USBGuard / usbguard

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system)
https://usbguard.github.io/
GNU General Public License v2.0

enabling USBGuard with LDAP #608

Closed p1r4t3-s4il0r closed 7 months ago

p1r4t3-s4il0r commented 8 months ago

Hello to everyone.

I'm using USBGuard to prevent users from connecting an untrusted device to their machines (Ubuntu).

But I have to go to each machine to authorize a device. I would like to "centralize" the authorizations. I would like to authorize devices according to the connected user, using his LDAP account. Is there any trick for this?

Thanks

radosroka commented 8 months ago

Hello, USBGuard supports an LDAP back end. That essentially means you can set up and manage the USBGuard policy centrally, but authorization is done locally.

radosroka commented 8 months ago

I guess you can collect audit events from the clients where usbguard is running, and in case you need to allow some device, you can alter the policy in LDAP; the device will then be allowed on reinsertion.

p1r4t3-s4il0r commented 8 months ago

Thanks for your answer. I'm not sure I understand the difference between policy and authorization.

Hmm, yeah, I could have a workaround collecting the audits to allow a device.

radosroka commented 8 months ago

You probably want to forward logs with rsyslog or with another logging daemon. You need to evaluate the devices manually, but from one centralized place. If needed, you can create a rule for a specific device and a specific host. The collection of the rules is called the policy. If stored in LDAP, the daemon will "download" it when it needs to decide what to do with a newly connected device. I haven't looked at the code, but when you add a rule or change the policy anyhow, the difference can be spotted after a new event comes, e.g. insertion of a new device or re-insertion of an already connected device.
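The review step described in this comment (look at blocked devices from one central place, then write a rule for a specific device) as an added Python example. This is not code from USBGuard or from anyone in this thread. It parses the output of `usbguard list-devices` as collected from several hosts and emits, for each blocked device, an allow rule pinned to that device's id, serial, name and hash in USBGuard's rule-language syntax. The host names, the device listings and the hash strings are constructed sample data, not real digests; how the resulting rule is attached to a host in an LDAP entry is not modelled here.

```python
"""Collect `usbguard list-devices` output from several hosts, list the blocked
devices, and emit a pinned allow rule per device.

Added example; not USBGuard's own code. LISTINGS below is constructed sample
data in the format `usbguard list-devices` prints: "<device-id>: <rule>".
The hash values are placeholders, not real digests."""
import re
import shlex

LISTINGS = {  # constructed sample: host name -> listing text
    "ws01": (
        '1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" '
        'hash "ROOTHASH" parent-hash "ROOTHASH" via-port "usb1" '
        'with-interface 09:00:00 with-connect-type ""\n'
        '5: block id 0951:1666 serial "E0D55EA5740B" name "DataTraveler 3.0" '
        'hash "HASHA" parent-hash "ROOTHASH" via-port "1-1" '
        'with-interface 08:06:50 with-connect-type "hotplug"\n'
    ),
    "ws02": (
        '6: block id 046d:c31c serial "" name "USB Keyboard" hash "HASHB" '
        'parent-hash "ROOTHASH" via-port "1-2" '
        'with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"\n'
    ),
}

SET_ATTRS = {"with-interface"}  # attributes that may carry a "{ a b c }" set
LINE_RE = re.compile(r"^(\d+):\s+(.*)$")


def parse_rule(rule):
    """Split one rule into (target, {attribute: value}).

    shlex.split honours the double-quoted strings of the rule language and
    leaves "{" and "}" as stand-alone tokens, which delimit set values.
    Set-valued attributes are always returned as lists."""
    tokens = shlex.split(rule)
    target, attrs, i = tokens[0], {}, 1
    while i < len(tokens):
        key = tokens[i]
        if i + 1 < len(tokens) and tokens[i + 1] == "{":
            end = tokens.index("}", i + 2)
            attrs[key] = tokens[i + 2:end]
            i = end + 1
        else:
            attrs[key] = [tokens[i + 1]] if key in SET_ATTRS else tokens[i + 1]
            i += 2
    return target, attrs


def parse_listing(text):
    """Yield (device_id, target, attrs) for each line of list-devices output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            target, attrs = parse_rule(m.group(2))
            yield int(m.group(1)), target, attrs


def blocked_devices(listings):
    """Return [(host, device_id, attrs)] for every device a host currently blocks."""
    return [(host, dev_id, attrs)
            for host, text in listings.items()
            for dev_id, target, attrs in parse_listing(text)
            if target == "block"]


def quote(value):
    return '"' + value.replace('"', '\\"') + '"'


def allow_rule(attrs):
    """Build an allow rule pinned to id, serial (when present), name, hash and
    interface set. The hash is computed over the descriptors, serial included,
    so two identical devices without a serial number share a hash and both match."""
    parts = ["allow", "id", attrs["id"]]
    if attrs.get("serial"):
        parts += ["serial", quote(attrs["serial"])]
    parts += ["name", quote(attrs["name"]), "hash", quote(attrs["hash"])]
    ifaces = attrs.get("with-interface", [])
    if len(ifaces) == 1:
        parts += ["with-interface", ifaces[0]]
    elif ifaces:
        parts += ["with-interface", "{", *ifaces, "}"]
    return " ".join(parts)


if __name__ == "__main__":
    for host, dev_id, attrs in blocked_devices(LISTINGS):
        print(f"{host} device {dev_id}: {allow_rule(attrs)}")
```

The emitted rule is what you would add to the central policy (in LDAP or in the rules file); as noted in the comments above, it takes effect for that device once it is reinserted. Pinning on `hash` rather than on `via-port` keeps the rule tied to the device itself and not to the socket it happened to be plugged into.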

p1r4t3-s4il0r commented 8 months ago

Thanks for your suggestion.

I just don't know how to trigger the download of the new policy. I don't understand what you mean by "If stored in LDAP the daemon will ...". How can the daemon be stored in LDAP?

Thanks for your time @radosroka.

radosroka commented 8 months ago

> Thanks for your suggestion.
>
> I just don't know how to trigger the download of the new policy. I don't understand what you mean by "If stored in LDAP the daemon will ...". How can the daemon be stored in LDAP?
>
> Thanks for your time @radosroka.

If the policy is stored in LDAP.

p1r4t3-s4il0r commented 8 months ago

Thanks. That's more clear.

radosroka commented 7 months ago

If you don't mind I'm gonna close this issue. Feel free to reopen if needed.