Hardening the Linux USB subsystem

August 4, 2023

"The USBGuard software framework helps to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing basic whitelisting and blacklisting capabilities based on device attributes." (source: the USBGuard project)

Basically, USBGuard prevents all unauthorized USB devices from connecting to your machine.

Start by installing it, if you’re running Ubuntu, Debian or other Debian-based distros:

$ sudo apt install usbguard

Or, if you’re running Fedora:

$ sudo dnf install usbguard

Make sure all USB devices that you want to be allowed by default to connect to your system are plugged in (don’t worry about the built-in USB devices, like your laptop webcam or Bluetooth module, they get whitelisted automatically), and generate the default policy:

$ sudo sh -c "usbguard generate-policy > /etc/usbguard/rules.conf"

Note

A simpler sudo usbguard generate-policy > /etc/usbguard/rules.conf command won’t work (you will get a Permission denied error) simply because of the way redirection (>, >>, also piping with |) works in Linux: it’s done by the current shell and always performed as the current user regardless of the sudo part.
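
Before starting the daemon, it is worth checking what the generated policy allows. The following is an added example, not part of the original article or of USBGuard itself: it lists every allowed device that exposes a HID interface, so you can confirm your keyboard and mouse are in the policy and spot storage devices that also present themselves as input devices. The function names and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example: review a USBGuard policy before the daemon enforces it.
# Prints NAME<TAB>VID:PID<TAB>FLAG for every "allow" rule with a HID interface:
#   hid          device has a Human Interface Device interface (USB class 03)
#   hid+storage  same device also exposes mass storage (class 08); check it
# Usage (as root): review_policy /etc/usbguard/rules.conf
review_policy() {
    awk '
    $1 == "allow" {
        id = ($2 == "id") ? $3 : "?"
        name = "?"; ifs = ""
        if (match($0, /name "[^"]*"/))
            name = substr($0, RSTART + 6, RLENGTH - 7)
        # with-interface holds one value or a { ... } list of class:subclass:protocol
        if (match($0, /with-interface [{][^}]*[}]/) || match($0, /with-interface [^ ]+/))
            ifs = substr($0, RSTART, RLENGTH)
        hid = (ifs ~ /[ {]03:/)
        storage = (ifs ~ /[ {]08:/)
        if (hid) printf "%s\t%s\t%s\n", name, id, (storage ? "hid+storage" : "hid")
    }' "$@"
}

# Constructed sample rules (not from a real machine), shaped like the
# output of "usbguard generate-policy"; hashes are placeholders.
sample_rules() {
    cat <<'EOF'
allow id 1111:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "HASH1" parent-hash "HASH0" with-interface 09:00:00 with-connect-type ""
allow id 2222:c31c serial "" name "USB Keyboard" hash "HASH2" parent-hash "HASH1" via-port "1-2" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
allow id 3333:5567 serial "X1" name "Flash Drive" hash "HASH3" parent-hash "HASH1" with-interface { 08:06:50 03:01:01 } with-connect-type "hotplug"
allow id 4444:1666 serial "Y2" name "Data Stick" hash "HASH4" parent-hash "HASH1" with-interface 08:06:50 with-connect-type "hotplug"
EOF
}

sample_rules | review_policy
```

With no file argument the function reads rules from standard input, which is how the sample above is fed to it.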

If your Linux distro has systemd, start the usbguard service and enable it on startup:

$ sudo systemctl start usbguard
$ sudo systemctl enable usbguard

Or, if your Linux distro uses System-V style init scripts (whoop whoop Devuan), use update-rc.d:

$ sudo update-rc.d usbguard defaults

Whenever you want to allow a new device, plug it into a USB port and use:

$ sudo usbguard list-devices
8: allow id ...
9: allow id ...
14: block id ...

to find the device's number, shown at the start of its line (here 14, the one marked block). Now you can allow this specific device to connect to your system temporarily:

$ sudo usbguard allow-device 14

Or if you want to allow it permanently:

$ sudo usbguard allow-device 14 -p

Done.