1 files changed, 160 insertions, 0 deletions

diff --git a/modules-available/usblockoff/inc/default-configs/usbguard-daemon.conf b/modules-available/usblockoff/inc/default-configs/usbguard-daemon.conf
new file mode 100644
index 00000000..44f2d66c
--- /dev/null
+++ b/modules-available/usblockoff/inc/default-configs/usbguard-daemon.conf
@@ -0,0 +1,160 @@
+#

+# Rule set file path.

+#

+# The USBGuard daemon will use this file to load the policy

+# rule set from it and to write new rules received via the

+# IPC interface.

+#

+# RuleFile=/path/to/rules.conf

+#

+RuleFile=/usr/local/etc/usbguard/rules.conf

+

+#

+# Implicit policy target.

+#

+# How to treat devices that don't match any rule in the

+# policy. One of:

+#

+# * allow  - authorize the device

+# * block  - block the device

+# * reject - remove the device

+#

+ImplicitPolicyTarget=allow

+

+#

+# Present device policy.

+#

+# How to treat devices that are already connected when the

+# daemon starts. One of:

+#

+# * allow        - authorize every present device

+# * block        - deauthorize every present device

+# * reject       - remove every present device

+# * keep         - just sync the internal state and leave it

+# * apply-policy - evaluate the ruleset for every present

+#                  device

+#

+PresentDevicePolicy=apply-policy

+

+#

+# Present controller policy.

+#

+# How to treat USB controllers that are already connected

+# when the daemon starts. One of:

+#

+# * allow        - authorize every present device

+# * block        - deauthorize every present device

+# * reject       - remove every present device

+# * keep         - just sync the internal state and leave it

+# * apply-policy - evaluate the ruleset for every present

+#                  device

+#

+PresentControllerPolicy=keep

+

+#

+# Inserted device policy.

+#

+# How to treat USB devices that are already connected

+# *after* the daemon starts. One of:

+#

+# * block        - deauthorize every present device

+# * reject       - remove every present device

+# * apply-policy - evaluate the ruleset for every present

+#                  device

+#

+InsertedDevicePolicy=apply-policy

+

+#

+# Restore controller device state.

+#

+# The USBGuard daemon modifies some attributes of controller

+# devices like the default authorization state of new child device

+# instances. Using this setting, you can controll whether the

+# daemon will try to restore the attribute values to the state

+# before modificaton on shutdown.

+#

+# SECURITY CONSIDERATIONS: If set to true, the USB authorization

+# policy could be bypassed by performing some sort of attack on the

+# daemon (via a local exploit or via a USB device) to make it shutdown

+# and restore to the operating-system default state (known to be permissive).

+#

+RestoreControllerDeviceState=false

+

+#

+# Device manager backend

+#

+# Which device manager backend implementation to use. One of:

+#

+# * uevent - Netlink based implementation which uses sysfs to scan for present

+#            devices and an uevent netlink socket for receiving USB device

+#            related events.

+# * dummy  - A dummy device manager which simulates several devices and device

+#            events. Useful for testing.

+#

+DeviceManagerBackend=uevent

+

+#!!! WARNING: It's good practice to set at least one of the !!!

+#!!!          two options bellow. If none of them are set,  !!!

+#!!!          the daemon will accept IPC connections from   !!!

+#!!!          anyone, thus allowing anyone to modify the    !!!

+#!!!          rule set and (de)authorize USB devices.       !!!

+

+#

+# Users allowed to use the IPC interface.

+#

+# A space delimited list of usernames that the daemon will

+# accept IPC connections from.

+#

+# IPCAllowedUsers=username1 username2 ...

+#

+IPCAllowedUsers=root

+

+#

+# Groups allowed to use the IPC interface.

+#

+# A space delimited list of groupnames that the daemon will

+# accept IPC connections from.

+#

+# IPCAllowedGroups=groupname1 groupname2 ...

+#

+IPCAllowedGroups=

+

+#

+# IPC access control definition files path.

+#

+# The files at this location will be interpreted by the daemon

+# as access control definition files. The (base)name of a file

+# should be in the form:

+#

+#   [user][:<group>]

+#

+# and should contain lines in the form:

+#

+#   <section>=[privilege] ...

+#

+# This way each file defines who is able to connect to the IPC

+# bus and what privileges he has.

+#

+IPCAccessControlFiles=/usr/local/etc/usbguard/IPCAccessControl.d/

+

+#

+# Generate device specific rules including the "via-port"

+# attribute.

+#

+# This option modifies the behavior of the allowDevice

+# action. When instructed to generate a permanent rule,

+# the action can generate a port specific rule. Because

+# some systems have unstable port numbering, the generated

+# rule might not match the device after rebooting the system.

+#

+# If set to false, the generated rule will still contain

+# the "parent-hash" attribute which also defines an association

+# to the parent device. See usbguard-rules.conf(5) for more

+# details.

+#

+DeviceRulesWithPort=false

+

+#

+# USBGuard audit events log file path.

+#

+AuditFilePath=/usr/local/var/log/usbguard/usbguard-audit.log