#
# USBGuard daemon configuration.
#
# One Key=Value setting per line; lines starting with '#' are
# comments. Most settings here are security relevant: the implicit
# policy, the present/inserted device policies and the IPC access
# settings together decide who may (de)authorize USB devices and
# what happens to devices that the rule set does not cover.
#

#
# Rule set file path.
#
# The USBGuard daemon will use this file to load the policy
# rule set from it and to write new rules received via the
# IPC interface.
#
# Because the daemon writes to this file, keep it owned by and
# writable only by root: anyone who can edit it can change the
# USB policy without going through the IPC access controls below.
#
# RuleFile=/path/to/rules.conf
#
RuleFile=/etc/usbguard/rules.conf


#
# Implicit policy target.
#
# How to treat devices that don't match any rule in the
# policy. One of:
#
# * allow - authorize the device
# * block - block the device
# * reject - remove the device
#
# 'block' gives a deny-by-default policy: only devices explicitly
# allowed by a rule are authorized. 'allow' turns the rule set into
# a deny-list, which is considerably weaker.
#
ImplicitPolicyTarget=block


#
# Present device policy.
#
# How to treat devices that are already connected when the
# daemon starts. One of:
#
# * allow - authorize every present device
# * block - deauthorize every present device
# * reject - remove every present device
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
#                  device
#
# Note that 'allow' authorizes everything plugged in before the
# daemon started without consulting the rule set; 'apply-policy'
# subjects those devices to the same rules as newly inserted ones.
#
PresentDevicePolicy=apply-policy


#
# Present controller policy.
#
# How to treat USB controllers that are already connected
# when the daemon starts. One of:
#
# * allow - authorize every present controller
# * block - deauthorize every present controller
# * reject - remove every present controller
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
#                  controller
#
PresentControllerPolicy=keep


#
# Inserted device policy.
#
# How to treat USB devices that are connected *after* the
# daemon has started (i.e. newly inserted devices). One of:
#
# * block - deauthorize the inserted device
# * reject - remove the inserted device
# * apply-policy - evaluate the ruleset for the inserted
#                  device
#
InsertedDevicePolicy=apply-policy


#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
# instances. Using this setting, you can control whether the
# daemon will try to restore the attribute values to the state
# before modification on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
# daemon (via a local exploit or via a USB device) to make it shutdown
# and restore to the operating-system default state (known to be permissive).
# 'false' (the value used here) leaves the restrictive controller
# state in place when the daemon stops.
#
RestoreControllerDeviceState=false


#
# Device manager backend
#
# Which device manager backend implementation to use. One of:
#
# * uevent - Netlink based implementation which uses sysfs to scan for present
#            devices and an uevent netlink socket for receiving USB device
#            related events.
# * dummy - A dummy device manager which simulates several devices and device
#           events. Useful for testing.
#
# 'dummy' does not observe real USB devices, so it must not be used
# on a system that relies on USBGuard for protection.
#
DeviceManagerBackend=uevent


#!!! WARNING: It's good practice to set at least one of the !!!
#!!! two options below. If neither of them is set,          !!!
#!!! the daemon will accept IPC connections from            !!!
#!!! anyone, thus allowing anyone to modify the             !!!
#!!! rule set and (de)authorize USB devices.                !!!

#
# Users allowed to use the IPC interface.
#
# A space delimited list of usernames that the daemon will
# accept IPC connections from.
#
# Every user listed here can modify the rule set and (de)authorize
# devices. Keep the list to root (as here) unless a dedicated
# administrative account needs it; when only a subset of privileges
# is required, use IPCAccessControlFiles below instead.
#
# IPCAllowedUsers=username1 username2 ...
#
IPCAllowedUsers=root


#
# Groups allowed to use the IPC interface.
#
# A space delimited list of groupnames that the daemon will
# accept IPC connections from.
#
# Left empty here, so no group is granted access; IPC access is
# then limited to the users listed above and to whatever the
# access control files below define.
#
# IPCAllowedGroups=groupname1 groupname2 ...
#
IPCAllowedGroups=


#
# IPC access control definition files path.
#
# The files at this location will be interpreted by the daemon
# as access control definition files. The (base)name of a file
# should be in the form:
#
# [user][:<group>]
#
# and should contain lines in the form:
#
# <section>=[privilege] ...
#
# This way each file defines who is able to connect to the IPC
# bus and what privileges they have.
#
# These files grant IPC access in addition to IPCAllowedUsers and
# IPCAllowedGroups, so the directory and its contents should be
# writable only by root and reviewed together with those settings.
#
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/


#
# Generate device specific rules including the "via-port"
# attribute.
#
# This option modifies the behavior of the allowDevice
# action. When instructed to generate a permanent rule,
# the action can generate a port specific rule. Because
# some systems have unstable port numbering, the generated
# rule might not match the device after rebooting the system.
#
# If set to false, the generated rule will still contain
# the "parent-hash" attribute which also defines an association
# to the parent device. See usbguard-rules.conf(5) for more
# details.
#
DeviceRulesWithPort=false


#
# USBGuard Audit events log backend
#
# One of:
#
# * FileAudit - Log audit events into a file specified by
#               AuditFilePath setting (see below)
# * LinuxAudit - Log audit events using the Linux Audit
#                subsystem (using audit_log_user_message)
#
AuditBackend=FileAudit


#
# USBGuard audit events log file path.
#
# Used by the FileAudit backend. The daemon needs write access to
# this path; keep the log directory non-writable for unprivileged
# users so that the audit trail cannot be altered or removed.
#
AuditFilePath=/var/log/usbguard/usbguard-audit.log
