# # Rule set file path. # # The USBGuard daemon will use this file to load the policy # rule set from it and to write new rules received via the # IPC interface. # # RuleFile=/path/to/rules.conf # RuleFile=/usr/local/etc/usbguard/rules.conf # # Implicit policy target. # # How to treat devices that don't match any rule in the # policy. One of: # # * allow - authorize the device # * block - block the device # * reject - remove the device # ImplicitPolicyTarget=allow # # Present device policy. # # How to treat devices that are already connected when the # daemon starts. One of: # # * allow - authorize every present device # * block - deauthorize every present device # * reject - remove every present device # * keep - just sync the internal state and leave it # * apply-policy - evaluate the ruleset for every present # device # PresentDevicePolicy=apply-policy # # Present controller policy. # # How to treat USB controllers that are already connected # when the daemon starts. One of: # # * allow - authorize every present device # * block - deauthorize every present device # * reject - remove every present device # * keep - just sync the internal state and leave it # * apply-policy - evaluate the ruleset for every present # device # PresentControllerPolicy=keep # # Inserted device policy. # # How to treat USB devices that are already connected # *after* the daemon starts. One of: # # * block - deauthorize every present device # * reject - remove every present device # * apply-policy - evaluate the ruleset for every present # device # InsertedDevicePolicy=apply-policy # # Restore controller device state. # # The USBGuard daemon modifies some attributes of controller # devices like the default authorization state of new child device # instances. Using this setting, you can controll whether the # daemon will try to restore the attribute values to the state # before modificaton on shutdown. # # SECURITY CONSIDERATIONS: If set to true, the USB authorization # policy could be bypassed by performing some sort of attack on the # daemon (via a local exploit or via a USB device) to make it shutdown # and restore to the operating-system default state (known to be permissive). # RestoreControllerDeviceState=false # # Device manager backend # # Which device manager backend implementation to use. One of: # # * uevent - Netlink based implementation which uses sysfs to scan for present # devices and an uevent netlink socket for receiving USB device # related events. # * dummy - A dummy device manager which simulates several devices and device # events. Useful for testing. # DeviceManagerBackend=uevent #!!! WARNING: It's good practice to set at least one of the !!! #!!! two options bellow. If none of them are set, !!! #!!! the daemon will accept IPC connections from !!! #!!! anyone, thus allowing anyone to modify the !!! #!!! rule set and (de)authorize USB devices. !!! # # Users allowed to use the IPC interface. # # A space delimited list of usernames that the daemon will # accept IPC connections from. # # IPCAllowedUsers=username1 username2 ... # IPCAllowedUsers=root # # Groups allowed to use the IPC interface. # # A space delimited list of groupnames that the daemon will # accept IPC connections from. # # IPCAllowedGroups=groupname1 groupname2 ... # IPCAllowedGroups= # # IPC access control definition files path. # # The files at this location will be interpreted by the daemon # as access control definition files. The (base)name of a file # should be in the form: # # [user][:] # # and should contain lines in the form: # #
=[privilege] ... # # This way each file defines who is able to connect to the IPC # bus and what privileges he has. # IPCAccessControlFiles=/usr/local/etc/usbguard/IPCAccessControl.d/ # # Generate device specific rules including the "via-port" # attribute. # # This option modifies the behavior of the allowDevice # action. When instructed to generate a permanent rule, # the action can generate a port specific rule. Because # some systems have unstable port numbering, the generated # rule might not match the device after rebooting the system. # # If set to false, the generated rule will still contain # the "parent-hash" attribute which also defines an association # to the parent device. See usbguard-rules.conf(5) for more # details. # DeviceRulesWithPort=false # # USBGuard audit events log file path. # AuditFilePath=/usr/local/var/log/usbguard/usbguard-audit.log