Skip to content

USBLockout monitors your user session and triggers Grsecurity Deny New USB feature.

License

Notifications You must be signed in to change notification settings

subgraph/usblockout

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Session USB Lockout

You're in a place that is relatively safe, say your local hackerspace. You need to leave your computer out of sight for a small amount of time, the space is safe enough that you are not worried about it being stolen, but not enough that someone couldn't attempt a quick drive-by USB attack.

This program provides a way to toggle Grsecurity Deny New USB feature with the state of a user session. That is, it will automatically enable the feature when the screen is locked or the session exits, and vice versa.

It consists of a privileged daemon that exposes itself on the dbus system bus; and a client daemon which runs in the user session via xdg-autostart, and relays the session screen-lock events on the system bus.

The client utility also allows the user to enable or disable the feature manually by calling:

usblockout --[enable|disable]

Caveats

Beware! If you use some sort of USB device (ex: a YubiKey) for PAM logins, login will be entirely broken! One workaround for this is to plug in the USB device at boot (before the daemon launches), or before switching to a different tty. Devices like smartcards, which have readers that are always plugged in, should work as expected.

This, of course only works if Grsecurity sysctl is enabled and not locked.

Building & Packaging

Provided in this repository is a debian branch which is used to build a deb package from git tags:

git checkout -b debian https://github.com/subgraph/usblockout.git
cd usblockout
gbp buildpackage -us -uc
dpkg -i /tmp/subgraph-usblockout_#VERSION#.deb

You will need to either log out and log back in, or launch usblockout (for example via alt-F2) after the install.

To run without without the xdg autostart and systemd service (when you are debugging or for development) you will want to run the daemon in one terminal with sudo ./usblockoutd --debug and the client in another with ./usblockout --debug.

About

USBLockout monitors your user session and triggers Grsecurity Deny New USB feature.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages