-
Notifications
You must be signed in to change notification settings - Fork 694
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authorize USB hubs and Human Interface Devices in USBGuard daemon #4748
Conversation
@radosroka @tammar96 How do you like this patch? Should you have any feedback please submit a comment. |
Hey, there are several things I would like to point out.
We need to create a rule for keyboard that has following interfaces:
I'm not familiar with any possible way how to create rule like that. I'm pretty sure that it is NOT possible. It is very likely that we need to create some new extra keyword for such use case like "match-all". It can easily test mask like "03::" on each interface instead of using "equals" or any existing keyword/operator -> it is not implemented. The same problem is with USB hubs I guess. Another problem I've encountered is that I can have these two exact rules in rules.conf but this regexp check will not honor them and it will add generic rules to the end of the file. The same problem will occur with bus again:
Anyway, I don't like the idea that we are going to force customer/user to have such rule in rules.conf "to be compliant". If we do not want to get user into position that he's basically locked out from his computer after scan we should probably check daemon.conf for:
And add some note that user have to create or generate his policy with "usbguard generate-policy" and then change "PresentDevicePolicy" and "PresentControllerPolicy" to "apply-policy" after scan... The second way how to avoid that undesired situation can be checking whether rules.conf is empty. That usually implicates not configured USBGuard therefore we can generate new policy via "usbguard generate-policy" that creates a new allow policy for each connected device. https://usbguard.github.io/documentation/rule-language.html |
I don't think we add these rules to be compliant. We add the rules to avoid locking the user out of the system when we enable @stevegrubb, do I interpret the intentions of these rules correctly? |
The rule that is in the kickstart file was given to me by Daniel Kopecek. The intention is to allow: hubs, keyboards, and mice. That's all. Everything else needs to be blocked by default. This is needed because people need to get into the system via the console during emergencies. If the rule needs to be changed to make it correct, that's fine with me. Just let me know what the changes are so I can update the kickstart file. |
How can an user/customer know that? If he sees that it is a part of the profile he will think it is required to pass the rule to be compliant. I think adding a warning box and describing it in the rule description is needed. Would it make sense to change this rule in a way that it would check whether the policy is non-empty and the Bash remediation would only generate the policy?
Could the kickstart run usbguard generate-policy? If yes, can we assume users will have the mouse and keyboard connected during system installation? |
These usbguard rules seem more like support for rule that enables usbguard service. Maybe these "basic" usbguard rules should be part of remediation for
No, the system should be able to be installed automatically/remotely, and yet, be able to accept a mouse/keyboard for emergencies. |
@radosroka @tammar96 Do you know if the usbguard rules as proposed in the PR cover commom keyboards and mouses? As intention of the rule is not to block/allow a specific device, allowing easy to find mouse/keyboard should be enough. |
Mouse and keyboard may not be installed at system boot, but connected as needed. Also, don't forget, the purpose of the rules are not so much keep from locking out users, its to block malicious devices such as ethernet, bluetooth, mass storage, etc. By allowing mice, keyboards, and hubs, then the admin can go back in and open the policy if needed. But we do not want allow drive-by plugin in of malicious devices. |
<tt>allow with-interface equals { 03:*:* }</tt> | ||
and | ||
<tt>allow with-interface equals { 03:*:* 03:*:* }</tt> | ||
to <tt>/etc/usbguard/rules.conf</tt>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a warning that this rule doesn't aim to cover all possible types of keyboards/mice?
9e574ee
to
6d99320
Compare
Rebased on master -> 6d99320. |
Just for posterity, and to unblock this. We will merge this PR as it is right now. That means the rule will have only limited usefulness outside of certification checkbox (as specific hardware will be needed to access hardened machine). And when USBGuard gains capability to allow any combination of 03 and 09, we will remake the rule to make it generally useful and nice. @radosroka ^^ :) |
OK, makes sense. |
Thanks @dahaic, @radosroka and @adelton |
Feature request on the USBGuard side: USBGuard/usbguard#207 |
Description:
Rationale: