Creating USBGuard Rules

Hands-On Lab

 


Bob Salmans

Security Training Architect I in Content

Length

00:30:00

Difficulty

Intermediate

In this lab, we'll create rules within USBGuard. These rules determine whether a host is permitted to communicate with a USB device. We'll also define how to treat USB devices that don't match any of the configured rules.


Introduction

A host has been set up with USBGuard for testing purposes. We've been assigned the task of setting up rules for USBGuard. The following rules need to be set up and made functional on the host so they can be tested:

  • A USB device named "Ubikey" should be allowed.
  • A USB device with the serial number "7856749487475" should be allowed.
  • Any USB devices that don't meet one of these rules should be blocked.

Setting Up the Environment

  1. Open your terminal application, and log in to the environment using the credentials provided on the lab instructions page. (Remember to replace <PUBLIC_IP_ADDRESS> with the actual public IP address.)

    ssh cloud_user@<PUBLIC_IP_ADDRESS>

  2. Type yes at the prompt.

  3. Enter your password at the prompt.

  4. Become root (by executing su -).

Create USBGuard Rules for Permitted Devices

  1. Create a local file named rules.conf and add two allow lines:

    [root@host]# nano rules.conf

    Enter these two lines:

    allow name "Ubikey"
    allow serial "7856749487475"

    Press Ctrl+x to quit, and save at the prompt.

  2. Commit the USBGuard rule changes by running the following command:

    install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf

Set Rule for Devices that Don't Meet Criteria

  1. Edit the /etc/usbguard/usbguard-daemon.conf file:

    [root@host]# nano /etc/usbguard/usbguard-daemon.conf

    Set the ImplicitPolicyTarget to block:

    ImplicitPolicyTarget=block

    Press Ctrl+x to quit, and save at the prompt.

  2. Restart the USBGuard service:

    [root@host]# systemctl restart usbguard.service
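
To confirm the finished configuration matches the lab requirements, the following added example (not part of the original lab) audits the rules file and the daemon configuration. The function names, and the choice to treat the last ImplicitPolicyTarget assignment as the effective one, are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the lab): audit the two files this lab edits.
# Function names are hypothetical; pass the file paths as arguments.

# Effective ImplicitPolicyTarget. Commented-out lines are ignored; taking the
# last assignment when there are several is an assumption of this script.
implicit_target() {
    sed -n 's/^[[:space:]]*ImplicitPolicyTarget[[:space:]]*=[[:space:]]*\([a-z-]*\).*/\1/p' "$1" | tail -n 1
}

# Print allow rules in file $1 that are not in the approved list $2
# (one rule per line). No output means nothing extra is allowed.
unexpected_allows() {
    grep -E '^[[:space:]]*allow([[:space:]]|$)' "$1" | sed 's/^[[:space:]]*//' | grep -Fxv -- "$2" || true
}

# Audit rules file $1 and daemon config $2. Prints findings; returns 1 on any.
audit_usbguard() {
    rules=$1; conf=$2; rc=0
    approved='allow name "Ubikey"
allow serial "7856749487475"'
    # install -m 0600 should leave the file readable and writable by owner only.
    [ "$(ls -ld "$rules" | cut -c1-10)" = "-rw-------" ] ||
        { echo "FAIL: $rules is not mode 0600"; rc=1; }
    while IFS= read -r rule; do
        grep -Fxq -- "$rule" "$rules" || { echo "FAIL: missing rule: $rule"; rc=1; }
    done <<EOF
$approved
EOF
    extra=$(unexpected_allows "$rules" "$approved")
    [ -z "$extra" ] || { echo "FAIL: unapproved allow rule: $extra"; rc=1; }
    [ "$(implicit_target "$conf")" = "block" ] ||
        { echo "FAIL: ImplicitPolicyTarget is not block"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: lab policy is in place"
    return "$rc"
}

# With two path arguments, audit those files. On the lab host these are
# /etc/usbguard/rules.conf and /etc/usbguard/usbguard-daemon.conf (run as root).
if [ "$#" -eq 2 ]; then audit_usbguard "$1" "$2"; fi
```

After the restart, `usbguard list-rules` shows the rule set the daemon actually loaded, which complements this file-level check.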

Conclusion

Congratulations, you've successfully completed this hands-on lab!