguard — Debian bookworm — Debian Manpages
1 Like
Some devices other than storage devices are allowed by the configuration as detailed above. In particular, keyboards and mice can be attached if no other USB keyboard or mouse is attached yet. Additionally, camera and audio devices are now allowed.
vim /usr/lib/systemd/system/usbguard.service shows that USBGuard is WantedBy=basic.target, which means it starts pretty early in the boot process (after the core system is operational but before users can log in and a graphical session appears). It might not finish initializing by the time login prompts appear and a GUI works, but it starts early.
Good to know, thank you!
1 Like
usbguard-notifier will be installed by default in Kicksecure 18 and above.
1 Like
lol no disrespect but you can also do sudo usbguard list-devices -v
So much intriguing lore in this discussion.
Here is my 2cents, I think bluetooth USB class should either be rejected altogether or a commented out line that rejects them should be there for common ground like other of the lines in configs related to bluetooth. Since kicksecure doesn’t disable bluetooth altogether it does have lines that do if you need to.
The Wireless Controller base class 0xE0 defines a small set of standard subclasses. 0x01 appears to almost always be bluetooth and 0x02 for USB devices that implement a (IEEE 802.11) WiFi radio interface. How would go about rejecting the 0x01 subclass while allowing the 0x02 subclass without outright rejecting the whole wireless controller class 0xe0 