是的
實施複雜的防火牆和其他網絡安全策略,以防止未經授權的網絡訪問用戶的台式計算機。但是,您需要阻止 USB 設備訪問。通過所需的實施,您可以配置 Linux 桌面安全策略,以保護您的計算機免受惡意 USB 設備(也稱為 BadUSB)的侵害。
給予許可
以及基於設備屬性的黑名單功能。例如,您可以定義授權哪些 USB 設備以及它們如何與您的 Linux 系統交互。例如,您可以定義一個策略,允許序列號為“XYZ”的 Yubikey 和序列號為“ABC”的 USB LTE 調製解調器。默認情況下拒絕所有其他 USB 設備訪問。
安裝 USBGuard 和其他實用程序
USBGuard 僅適用於 Linux。以下教程不適用於 *BSD 或 macOS 等其他操作系統。
根據您的 Linux 發行版,您應該按如下方式安裝 USBGuard:
Debian/Ubuntu 或 Linux Mint
在 Debian/Ubuntu 或 Linux mint 上使用 apt 或 apt-get 命令。$ sudo apt install usbguard usbutils udisks2
[sudo] password for vivek: Reading package lists... Done Building dependency tree Reading state information... Done usbutils is already the newest version (1:012-2). udisks2 is already the newest version (2.8.4-1ubuntu2). The following packages were automatically installed and are no longer required: linux-headers-5.4.0-84 linux-headers-5.4.0-84-generic linux-image-5.4.0-84-generic linux-modules-5.4.0-84-generic linux-modules-extra-5.4.0-84-generic Use 'sudo apt autoremove' to remove them. The following additional packages will be installed: libqb0 libumockdev0 libusbguard0 The following NEW packages will be installed: libqb0 libumockdev0 libusbguard0 usbguard 0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded. Need to get 580 kB of archives. After this operation, 2,131 kB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 https://archive.ubuntu.com/ubuntu focal/main amd64 libqb0 amd64 1.0.5-1 [63.9 kB] Get:2 https://archive.ubuntu.com/ubuntu focal-updates/universe amd64 libumockdev0 amd64 0.14.1-1ubuntu0.1 [34.2 kB] Get:3 https://archive.ubuntu.com/ubuntu focal/universe amd64 libusbguard0 amd64 0.7.6+ds-1build1 [350 kB] Get:4 https://archive.ubuntu.com/ubuntu focal/universe amd64 usbguard amd64 0.7.6+ds-1build1 [132 kB] Fetched 580 kB in 3s (229 kB/s) Selecting previously unselected package libqb0:amd64. (Reading database ... 419085 files and directories currently installed.) Preparing to unpack .../libqb0_1.0.5-1_amd64.deb ... Unpacking libqb0:amd64 (1.0.5-1) ... Selecting previously unselected package libumockdev0:amd64. Preparing to unpack .../libumockdev0_0.14.1-1ubuntu0.1_amd64.deb ... Unpacking libumockdev0:amd64 (0.14.1-1ubuntu0.1) ... Selecting previously unselected package libusbguard0. Preparing to unpack .../libusbguard0_0.7.6+ds-1build1_amd64.deb ... Unpacking libusbguard0 (0.7.6+ds-1build1) ... Selecting previously unselected package usbguard. Preparing to unpack .../usbguard_0.7.6+ds-1build1_amd64.deb ... Unpacking usbguard (0.7.6+ds-1build1) ... Setting up libqb0:amd64 (1.0.5-1) ... Setting up libumockdev0:amd64 (0.14.1-1ubuntu0.1) ... Setting up libusbguard0 (0.7.6+ds-1build1) ... Setting up usbguard (0.7.6+ds-1build1) ... Created symlink /etc/systemd/system/dbus-org.usbguard.service → /lib/systemd/system/usbguard-dbus.service. Created symlink /etc/systemd/system/multi-user.target.wants/usbguard-dbus.service → /lib/systemd/system/usbguard-dbus.service. Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /lib/systemd/system/usbguard.service. Processing triggers for systemd (245.4-4ubuntu3.13) ... Processing triggers for man-db (2.9.1-1) ... Processing triggers for dbus (1.12.16-2ubuntu2.1) ... Processing triggers for libc-bin (2.31-0ubuntu9.3) ...
Fedora 或 RHEL 和朋友
對於 FedoraRHEL 和克隆,使用 dnf 命令。$ sudo dnf install usbguard usbutils udisks2
SUSE/打開 SUSE Linux
對於 SUSE Enterprise Linux 或 OpenSUSE Linux 用戶,請嘗試以下 zypper 命令。$ sudo zypper in usbguard usbutils udisks2 usbguard-tools
Loading repository data... Reading installed packages... Resolving package dependencies... The following 5 NEW packages are going to be installed: udisks2 udisks2-lang usbguard usbguard-tools usbutils The following recommended package was automatically selected: udisks2-lang 5 new packages to install. Overall download size: 725.3 KiB. Already cached: 0 B. After the operation, additional 3.0 MiB will be used. Continue? [y/n/v/...? shows all options] (y): y Retrieving package udisks2-2.8.1-1.39.x86_64 (1/5), 261.9 KiB (929.5 KiB unpacked) Retrieving: udisks2-2.8.1-1.39.x86_64.rpm ..............................[done] Retrieving package usbguard-0.7.8-bp153.1.19.x86_64 (2/5), 122.1 KiB (314.0 KiB unpacked) Retrieving: usbguard-0.7.8-bp153.1.19.x86_64.rpm .......................[done] Retrieving package udisks2-lang-2.8.1-1.39.noarch (3/5), 163.3 KiB ( 1.2 MiB unpacked) Retrieving: udisks2-lang-2.8.1-1.39.noarch.rpm .........................[done] Retrieving package usbguard-tools-0.7.8-bp153.1.19.x86_64 (4/5), 66.1 KiB (179.7 KiB unpacked) Retrieving: usbguard-tools-0.7.8-bp153.1.19.x86_64.rpm .................[done] Retrieving package usbutils-014-3.3.1.x86_64 (5/5), 111.9 KiB (362.2 KiB unpacked) Retrieving: usbutils-014-3.3.1.x86_64.rpm ..............................[done] Checking for file conflicts: ...........................................[done] (1/5) Installing: udisks2-2.8.1-1.39.x86_64 ............................[done] (2/5) Installing: usbguard-0.7.8-bp153.1.19.x86_64 .....................[done] (3/5) Installing: udisks2-lang-2.8.1-1.39.noarch .......................[done] (4/5) Installing: usbguard-tools-0.7.8-bp153.1.19.x86_64 ...............[done] (5/5) Installing: usbutils-014-3.3.1.x86_64 ............................[done]
控制 usbguard 服務
使用 systemctl 命令在啟動時配置 usbguard 服務,或者在應用新策略時重新啟動。語法是:$ sudo systemctl enable usbguard.service --now
$ sudo systemctl start usbguard.service
$ sudo systemctl stop usbguard.service
$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service
列出當前的 USB 設備
使用 lsusb 或 usb-devices 命令顯示有關係統中 USB 總線和連接到它們的設備的信息。例如:$ lsusb
$ usb-devices | less
想要了解連接到系統的 USB 設備的圖形概覽嗎?試試:
$ sudo usbview
查看 USBGuard 規則
然後以 root 身份切換到 /etc/usbguard 目錄。 以 root 用戶身份登錄。$ sudo -i
### OR ###
$ su -
列出文件並查找 rules.conf 文件。$ ls -l
total 16 drwxr-xr-x. 2 root root 4096 Mar 31 13:32 IPCAccessControl.d -rw-------. 1 root root 0 Mar 31 13:32 rules.conf drwxr-xr-x. 2 root root 4096 Mar 31 13:32 rules.d -rw-------. 1 root root 5366 Mar 31 12:57 usbguard-daemon.conf
規則類型:
每個 USB 設備都有三種類型的定位規則:
- 給予許可 – 授權 USB 設備。
- 堵塞 – 不允許使用 USB 設備,但係統可以使用 lsusb 命令查看。但是,用戶無法使用 USB 設備,因為它們在系統管理員允許之前被阻止。 (塊設備)
- 拒絕 – USB 設備未經認證。該設備對系統或用戶是不可見的。 要再次查看 USB 設備,您需要重新連接它。 (拒絕設備)
關於 /etc/usbguard/usbguard-daemon.conf
usbguard 服務從名為 /etc/usbguard/usbguard-daemon.conf 的文件中讀取默認值和選項。$ sudo less /etc/usbguard/usbguard-daemon.conf
$ sudo grep -vE '^#|^$' /etc/usbguard/usbguard-daemon.conf
輸出:
RuleFile=/etc/usbguard/rules.conf ImplicitPolicyTarget=block PresentDevicePolicy=apply-policy PresentControllerPolicy=keep InsertedDevicePolicy=apply-policy AuthorizedDefault=none RestoreControllerDeviceState=false DeviceManagerBackend=uevent IPCAllowedUsers=root IPCAllowedGroups=root plugdev IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ DeviceRulesWithPort=false AuditBackend=FileAudit AuditFilePath=/var/log/usbguard/usbguard-audit.log
| 選項 | 解釋 |
|---|---|
| 規則文件 = 路徑 | USBGuard 守護程序使用此文件加載策略規則集並寫入通過 IPC 接口接收的新規則。 |
| ImplicitPolicyTarget=目標 | 如何處理與策略中的任何規則都不匹配的 USB 設備。目標必須允許、阻止或拒絕(從系統中刪除設備節點)。 |
| PresentDevicePolicy=策略 | 守護程序啟動時如何處理連接的 USB 設備。該策略必須是允許、阻止、拒絕、保留(使設備保持當前狀態)或應用策略(評估每個當前設備的一組規則)。 |
| PresentControllerPolicy=策略 | 守護程序啟動時如何處理連接的 USB 控制器設備。允許、阻止、拒絕、暫停或應用策略。 |
| InsertedDevicePolicy=策略 | 如何處理守護程序啟動後連接的 USB 設備。阻止、拒絕或應用策略。 |
| RestoreControllerDeviceState=布爾值 | USBGuard 守護進程修改控制器設備的一些屬性,例如新子設備實例的默認授權狀態。此設置允許您控制守護程序在關閉時是否嘗試將屬性值恢復到其更改前的狀態。 |
| DeviceManagerBackend=後端 | 要使用的設備管理器後端實現。後端必須是 uevent(默認)或 umockdev。 |
| IPCAllowedUsers=用戶名 [username …] | 以空格分隔的用戶名列表,守護程序將接受其 IPC 連接。 |
| IPCAllowedGroups=組名 [groupname …] | 守護進程接受 IPC 連接的組名的空格分隔列表。 |
| IPCAccessControlFiles=路徑 | 此位置中的文件被守護程序解釋為 IPC 訪問控制定義文件。有關詳細信息,請參閱 IPC 訪問控制部分。 |
| DeviceRulesWithPort=布爾值 | 生成包含“via-port”屬性的設備特定規則。 |
| AuditBackend=後端 | USBGuard 審核事件日誌記錄後端。後端值必須是 FileAudit 或 LinuxAudit。 |
| AuditFilePath=文件路徑 | USBGuard 審核事件日誌文件的路徑。 如果 AuditBackend 設置為 FileAudit,則為必需。 |
創建基本默認策略
如果 rules.conf 文件為空或者您需要設置新策略,請運行以下命令。
幾乎所有的 Linux 發行版都沒有規則。所以文件是空的。要生成授權當前連接的 USB 設備的規則集(策略),請運行以下命令:$ sudo usbguard generate-policy -X >/etc/usbguard/rules.conf
包羅萬象的策略配置步驟
默認的最後一條規則應該是拒絕或阻止。例如,要生成具有拒絕規則目標的新基本策略,請運行以下命令:$ sudo usbguard generate-policy -X -t block >/etc/usbguard/rules.conf
還$ sudo usbguard generate-policy -X -t reject >/etc/usbguard/rules.conf
建議將拒絕或阻止策略作為基本策略,原因如下:
- 它定義了一個永久的 USBGuard 策略,允許某些 USB 設備與 Linux 系統交互。
- 這意味著當前連接的設備被接受,但 USBGuard 阻止或拒絕其他 USB 設備。
$ sudo more /home/student/rules.conf
示例輸出:
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" allow id 1d6b:0002 serial "0000:2c:00.0" name "xHCI Host Controller" hash "PwX8KDBTGiYfCyqnWn9KXV2puYMRc5J2oaMUcSSODtY=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type "" allow id 1d6b:0003 serial "0000:2c:00.0" name "xHCI Host Controller" hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type "" allow id 045e:082c serial "603378194521" name "Microsoft Ergonomic Keyboard" hash "/XFAtSRVsaZuf7PFiE9mvgEyRjrYL8NVMyDOqboFhrc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug" allow id 2109:2813 serial "" name "USB2.0 Hub" hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface 09:00:00 with-connect-type "hotplug" allow id 06cb:00bd serial "46b6e9623725" name "" hash "a9PN3kg0s7LvZgUVOnrGXSBaVPGD2RkCo/lm5dEjTRM=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:00:00 with-connect-type "not used" allow id 2109:0813 serial "" name "USB3.0 Hub" hash "VXFbt2m/i5krELu+kCSJysCj+m3eetVv3nfC72o9ceg=" parent-hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" via-port "4-2" with-interface 09:00:00 with-connect-type "hotplug" allow id 8087:0029 serial "" name "" hash "ATK8pCmQtUYaUnwqUVuYssrOMkW8pdCSdZO4OC6zEtg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used" allow id 1a40:0101 serial "" name "USB 2.0 Hub" hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" parent-hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" via-port "1-7.4" with-interface 09:00:00 with-connect-type "unknown" allow id 2109:0102 serial "0000000000000001" name "USB 2.0 BILLBOARD " hash "9D+MQzO58xal2wcN4ROFKY33xyDuRLfAqDBlArhZi3M=" parent-hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" with-interface 11:00:00 with-connect-type "unknown"
列出 USBGuard 守護程序使用的規則集(策略)。
跑:$ sudo usbguard list-rules
想要查看受特定規則影響的所有設備?試試:$ sudo usbguard list-rules -d
$ sudo usbguard list-rules --show-devices
您還可以顯示帶有特定標籤的規則。$ sudo usbguard list-rules -l {label_here}
$ sudo usbguard list-rules --label
列出 USBGuard 守護進程識別的所有 USB 設備。$ sudo usbguard list-devices
$ sudo usbguard list-devices -a ## list allowed devices ##
$ sudo usbguard list-devices -b ## list blocked devices ##
測試 USBGuard
插入您的 USB 4G LTE 調製解調器以查看它是否默認被阻止並運行 lsusb。$ lsusb
顯示華為 USB 連接到 USB 端口(設備 009:ID 12d1:157c)並被系統識別的示例輸出:
Bus 004 Device 002: ID 2109:0813 VIA Labs, Inc. USB3.0 Hub Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 004: ID 06cb:00bd Synaptics, Inc. Bus 001 Device 007: ID 2109:0102 VIA Labs, Inc. Microsoft Ergonomic Keyboard Bus 001 Device 005: ID 1a40:0101 Terminus Technology Inc. Hub Bus 001 Device 003: ID 2109:2813 VIA Labs, Inc. USB2.0 Hub Bus 001 Device 009: ID 12d1:157c Huawei Technologies Co., Ltd. HUAWEI_MOBILE Bus 001 Device 006: ID 8087:0029 Intel Corp. Bus 001 Device 002: ID 045e:082c Microsoft Corp. Microsoft Ergonomic Keyboard Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
但是,此設備被 USBGuard 阻止。您將收到一條內核消息,提示您無權使用華為 USB 設備,如下所示。$ sudo dmesg
$ sudo dmesg | grep -i 'authorized'
顯示 USBGuard 默認阻止 USB 調製解調器的示例輸出:
[87467.670280] usb 1-2: new high-speed USB device number 8 using xhci_hcd [87467.820572] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02 [87467.820578] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [87467.820581] usb 1-2: Product: HUAWEI_MOBILE [87467.820584] usb 1-2: Manufacturer: HUAWEI_MOBILE [87467.820587] usb 1-2: SerialNumber: 0123456789ABCDEF [87467.820928] usb 1-2: Device is not authorized for usage [87477.196260] usb 1-2: USB disconnect, device number 8 [87477.682044] usb 1-2: new high-speed USB device number 9 using xhci_hcd [87477.831578] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02 [87477.831583] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [87477.831587] usb 1-2: Product: HUAWEI_MOBILE [87477.831590] usb 1-2: Manufacturer: HUAWEI_MOBILE [87477.831593] usb 1-2: SerialNumber: 0123456789ABCDEF [87477.831931] usb 1-2: Device is not authorized for usage
您可以使用以下命令查看被阻止的 USB 設備:$ sudo usbguard list-devices -b
輸出:
24: block id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"塊定位策略包括:
- 24 – 設備ID
- 區塊 ID 12d1:157c – USB 設備 ID
- 序列號“0123456789ABCDEF” – USB 設備序列號
- 名稱“HUAWEI_MOBILE” – USB 設備名稱
USB 設備編號是動態生成的,並且因 Linux 系統而異。
暫時允許訪問 USB 設備
默認情況下,USBGuard 會阻止連接的 USB 設備,已知會永久禁止它們。這意味著基於 USB 的攻擊被阻止。但是,如果您想允許訪問合法的 USB 設備怎麼辦?要更改阻止策略以允許設備,請嘗試以下命令: 24 帶有設備塊 ID 12d1:157c:$ sudo usbguard allow-device {device_ID}
$ sudo usbguard allow-device 24
你也可以使用這樣的規則:$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"'
$ sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"'
永久規則
我們可以使我們的決定永久化。當前策略具有與其關聯的特定於設備的允許規則。$ sudo usbguard allow-device {device_ID} -p
$ sudo usbguard allow-device 24 -p
規則而不是 ID:$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"' -p
sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"' -p
以下是我使用文本編輯器添加到 rules.conf 的規則:$ sudo /etc/usbguard/rules.conf
添加以下內容
allow id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"
allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"
保存並關閉文件。重新啟動服務。$ sudo systemctl restart usbguard.service
確認
添加規則後,USBGuard 將立即允許訪問 USB 設備。現在您可以使用 USB LTE 調製解調器連接到互聯網並查看 1 美元的光盤。udisksctl status
MODEL REVISION SERIAL DEVICE -------------------------------------------------------------------------- SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7 xyzfooooooooo1 nvme0n1 SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7 xyzfooooooooo2 nvme1n1 HUAWEI TF CARD Storage 2.31 HUAWEI_TF_CARD_Storage-0:0 sda HUAWEI Mass Storage 2.31 HUAWEI_Mass_Storage-0:0 sr0
也沒有更多的錯誤:$ sudo dmesg
是的,我的 nmcli 或網絡管理器也使用 USB LTE 調製解調器連接到互聯網。 這是 ip 和 nmcli 命令的輸出:$ nmcli device status
$ nmcli device show ttyUSB0
$ ip a s | more
$ ip a s wwx001e101f0000
移除 USB 設備
要從規則集中刪除由規則 ID 標識的規則,請運行以下命令:$ sudo usbguard list-devices -a # list rules #
記下 ID #27。例如:
27: allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"所以:$ usbguard block-device {ID_HERE} -p
$ sudo usbguard block-device 27 -p
以上將取消對 ID #27 的設備的授權。但您也可以使用該規則:$ usbguard block-device {RULE} -p
$ sudo usbguard block-device '12d1:157c serial "0123456789ABCDEF"' -p
$ sudo usbguard block-device '12d1:1506 serial "0123456789ABCDEF"' -p
當然你可以編輯配置文件。$ sudo /etc/usbguard/rules.conf
然後刪除 USB 設備條目並重新啟動服務。$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service
故障排除提示
如果您是新的 Linux 開發人員或系統管理員,您可能會發現配置有點困難。嘗試以下命令來查看和修復問題:
系統能識別 USB 設備嗎?
$ lsusb
$ sudo usbguard watch
USB 設備是否被阻止或允許?
$ sudo usbguard list-rules
$ sudo usbguard list-devices -b # blocked #
$ sudo usbguard list-devices -a # allowed #
檢查系統日誌
$ sudo dmesg
$ sudo dmesg | more
$ sudo journalctl -b -e
$ sudo journalctl -b -e -u usbguard.service
$ sudo cat /var/log/usbguard/usbguard-audit.log
$ sudo tail -f /var/log/usbguard/usbguard-audit.log
其他 USB 相關工具
$ nmcli
$ nmcli device status # usb network #
$ ip a s # networking #
$ lsblk # usb block device #
$ udisksctl status
得到幫助
跑:$ usbguard -h
$ usbguard {sub-command} -h
$ usbguard list-devices -h
這就是我所看到的
Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ... Options: Commands: get-parameter <name> Get the value of a runtime parameter. set-parameter <name> <value> Set the value of a runtime parameter. list-devices List all USB devices recognized by the USBGuard daemon. allow-device <id> Authorize a device to interact with the system. block-device <id> Deauthorize a device. reject-device <id> Deauthorize and remove a device from the system. list-rules List the rule set (policy) used by the USBGuard daemon. append-rule <rule> Append a rule to the rule set. remove-rule <id> Remove a rule from the rule set. generate-policy Generate a rule set (policy) based on the connected USB devices. watch Watch for IPC interface events and print them to stdout. read-descriptor Read a USB descriptor from a file and print it in human-readable form. add-user <name> Add USBGuard IPC user/group (requires root privilges) remove-user <name> Remove USBGuard IPC user/group (requires root privileges)
添加
本指南介紹瞭如何使用 USBGuard 來保護您的 Linux 桌面或服務器免受惡意 USB 設備的侵害,方法是根據 USB 設備 ID 和序列號等屬性實施允許名單和阻止名單規則。 usbguard 服務在後台運行,並根據規則允許或阻止對 USB 設備的訪問。 usbguard 命令還用於管理 USB 設備的授權規則和調試問題。
參考
請使用以下手冊頁 人命令:$ man lsusb
$ man usbview
$ man usb-devices
$ man usbguard
$ man usbguard-daemon
