212 lines
6.3 KiB
Plaintext
212 lines
6.3 KiB
Plaintext
#
|
|
# Rule set file path.
|
|
#
|
|
# The USBGuard daemon will use this file to load the policy
|
|
# rule set from it and to write new rules received via the
|
|
# IPC interface.
|
|
#
|
|
# RuleFile=/path/to/rules.conf
|
|
#
|
|
RuleFile=/etc/usbguard/rules.conf
|
|
|
|
#
|
|
# Rule set folder path.
|
|
#
|
|
# The USBGuard daemon will use this folder to load the policy
|
|
# rule set from it and to write new rules received via the
|
|
# IPC interface. Usually, we set the option to
|
|
# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
|
|
# behave like any other standard Linux daemon therefore it
|
|
# loads rule files in alpha-numeric order. File names inside
|
|
# RuleFolder directory should start with a two-digit number
|
|
# prefix indicating the position, in which the rules are
|
|
# scanned by the daemon.
|
|
#
|
|
# RuleFolder=/path/to/rulesfolder/
|
|
#
|
|
RuleFolder=/etc/usbguard/rules.d/
|
|
|
|
#
|
|
# Implicit policy target.
|
|
#
|
|
# How to treat devices that don't match any rule in the
|
|
# policy. One of:
|
|
#
|
|
# * allow - authorize the device
|
|
# * block - block the device
|
|
# * reject - remove the device
|
|
#
|
|
ImplicitPolicyTarget=block
|
|
|
|
#
|
|
# Present device policy.
|
|
#
|
|
# How to treat devices that are already connected when the
|
|
# daemon starts. One of:
|
|
#
|
|
# * allow - authorize every present device
|
|
# * block - deauthorize every present device
|
|
# * reject - remove every present device
|
|
# * keep - just sync the internal state and leave it
|
|
# * apply-policy - evaluate the ruleset for every present
|
|
# device
|
|
#
|
|
PresentDevicePolicy=apply-policy
|
|
|
|
#
|
|
# Present controller policy.
|
|
#
|
|
# How to treat USB controllers that are already connected
|
|
# when the daemon starts. One of:
|
|
#
|
|
# * allow - authorize every present device
|
|
# * block - deauthorize every present device
|
|
# * reject - remove every present device
|
|
# * keep - just sync the internal state and leave it
|
|
# * apply-policy - evaluate the ruleset for every present
|
|
# device
|
|
#
|
|
PresentControllerPolicy=keep
|
|
|
|
#
|
|
# Inserted device policy.
|
|
#
|
|
# How to treat USB devices that are already connected
|
|
# *after* the daemon starts. One of:
|
|
#
|
|
# * block - deauthorize every present device
|
|
# * reject - remove every present device
|
|
# * apply-policy - evaluate the ruleset for every present
|
|
# device
|
|
#
|
|
InsertedDevicePolicy=apply-policy
|
|
|
|
#
|
|
# Control which devices are authorized by default.
|
|
#
|
|
# The USBGuard daemon modifies some the default authorization state attributes
|
|
# of controller devices. This setting, enables you to define what value the
|
|
# default authorization is set to.
|
|
#
|
|
# * keep - do not change the authorization state
|
|
# * none - every new device starts out deauthorized
|
|
# * all - every new device starts out authorized
|
|
# * internal - internal devices start out authorized, external devices start
|
|
# out deauthorized (this requires the ACPI tables to properly
|
|
# label internal devices, and kernel support)
|
|
#
|
|
#AuthorizedDefault=none
|
|
|
|
#
|
|
# Restore controller device state.
|
|
#
|
|
# The USBGuard daemon modifies some attributes of controller
|
|
# devices like the default authorization state of new child device
|
|
# instances. Using this setting, you can control whether the
|
|
# daemon will try to restore the attribute values to the state
|
|
# before modification on shutdown.
|
|
#
|
|
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
|
|
# policy could be bypassed by performing some sort of attack on the
|
|
# daemon (via a local exploit or via a USB device) to make it shutdown
|
|
# and restore to the operating-system default state (known to be permissive).
|
|
#
|
|
RestoreControllerDeviceState=false
|
|
|
|
#
|
|
# Device manager backend
|
|
#
|
|
# Which device manager backend implementation to use. One of:
|
|
#
|
|
# * uevent - Netlink based implementation which uses sysfs to scan for present
|
|
# devices and an uevent netlink socket for receiving USB device
|
|
# related events.
|
|
# * umockdev - umockdev based device manager capable of simulating devices based
|
|
# on umockdev-record files. Useful for testing.
|
|
#
|
|
DeviceManagerBackend=uevent
|
|
|
|
#!!! WARNING: It's good practice to set at least one of the !!!
|
|
#!!! two options bellow. If none of them are set, !!!
|
|
#!!! the daemon will accept IPC connections from !!!
|
|
#!!! anyone, thus allowing anyone to modify the !!!
|
|
#!!! rule set and (de)authorize USB devices. !!!
|
|
|
|
#
|
|
# Users allowed to use the IPC interface.
|
|
#
|
|
# A space delimited list of usernames that the daemon will
|
|
# accept IPC connections from.
|
|
#
|
|
# IPCAllowedUsers=username1 username2 ...
|
|
#
|
|
IPCAllowedUsers=root
|
|
|
|
#
|
|
# Groups allowed to use the IPC interface.
|
|
#
|
|
# A space delimited list of groupnames that the daemon will
|
|
# accept IPC connections from.
|
|
#
|
|
# IPCAllowedGroups=groupname1 groupname2 ...
|
|
#
|
|
IPCAllowedGroups=wheel
|
|
|
|
#
|
|
# IPC access control definition files path.
|
|
#
|
|
# The files at this location will be interpreted by the daemon
|
|
# as access control definition files. The (base)name of a file
|
|
# should be in the form:
|
|
#
|
|
# [user][:<group>]
|
|
#
|
|
# and should contain lines in the form:
|
|
#
|
|
# <section>=[privilege] ...
|
|
#
|
|
# This way each file defines who is able to connect to the IPC
|
|
# bus and what privileges he has.
|
|
#
|
|
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
|
|
|
|
#
|
|
# Generate device specific rules including the "via-port"
|
|
# attribute.
|
|
#
|
|
# This option modifies the behavior of the allowDevice
|
|
# action. When instructed to generate a permanent rule,
|
|
# the action can generate a port specific rule. Because
|
|
# some systems have unstable port numbering, the generated
|
|
# rule might not match the device after rebooting the system.
|
|
#
|
|
# If set to false, the generated rule will still contain
|
|
# the "parent-hash" attribute which also defines an association
|
|
# to the parent device. See usbguard-rules.conf(5) for more
|
|
# details.
|
|
#
|
|
DeviceRulesWithPort=false
|
|
|
|
#
|
|
# USBGuard Audit events log backend
|
|
#
|
|
# One of:
|
|
#
|
|
# * FileAudit - Log audit events into a file specified by
|
|
# AuditFilePath setting (see below)
|
|
# * LinuxAudit - Log audit events using the Linux Audit
|
|
# subsystem (using audit_log_user_message)
|
|
#
|
|
AuditBackend=FileAudit
|
|
|
|
#
|
|
# USBGuard audit events log file path.
|
|
#
|
|
AuditFilePath=/var/log/usbguard/usbguard-audit.log
|
|
|
|
#
|
|
# Hides personally identifiable information such as device serial numbers and
|
|
# hashes of descriptors (which include the serial number) from audit entries.
|
|
#
|
|
#HidePII=false
|