kochstefan
commented
6 years ago Hi @phocean
The usbguard project provides an USB firewall, too. It is already packaged within openSUSE and debian. The usbguard development was supported by RedHat and usbauth was supported by SUSE. Historical, usbguard was published while the working on usbauth has already been started. The main difference is that usbguard works with USB devices and usbauth works with USB interfaces.
usbauth could allow/deny usb interfaces using the new usb interface authorization mechanism that is part of linux 4.4 and above. See also: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=v4.4.94&qt=grep&q=interface+auth
Examples:
- allow audio interfaces of an USB headset and deny HID interfaces
- allow a storage functionality of a USB device and deny USB Ethernet of the same device
- allow audio/video functionality of an USB TV card and deny using the remote control functionality
- allow USB printing/scanning and deny USB storage usage of a multifunction printer (BTW: the interface mechanism supports denying user space triggered actions (using USB claiming) like scanning)
usbguard could allow/deny USB devices using the usb device authorization mechanism of the Linux kernel. It allows to denying a whole device if one interface of it is considered as bad (usbauth supports this, too) usbguard allows creating actions. that is not supported by usbauth.
If you can understand German language you could read a detailed description: https://epub.uni-bayreuth.de/3048/1/koch2017sicherheitsaspekte.pdf
phocean
Hello,
Your project is interesing, but I would like to read some perspective on how it compares with usbguards, which has been around for a while, and why we should choose usbauth.
Thank you !