USBGuard / usbguard

USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method-of-use policies (how a USB device may interact with the system).
https://usbguard.github.io/
GNU General Public License v2.0

Generate policy when user locks his session and block all other USB devices? #622

Open lafrenchpatate opened 5 months ago

lafrenchpatate commented 5 months ago

Hello everyone,

I'm creating an issue for technical guidance if possible.

I am trying to secure the machines of our personnel when they're not physically in front of them (i.e. when their session is locked).

I managed to track the session's lock/unlock via the following command:

gdbus monitor -y -d org.freedesktop.login1 # grep '{'LockedHint': <true>}' or '{'LockedHint': <false>}'

Currently I am simply doing the following:

  1. Calling usbguard set-parameter InsertedDevicePolicy block on session lock

  2. Calling usbguard set-parameter InsertedDevicePolicy apply-policy on session unlock

It works fine but it's too rigid.

My new idea is to:

  1. By default, USBGUARD must accept all USB devices.

  2. When the session gets locked, generate a rule policy with all the already inserted devices. We're going to block all USB insertions in the next step, so we want to make sure that if users unplug their keyboard for whatever reason they can still plug it back in and unlock their session.

  3. When the session is locked we block all USB insertions that are not in the previously generated policy.

  4. When the session is unlocked, we go back to the settings of point 1 (accept all USB devices).

What would be the USBGUARD commands that I need to type to achieve this?

Thank you in advance for your answers and your work.
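One way to wire the four steps above together, as an added example that is not part of the original issue or of USBGuard's own code: follow the `LockedHint` changes from `gdbus monitor`, and on lock snapshot the currently connected devices with `usbguard generate-policy`, load those rules into the running daemon as temporary rules with `usbguard append-rule -t` (so nothing is written to `rules.conf`), then switch `ImplicitPolicyTarget` to `block`; on unlock switch it back to `allow` and remove the temporary rules again. The script assumes that `append-rule` prints the id of the rule it created, that `ImplicitPolicyTarget` and `InsertedDevicePolicy` are settable at runtime with `set-parameter`, and that the user running it is allowed to talk to the usbguard IPC; the `STATE_FILE` path and the `--monitor` flag are arbitrary choices made for this example. The sample `gdbus monitor` lines at the bottom are constructed for testing the parser and are not captured output.

```shell
#!/usr/bin/env bash
# Added example, not part of the original issue or of USBGuard itself.
# Switch USBGuard between "accept everything" (session unlocked) and
# "only what was plugged in at lock time" (session locked).
set -u

# Where we remember the ids of the temporary rules we appended (arbitrary path).
STATE_FILE="${STATE_FILE:-/run/usbguard-lock-rules}"

# Classify one line of `gdbus monitor -y -d org.freedesktop.login1` output.
# Prints "locked", "unlocked", or nothing if the line is not a LockedHint change.
lock_state_from_line() {
    case "$1" in
        *"'LockedHint': <true>"*)  printf 'locked\n' ;;
        *"'LockedHint': <false>"*) printf 'unlocked\n' ;;
        *) ;;
    esac
}

on_lock() {
    # Step 2: snapshot the devices present right now as allow rules. Each rule
    # is appended as a temporary rule (-t: kept in the daemon only, not saved
    # to rules.conf); append-rule prints the new rule id, which we keep so we
    # can remove exactly these rules on unlock.
    : > "$STATE_FILE"
    usbguard generate-policy | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        usbguard append-rule -t "$rule" >> "$STATE_FILE"
    done
    # Step 3: devices inserted from now on are matched against the rules;
    # anything that matches none of them falls through to "block".
    usbguard set-parameter InsertedDevicePolicy apply-policy
    usbguard set-parameter ImplicitPolicyTarget block
}

on_unlock() {
    # Step 4 / step 1: fall back to accepting everything, then drop the
    # temporary allow rules so the policy is empty again.
    usbguard set-parameter ImplicitPolicyTarget allow
    if [ -f "$STATE_FILE" ]; then
        while IFS= read -r id; do
            [ -n "$id" ] && usbguard remove-rule "$id"
        done < "$STATE_FILE"
        rm -f "$STATE_FILE"
    fi
}

main() {
    # Only act on transitions: several sessions on the same machine, or a
    # repeated PropertiesChanged signal, would otherwise run on_lock twice
    # and duplicate the rules.
    last=""
    gdbus monitor -y -d org.freedesktop.login1 | while IFS= read -r line; do
        state="$(lock_state_from_line "$line")"
        [ -n "$state" ] && [ "$state" != "$last" ] || continue
        case "$state" in
            locked)   on_lock ;;
            unlocked) on_unlock ;;
        esac
        last="$state"
    done
}

# Constructed sample lines in the shape gdbus monitor prints them (not real captures).
SAMPLE_LOCK="/org/freedesktop/login1/session/_32: org.freedesktop.DBus.Properties.PropertiesChanged ('org.freedesktop.login1.Session', {'LockedHint': <true>}, @as [])"
SAMPLE_UNLOCK="/org/freedesktop/login1/session/_32: org.freedesktop.DBus.Properties.PropertiesChanged ('org.freedesktop.login1.Session', {'LockedHint': <false>}, @as [])"
SAMPLE_OTHER="/org/freedesktop/login1/session/_32: org.freedesktop.DBus.Properties.PropertiesChanged ('org.freedesktop.login1.Session', {'IdleHint': <true>}, @as [])"

# Start the monitor loop only when asked, e.g. from a systemd service:
#   usbguard-lock-policy.sh --monitor
if [ "${1:-}" = "--monitor" ]; then
    main
fi
```

Two caveats worth keeping in mind with this approach. A device that was blocked while the session was locked stays blocked after unlock even though `ImplicitPolicyTarget` is back to `allow`; the parameter only affects future insertion events, so the user has to replug it or you run `usbguard allow-device <id>`. And temporary rules and runtime parameters live in the daemon process only: if `usbguard-daemon` restarts while a session is locked, it comes back with whatever `rules.conf` and `usbguard-daemon.conf` say, so the policy file should express the state you want to fail into.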