113 lines
3.0 KiB
Plaintext
113 lines
3.0 KiB
Plaintext
#
|
|
# Rule set file path.
|
|
#
|
|
# The USBGuard daemon will use this file to load the policy
|
|
# rule set from it and to write new rules received via the
|
|
# IPC interface.
|
|
#
|
|
# RuleFile=/path/to/rules.conf
|
|
#
|
|
RuleFile=/etc/usbguard/rules.conf
|
|
|
|
#
|
|
# Implicit policy target.
|
|
#
|
|
# How to treat devices that don't match any rule in the
|
|
# policy. One of:
|
|
#
|
|
# * allow - authorize the device
|
|
# * block - block the device
|
|
# * reject - remove the device
|
|
#
|
|
ImplicitPolicyTarget=block
|
|
|
|
#
|
|
# Present device policy.
|
|
#
|
|
# How to treat devices that are already connected when the
|
|
# daemon starts. One of:
|
|
#
|
|
# * allow - authorize every present device
|
|
# * block - deauthorize every present device
|
|
# * reject - remove every present device
|
|
# * keep - just sync the internal state and leave it
|
|
# * apply-policy - evaluate the ruleset for every present
|
|
# device
|
|
#
|
|
PresentDevicePolicy=apply-policy
|
|
|
|
#
|
|
# Present controller policy.
|
|
#
|
|
# How to treat USB controllers that are already connected
|
|
# when the daemon starts. One of:
|
|
#
|
|
# * allow - authorize every present device
|
|
# * block - deauthorize every present device
|
|
# * reject - remove every present device
|
|
# * keep - just sync the internal state and leave it
|
|
# * apply-policy - evaluate the ruleset for every present
|
|
# device
|
|
#
|
|
PresentControllerPolicy=keep
|
|
|
|
#!!! WARNING: It's good practice to set at least one of the !!!
|
|
#!!! two options bellow. If none of them are set, !!!
|
|
#!!! the daemon will accept IPC connections from !!!
|
|
#!!! anyone, thus allowing anyone to modify the !!!
|
|
#!!! rule set and (de)authorize USB devices. !!!
|
|
|
|
#
|
|
# Users allowed to use the IPC interface.
|
|
#
|
|
# A space delimited list of usernames that the daemon will
|
|
# accept IPC connections from.
|
|
#
|
|
# IPCAllowedUsers=username1 username2 ...
|
|
#
|
|
IPCAllowedUsers=root
|
|
|
|
#
|
|
# Groups allowed to use the IPC interface.
|
|
#
|
|
# A space delimited list of groupnames that the daemon will
|
|
# accept IPC connections from.
|
|
#
|
|
# IPCAllowedGroups=groupname1 groupname2 ...
|
|
#
|
|
IPCAllowedGroups=wheel
|
|
|
|
#
|
|
# Generate device specific rules including the "via-port"
|
|
# attribute.
|
|
#
|
|
# This option modifies the behavior of the allowDevice
|
|
# action. When instructed to generate a permanent rule,
|
|
# the action can generate a port specific rule. Because
|
|
# some systems have unstable port numbering, the generated
|
|
# rule might not match the device after rebooting the system.
|
|
#
|
|
# If set to false, the generated rule will still contain
|
|
# the "parent-hash" attribute which also defines an association
|
|
# to the parent device. See usbguard-rules.conf(5) for more
|
|
# details.
|
|
#
|
|
DeviceRulesWithPort=false
|
|
|
|
#
|
|
# USBGuard Audit events log backend
|
|
#
|
|
# One of:
|
|
#
|
|
# * FileAudit - Log audit events into a file specified by
|
|
# AuditFilePath setting (see below)
|
|
# * LinuxAudit - Log audit events using the Linux Audit
|
|
# subsystem (using audit_log_user_message)
|
|
#
|
|
AuditBackend=FileAudit
|
|
|
|
#
|
|
# USBGuard audit events log file path.
|
|
#
|
|
AuditFilePath=/var/log/usbguard/usbguard-audit.log
|