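#!/bin/bash
# Interactive USBGuard example: walk through creating a custom rule file that
# allows only mass storage devices, granting the usbguard group IPC access to
# the daemon, and installing the resulting policy.
#
# Usage: usbguard-example.sh [user]
#   user  account to add to the usbguard group (default: usbuser)
#
# Every "run" step below modifies system state (group membership, the daemon
# config, the installed rules, the running service), so the script refuses to
# run unprivileged and aborts on the first failing command instead of
# installing a half-built policy. Whether devices that match no rule are
# blocked depends on the daemon's implicit policy target — assumed here to be
# block; confirm in usbguard-daemon.conf.
set -euo pipefail

usb_user=${1:-usbuser}
readonly usb_user

TextReset='\033[0m'
TextGreen='\033[32m'
TextBlue='\033[34m'
TextLightGrey='\033[37m'
TextBold='\033[1m'
FormatTextPause="$TextReset $TextLightGrey"        # Pause & continue
FormatTextCommands="$TextReset $TextGreen"         # Commands to execute
FormatTextSyntax="$TextReset $TextBlue $TextBold"  # Command Syntax & other text

#######################################
# Print an error to stderr and abort; the EXIT trap restores the terminal format.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print text in the given format. %b interprets the escape sequences held in
# the Text* constants (what the former "echo -e" did).
# Arguments: $1 - format string (one of the FormatText* values), $* - text
#######################################
say() {
  local fmt=$1
  shift
  printf '%b %b\n' "$fmt" "$*"
}

#######################################
# Switch the terminal back to the default format before a real command runs,
# so its own output is not coloured.
#######################################
reset_format() {
  printf '%b\n' "$TextReset"
}

#######################################
# Pause & continue. "Any key" means Enter, which is what read waits for; with
# a closed stdin (non-interactive run) the script stops here rather than
# running the system-changing steps unattended.
#######################################
pause() {
  printf '%b\n' "$FormatTextPause"
  read -r -p "<-- Press any key to continue -->" _ || die "no input available; aborting"
}

# Reset text format on every exit path (normal end, die, or a signal).
trap 'printf "%b\n" "$TextReset"' EXIT
trap 'exit 1' HUP INT QUIT TERM

[[ $EUID -eq 0 ]] || die "this script changes system configuration and must run as root"
command -v usbguard >/dev/null || die "usbguard is not installed"

clear
say "$FormatTextSyntax" "
Example Configuration:
* Create a custom rule file
* Only allow mass storage devices, block everything else
* Only allow members of usbguard group to use USB devices
"
pause

say "$FormatTextSyntax" "
Step One: Create /root/new-rule.conf with this content which blocks any device that
is not just a mass storage device. Devices with a hidden keyboard interface
in a USB flash disk are blocked. Only devices with a single mass storage
interface are allowed to interact with the operating system.
"
say "$FormatTextCommands" "
allow with-interface equals { 08:*:* }
"
pause
reset_format
# Plain %s: the rule contains no escape sequences, so no -e style processing is wanted.
printf '%s\n' 'allow with-interface equals { 08:*:* }' >/root/new-rule.conf
cat /root/new-rule.conf
pause

say "$FormatTextSyntax" "
Step Two: Allow users from the usbguard group to modify USB device authorization state,
list USB devices, listen to exception events, and list USB authorization policy.
"
say "$FormatTextCommands" "
Modify /etc/usbguard/usbguard-daemon.conf, add group (usbguard in this example) to IPCAllowedGroups
IPCAllowedGroups=usbguard
"
pause
reset_format
# groupadd fails if the group already exists; re-running the example must not abort here.
getent group usbguard >/dev/null || groupadd usbguard
id "$usb_user"
# -a appends to the supplementary groups; plain -G would replace the user's other groups.
usermod -aG usbguard "$usb_user"
id "$usb_user"
# Only fills in an empty IPCAllowedGroups; an existing value is never overwritten.
sed -i 's/^IPCAllowedGroups=$/IPCAllowedGroups=usbguard/' /etc/usbguard/usbguard-daemon.conf
grep -q '^IPCAllowedGroups=.*usbguard' /etc/usbguard/usbguard-daemon.conf \
  || die "IPCAllowedGroups in /etc/usbguard/usbguard-daemon.conf was not set to usbguard (key missing or already holding another value); add usbguard to it by hand and re-run"

say "$FormatTextSyntax" "
Step Three: Install the new rules
"
say "$FormatTextCommands" "
# usbguard generate-policy > /root/rules.conf
# cat /root/new-rule.conf >> /root/rules.conf
# install -m 0600 -o root -g root /root/rules.conf /etc/usbguard/rules.conf
# systemctl restart usbguard
"
pause
reset_format
usbguard generate-policy > /root/rules.conf
# An empty generated policy would leave the custom rule as the only allow rule;
# refuse to install it rather than cut off the devices currently in use.
[[ -s /root/rules.conf ]] || die "usbguard generate-policy produced no rules; not installing a policy without rules for the attached devices"
cat /root/new-rule.conf >> /root/rules.conf
install -m 0600 -o root -g root /root/rules.conf /etc/usbguard/rules.conf
systemctl restart usbguard

say "$FormatTextCommands" "
View updated rules via:
# usbguard list-rules
"
pause
reset_format
usbguard list-rules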