是的
我們擁有強大的防火牆和其他網絡安全策略,以防止通過網絡未經授權訪問我們用戶的台式計算機。但是,您需要阻止 USB 設備訪問。 配置 Linux 桌面安全策略以
給予許可
以及基於設備屬性的黑名單功能。例如,您可以定義授權哪些 USB 設備以及它們如何與您的 Linux 系統交互。例如,您可以定義一個策略,允許序列號為“XYZ”的 Yubikey 和序列號為“ABC”的 USB LTE 調製解調器。默認情況下拒絕所有其他 USB 設備訪問。
安裝 USBGuard 和其他實用程序
USBGuard 僅適用於 Linux。以下教程不適用於其他操作系統,例如 *BSD 或 macOS。
根據您的 Linux 發行版,您應該按如下方式安裝 USBGuard:
Debian/Ubuntu 或 Linux Mint
在 Debian/Ubuntu 或 Linux mint 上使用 apt 或 apt-get 命令。$ sudo apt install usbguard usbutils udisks2
[sudo] password for vivek: Reading package lists... Done Building dependency tree Reading state information... Done usbutils is already the newest version (1:012-2). udisks2 is already the newest version (2.8.4-1ubuntu2). The following packages were automatically installed and are no longer required: linux-headers-5.4.0-84 linux-headers-5.4.0-84-generic linux-image-5.4.0-84-generic linux-modules-5.4.0-84-generic linux-modules-extra-5.4.0-84-generic Use 'sudo apt autoremove' to remove them. The following additional packages will be installed: libqb0 libumockdev0 libusbguard0 The following NEW packages will be installed: libqb0 libumockdev0 libusbguard0 usbguard 0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded. Need to get 580 kB of archives. After this operation, 2,131 kB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 https://archive.ubuntu.com/ubuntu focal/main amd64 libqb0 amd64 1.0.5-1 [63.9 kB] Get:2 https://archive.ubuntu.com/ubuntu focal-updates/universe amd64 libumockdev0 amd64 0.14.1-1ubuntu0.1 [34.2 kB] Get:3 https://archive.ubuntu.com/ubuntu focal/universe amd64 libusbguard0 amd64 0.7.6+ds-1build1 [350 kB] Get:4 https://archive.ubuntu.com/ubuntu focal/universe amd64 usbguard amd64 0.7.6+ds-1build1 [132 kB] Fetched 580 kB in 3s (229 kB/s) Selecting previously unselected package libqb0:amd64. (Reading database ... 419085 files and directories currently installed.) Preparing to unpack .../libqb0_1.0.5-1_amd64.deb ... Unpacking libqb0:amd64 (1.0.5-1) ... Selecting previously unselected package libumockdev0:amd64. Preparing to unpack .../libumockdev0_0.14.1-1ubuntu0.1_amd64.deb ... Unpacking libumockdev0:amd64 (0.14.1-1ubuntu0.1) ... Selecting previously unselected package libusbguard0. Preparing to unpack .../libusbguard0_0.7.6+ds-1build1_amd64.deb ... Unpacking libusbguard0 (0.7.6+ds-1build1) ... Selecting previously unselected package usbguard. Preparing to unpack .../usbguard_0.7.6+ds-1build1_amd64.deb ... Unpacking usbguard (0.7.6+ds-1build1) ... Setting up libqb0:amd64 (1.0.5-1) ... Setting up libumockdev0:amd64 (0.14.1-1ubuntu0.1) ... Setting up libusbguard0 (0.7.6+ds-1build1) ... Setting up usbguard (0.7.6+ds-1build1) ... Created symlink /etc/systemd/system/dbus-org.usbguard.service → /lib/systemd/system/usbguard-dbus.service. Created symlink /etc/systemd/system/multi-user.target.wants/usbguard-dbus.service → /lib/systemd/system/usbguard-dbus.service. Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /lib/systemd/system/usbguard.service. Processing triggers for systemd (245.4-4ubuntu3.13) ... Processing triggers for man-db (2.9.1-1) ... Processing triggers for dbus (1.12.16-2ubuntu2.1) ... Processing triggers for libc-bin (2.31-0ubuntu9.3) ...
Fedora 或 RHEL 和朋友
使用 FedoraRHEL 的 dnf 命令克隆。$ sudo dnf install usbguard usbutils udisks2
SUSE/開放式 SUSE Linux
對於 SUSE Enterprise Linux 或 OpenSUSE Linux 用戶,請嘗試以下 zypper 命令。$ sudo zypper in usbguard usbutils udisks2 usbguard-tools
Loading repository data... Reading installed packages... Resolving package dependencies... The following 5 NEW packages are going to be installed: udisks2 udisks2-lang usbguard usbguard-tools usbutils The following recommended package was automatically selected: udisks2-lang 5 new packages to install. Overall download size: 725.3 KiB. Already cached: 0 B. After the operation, additional 3.0 MiB will be used. Continue? [y/n/v/...? shows all options] (y): y Retrieving package udisks2-2.8.1-1.39.x86_64 (1/5), 261.9 KiB (929.5 KiB unpacked) Retrieving: udisks2-2.8.1-1.39.x86_64.rpm ..............................[done] Retrieving package usbguard-0.7.8-bp153.1.19.x86_64 (2/5), 122.1 KiB (314.0 KiB unpacked) Retrieving: usbguard-0.7.8-bp153.1.19.x86_64.rpm .......................[done] Retrieving package udisks2-lang-2.8.1-1.39.noarch (3/5), 163.3 KiB ( 1.2 MiB unpacked) Retrieving: udisks2-lang-2.8.1-1.39.noarch.rpm .........................[done] Retrieving package usbguard-tools-0.7.8-bp153.1.19.x86_64 (4/5), 66.1 KiB (179.7 KiB unpacked) Retrieving: usbguard-tools-0.7.8-bp153.1.19.x86_64.rpm .................[done] Retrieving package usbutils-014-3.3.1.x86_64 (5/5), 111.9 KiB (362.2 KiB unpacked) Retrieving: usbutils-014-3.3.1.x86_64.rpm ..............................[done] Checking for file conflicts: ...........................................[done] (1/5) Installing: udisks2-2.8.1-1.39.x86_64 ............................[done] (2/5) Installing: usbguard-0.7.8-bp153.1.19.x86_64 .....................[done] (3/5) Installing: udisks2-lang-2.8.1-1.39.noarch .......................[done] (4/5) Installing: usbguard-tools-0.7.8-bp153.1.19.x86_64 ...............[done] (5/5) Installing: usbutils-014-3.3.1.x86_64 ............................[done]
控制usbguard服務
使用 systemctl 命令在啟動時配置 usbguard 服務,或者在應用新策略時重新啟動它。語法是:$ sudo systemctl enable usbguard.service --now
$ sudo systemctl start usbguard.service
$ sudo systemctl stop usbguard.service
$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service
列出當前 USB 設備
使用 lsusb 或 usb-devices 命令顯示有關係統中 USB 總線以及連接到它們的設備的信息。例如:$ lsusb
$ usb-devices | less
想要連接到系統的 USB 設備的圖形概覽嗎?嘗試:
$ sudo usbview
查看 USBGuard 規則
然後以 root 身份切換到 /etc/usbguard 目錄。因此,以 root 身份登錄。$ sudo -i
### OR ###
$ su -
列出文件並找到 rules.conf 文件。$ ls -l
total 16 drwxr-xr-x. 2 root root 4096 Mar 31 13:32 IPCAccessControl.d -rw-------. 1 root root 0 Mar 31 13:32 rules.conf drwxr-xr-x. 2 root root 4096 Mar 31 13:32 rules.d -rw-------. 1 root root 5366 Mar 31 12:57 usbguard-daemon.conf
規則類型:
每個 USB 設備都有三種類型的定位規則:
- 給予許可 – 授權 USB 設備。
- 擁擠 – 不允許使用 USB 設備,但係統可以使用 lsusb 命令查看。但是,用戶不能使用 USB 設備,因為它們在系統管理員允許之前被阻止。 (塊設備)
- 拒絕 – USB 設備未經身份驗證且對系統或用戶不可見。 要再次看到 USB 設備,您必須重新插入它。 (拒絕設備)
了解 /etc/usbguard/usbguard-daemon.conf
usbguard 服務從名為 /etc/usbguard/usbguard-daemon.conf 的文件中讀取默認值和選項。$ sudo less /etc/usbguard/usbguard-daemon.conf
$ sudo grep -vE '^#|^$' /etc/usbguard/usbguard-daemon.conf
輸出:
RuleFile=/etc/usbguard/rules.conf ImplicitPolicyTarget=block PresentDevicePolicy=apply-policy PresentControllerPolicy=keep InsertedDevicePolicy=apply-policy AuthorizedDefault=none RestoreControllerDeviceState=false DeviceManagerBackend=uevent IPCAllowedUsers=root IPCAllowedGroups=root plugdev IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ DeviceRulesWithPort=false AuditBackend=FileAudit AuditFilePath=/var/log/usbguard/usbguard-audit.log
| 選項 | 解釋 |
|---|---|
| 規則文件 = 路徑 | USBGuard 守護程序使用此文件加載策略規則集並寫入通過 IPC 接口接收的新規則。 |
| ImplicitPolicyTarget=目標 | 如何處理不符合政策規則的 USB 設備。目標應該是允許、阻止或拒絕(從系統中丟棄設備節點)。 |
| PresentDevicePolicy=策略 | 守護程序啟動時如何處理連接的 USB 設備。策略必須是允許、阻止、拒絕、保留(保持設備的當前狀態)或應用策略(評估每個當前設備的規則集)。 |
| PresentControllerPolicy=策略 | 守護進程啟動時如何處理已經連接的 USB 控制器設備。允許、阻止、拒絕、保留或應用策略。 |
| InsertedDevicePolicy=策略 | 如何處理自守護程序啟動以來連接的 USB 設備。阻止、拒絕或強制執行的策略。 |
| RestoreControllerDeviceState=布爾值 | USBGuard 守護進程修改控制器設備的一些屬性,例如新子設備實例的默認授權狀態。此設置允許您控制守護程序是否嘗試在關閉時將屬性值恢復到更改前的狀態。 |
| DeviceManagerBackend=後端 | 要使用的設備管理器後端實現。後端必須是 uevent(默認)或 umockdev。 |
| IPCAllowedUsers=用戶名 [username …] | 守護程序將接受 IPC 連接的用戶名的空格分隔列表。 |
| IPCAllowedGroups=組名 [groupname …] | 守護進程為其接受 IPC 連接的以空格分隔的組名列表。 |
| IPCAccessControlFiles=路徑 | 此位置中的文件由守護程序解釋為 IPC 訪問控制定義文件。有關詳細信息,請參閱 IPC 訪問控制部分。 |
| DeviceRulesWithPort=布爾值 | 生成包含“via-port”屬性的特定於設備的規則。 |
| AuditBackend=後端 | USBGuard 審計事件記錄後端。後端值必須是 FileAudit 或 LinuxAudit。 |
| AuditFilePath=文件路徑 | USBGuard 審計事件日誌文件的路徑。 如果 AuditBackend 設置為 FileAudit,則為必需。 |
創建基本默認策略
如果 rules.conf 文件為空或需要設置新策略,請運行以下命令。
幾乎所有的 Linux 發行版都沒有規則。所以文件是空的。要生成授權當前連接的 USB 設備的規則集(策略),請運行以下命令:$ sudo usbguard generate-policy -X >/etc/usbguard/rules.conf
包羅萬象的策略配置步驟
默認的最後一條規則應該是拒絕或阻止。例如,要生成包含拒絕規則目標的新基本策略,請運行以下命令:$ sudo usbguard generate-policy -X -t block >/etc/usbguard/rules.conf
再次$ sudo usbguard generate-policy -X -t reject >/etc/usbguard/rules.conf
出於以下原因,建議將拒絕或阻止策略作為基本策略:
- 它定義了一個永久的 USBGuard 策略,允許某些 USB 設備與 Linux 系統交互。
- 這意味著當前連接的設備被接受,但 USBGuard 阻止或拒絕其他 USB 設備。
$ sudo more /home/student/rules.conf
示例輸出:
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" allow id 1d6b:0002 serial "0000:2c:00.0" name "xHCI Host Controller" hash "PwX8KDBTGiYfCyqnWn9KXV2puYMRc5J2oaMUcSSODtY=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type "" allow id 1d6b:0003 serial "0000:2c:00.0" name "xHCI Host Controller" hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type "" allow id 045e:082c serial "603378194521" name "Microsoft Ergonomic Keyboard" hash "/XFAtSRVsaZuf7PFiE9mvgEyRjrYL8NVMyDOqboFhrc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug" allow id 2109:2813 serial "" name "USB2.0 Hub" hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface 09:00:00 with-connect-type "hotplug" allow id 06cb:00bd serial "46b6e9623725" name "" hash "a9PN3kg0s7LvZgUVOnrGXSBaVPGD2RkCo/lm5dEjTRM=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:00:00 with-connect-type "not used" allow id 2109:0813 serial "" name "USB3.0 Hub" hash "VXFbt2m/i5krELu+kCSJysCj+m3eetVv3nfC72o9ceg=" parent-hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" via-port "4-2" with-interface 09:00:00 with-connect-type "hotplug" allow id 8087:0029 serial "" name "" hash "ATK8pCmQtUYaUnwqUVuYssrOMkW8pdCSdZO4OC6zEtg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used" allow id 1a40:0101 serial "" name "USB 2.0 Hub" hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" parent-hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" via-port "1-7.4" with-interface 09:00:00 with-connect-type "unknown" allow id 2109:0102 serial "0000000000000001" name "USB 2.0 BILLBOARD " hash "9D+MQzO58xal2wcN4ROFKY33xyDuRLfAqDBlArhZi3M=" parent-hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" with-interface 11:00:00 with-connect-type "unknown"
列出 USBGuard 守護程序使用的規則集(策略)
跑步:$ sudo usbguard list-rules
想查看受特定規則影響的所有設備嗎?嘗試:$ sudo usbguard list-rules -d
$ sudo usbguard list-rules --show-devices
您還可以顯示帶有特定標籤的規則。$ sudo usbguard list-rules -l {label_here}
$ sudo usbguard list-rules --label
列出 USBGuard 守護程序識別的所有 USB 設備。$ sudo usbguard list-devices
$ sudo usbguard list-devices -a ## list allowed devices ##
$ sudo usbguard list-devices -b ## list blocked devices ##
測試 USBGuard
插入 USB 4G LTE 調製解調器以查看它是否默認被阻止並運行 lsusb。$ lsusb
示例輸出顯示華為USB連接到USB端口(設備009:ID 12d1:157c)並被系統識別。
Bus 004 Device 002: ID 2109:0813 VIA Labs, Inc. USB3.0 Hub Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 004: ID 06cb:00bd Synaptics, Inc. Bus 001 Device 007: ID 2109:0102 VIA Labs, Inc. Microsoft Ergonomic Keyboard Bus 001 Device 005: ID 1a40:0101 Terminus Technology Inc. Hub Bus 001 Device 003: ID 2109:2813 VIA Labs, Inc. USB2.0 Hub Bus 001 Device 009: ID 12d1:157c Huawei Technologies Co., Ltd. HUAWEI_MOBILE Bus 001 Device 006: ID 8087:0029 Intel Corp. Bus 001 Device 002: ID 045e:082c Microsoft Corp. Microsoft Ergonomic Keyboard Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
但是,此設備被 USBGuard 阻止。顯示內核消息,表明未經授權使用華為USB設備,例如:$ sudo dmesg
$ sudo dmesg | grep -i 'authorized'
顯示 USBGuard 默認阻止 USB 調製解調器的示例輸出:
[87467.670280] usb 1-2: new high-speed USB device number 8 using xhci_hcd [87467.820572] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02 [87467.820578] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [87467.820581] usb 1-2: Product: HUAWEI_MOBILE [87467.820584] usb 1-2: Manufacturer: HUAWEI_MOBILE [87467.820587] usb 1-2: SerialNumber: 0123456789ABCDEF [87467.820928] usb 1-2: Device is not authorized for usage [87477.196260] usb 1-2: USB disconnect, device number 8 [87477.682044] usb 1-2: new high-speed USB device number 9 using xhci_hcd [87477.831578] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02 [87477.831583] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [87477.831587] usb 1-2: Product: HUAWEI_MOBILE [87477.831590] usb 1-2: Manufacturer: HUAWEI_MOBILE [87477.831593] usb 1-2: SerialNumber: 0123456789ABCDEF [87477.831931] usb 1-2: Device is not authorized for usage
您可以使用以下命令查看被阻止的 USB 設備:$ sudo usbguard list-devices -b
輸出:
24: block id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"區塊定位策略包括:
- 24 – 設備ID
- 塊 ID 12d1:157c – USB 設備 ID
- 序列號“0123456789ABCDEF” – USB 設備序列號
- 名稱“HUAWEI_MOBILE” – USB 設備名稱
USB 設備號是動態生成的,在 Linux 系統上是不同的。
暫時允許訪問 USB 設備
默認情況下,USBGuard 會阻止連接的 USB 設備,並且眾所周知總是被禁止。這意味著基於 USB 的攻擊被阻止。但是如果你想允許訪問合法的 USB 設備怎麼辦呢?嘗試以下命令來更改阻止策略以允許該設備。 24 帶設備塊 ID 12d1:157c:$ sudo usbguard allow-device {device_ID}
$ sudo usbguard allow-device 24
您還可以使用這樣的規則:$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"'
$ sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"'
永久規則
我們可以使我們的決定永久化。特定於設備的允許規則已添加到當前策略中。$ sudo usbguard allow-device {device_ID} -p
$ sudo usbguard allow-device 24 -p
規則而不是 ID:$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"' -p
sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"' -p
以下是我使用文本編輯器添加到 rules.conf 的規則:$ sudo /etc/usbguard/rules.conf
添加以下內容
allow id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"
allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"
保存並關閉文件。重新啟動服務。$ sudo systemctl restart usbguard.service
確認
添加規則後,USBGuard 將立即允許訪問 USB 設備。現在您可以使用 USB LTE 調製解調器連接到互聯網並查看您的 $disk。udisksctl status
MODEL REVISION SERIAL DEVICE -------------------------------------------------------------------------- SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7 xyzfooooooooo1 nvme0n1 SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7 xyzfooooooooo2 nvme1n1 HUAWEI TF CARD Storage 2.31 HUAWEI_TF_CARD_Storage-0:0 sda HUAWEI Mass Storage 2.31 HUAWEI_Mass_Storage-0:0 sr0
也沒有更多的錯誤:$ sudo dmesg
是的,我的 nmcli 或網絡管理員也在使用 USB LTE 調製解調器連接到互聯網。下面是 ip 和 nmcli 命令的輸出。$ nmcli device status
$ nmcli device show ttyUSB0
$ ip a s | more
$ ip a s wwx001e101f0000
移除 USB 設備
要從規則集中刪除由規則 ID 標識的規則,請運行以下命令:$ sudo usbguard list-devices -a # list rules #
記下 ID #27。例如:
27: allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"在那之後:$ usbguard block-device {ID_HERE} -p
$ sudo usbguard block-device 27 -p
以上將取消對 ID # 27 的設備的授權。但您也可以使用該規則:$ usbguard block-device {RULE} -p
$ sudo usbguard block-device '12d1:157c serial "0123456789ABCDEF"' -p
$ sudo usbguard block-device '12d1:1506 serial "0123456789ABCDEF"' -p
當然你可以編輯配置文件。$ sudo /etc/usbguard/rules.conf
然後刪除 USB 設備條目並重新啟動服務。$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service
故障排除提示
如果您是新的 Linux 開發人員或系統管理員,您可能會發現配置有點困難。嘗試使用以下命令檢查並修復問題:
系統能識別USB設備嗎?
$ lsusb
$ sudo usbguard watch
是阻止還是允許 USB 設備?
$ sudo usbguard list-rules
$ sudo usbguard list-devices -b # blocked #
$ sudo usbguard list-devices -a # allowed #
檢查系統日誌
$ sudo dmesg
$ sudo dmesg | more
$ sudo journalctl -b -e
$ sudo journalctl -b -e -u usbguard.service
$ sudo cat /var/log/usbguard/usbguard-audit.log
$ sudo tail -f /var/log/usbguard/usbguard-audit.log
其他USB相關工具
$ nmcli
$ nmcli device status # usb network #
$ ip a s # networking #
$ lsblk # usb block device #
$ udisksctl status
得到幫助
跑步:$ usbguard -h
$ usbguard {sub-command} -h
$ usbguard list-devices -h
這就是我所看到的
Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ... Options: Commands: get-parameter <name> Get the value of a runtime parameter. set-parameter <name> <value> Set the value of a runtime parameter. list-devices List all USB devices recognized by the USBGuard daemon. allow-device <id> Authorize a device to interact with the system. block-device <id> Deauthorize a device. reject-device <id> Deauthorize and remove a device from the system. list-rules List the rule set (policy) used by the USBGuard daemon. append-rule <rule> Append a rule to the rule set. remove-rule <id> Remove a rule from the rule set. generate-policy Generate a rule set (policy) based on the connected USB devices. watch Watch for IPC interface events and print them to stdout. read-descriptor Read a USB descriptor from a file and print it in human-readable form. add-user <name> Add USBGuard IPC user/group (requires root privilges) remove-user <name> Remove USBGuard IPC user/group (requires root privileges)
加上
本指南將向您展示如何使用 USBGuard 通過實施基於 USB 設備 ID 和序列號等屬性的允許列表和阻止列表規則來保護您的 Linux 台式機或服務器免受流氓 USB 設備的侵害。 usbguard 服務在後台運行,並根據規則允許或阻止對 USB 設備的訪問。 usbguard 命令還用於管理 USB 設備的授權規則和調試問題。
參考
請使用以下手冊頁 人的訂單:$ man lsusb
$ man usbview
$ man usb-devices
$ man usbguard
$ man usbguard-daemon
