USBGuard is handy when your system is in an exposed environment. For instance, somebody could connect their USB drive to an unattended or public computer. One option is to remove or disable exposed USB ports physically. However, this solution becomes impractical if you need the USB ports for legitimate USB devices. USBGuard can be used to create an allowlist of authorized USB devices.
After installation, you must enable the USBGuard service. In your terminal, enter sudo systemctl start usbguard and sudo systemctl enable usbguard. By default, USBGuard allows all USB devices that are currently connected to your machine. The initial allowlist includes internal USB devices!
In your terminal, enter usbguard list-devices to see all USB devices that are connected to the system.
If you connect another USB device to the machine, USBGuard blocks it by default. Enter usbguard list-devices -b. USBGuard should list the blocked device. You can enter usbguard allow-device [id] to allow the device. Moreover, you can enter usbguard block-device [id] to block an authorized device on the allowlist.
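Because every device that was connected when the service first started ends up on the allowlist, it is worth checking what each entry is before you rely on it. The following is an added example, not part of the original article or the USBGuard project: it condenses usbguard list-devices output into one line per device and marks mass-storage devices that are on the allowlist. The function names and the sample lines are constructed, and the parser assumes the usual list-devices rule format.

```shell
#!/bin/sh
# Added example: summarise `usbguard list-devices` output read from stdin.
# Output per device: number|target|vid:pid|interface types|name|note
summarize_devices() {
    awk '
    BEGIN { label["03"] = "hid"; label["08"] = "storage"; label["09"] = "hub" }
    $2 == "allow" || $2 == "block" || $2 == "reject" {
        num = $1; sub(/:$/, "", num)  # number taken by allow-device/block-device
        name = ""
        if (match($0, /name "[^"]*"/))
            name = substr($0, RSTART + 6, RLENGTH - 7)
        # Collect the class byte of each interface listed after with-interface.
        types = ""; seen = 0; split("", had)
        for (i = 5; i <= NF; i++) {
            if ($i == "with-interface") { seen = 1; continue }
            if ($i == "with-connect-type") break
            if (seen && $i ~ /^[0-9A-Fa-f][0-9A-Fa-f]:/) {
                c = tolower(substr($i, 1, 2))
                t = (c in label) ? label[c] : "class-" c
                if (!(t in had)) {
                    had[t] = 1
                    types = types (types == "" ? "" : ",") t
                }
            }
        }
        note = "-"
        if ($2 != "allow") note = "not-authorized"
        else if ("storage" in had) note = "review:storage-on-allowlist"
        printf "%s|%s|%s|%s|%s|%s\n", num, $2, $4, types, name, note
    }'
}

# Constructed sample output (IDs, names and hashes are placeholders).
sample_list_devices() {
    cat <<'EOF'
1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "PLACEHOLDER1=" parent-hash "PLACEHOLDER0=" via-port "usb1" with-interface 09:00:00 with-connect-type ""
4: allow id 1234:0001 serial "" name "Example Keyboard" hash "PLACEHOLDER2=" parent-hash "PLACEHOLDER1=" via-port "1-2" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
5: allow id 1234:0002 serial "CONSTRUCTED-A" name "Example Flash Drive A" hash "PLACEHOLDER3=" parent-hash "PLACEHOLDER1=" via-port "1-3" with-interface 08:06:50 with-connect-type "hotplug"
9: block id 1234:0003 serial "CONSTRUCTED-B" name "Example Flash Drive B" hash "PLACEHOLDER4=" parent-hash "PLACEHOLDER1=" via-port "1-4" with-interface 08:06:50 with-connect-type "hotplug"
EOF
}

# Runs on the sample; on a real system: usbguard list-devices | summarize_devices
sample_list_devices | summarize_devices
```

In the sample, device 5 is a flash drive that was plugged in when the allowlist was first created, so it shows up as allowed and is the kind of entry you would then remove with usbguard block-device 5.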
USBGuard allows you to define rules specific to the USB ports of your machine. You can also set user- or group-specific rules. We may cover this in an upcoming article.
- USBGuard