Summary

Install USBGuard to control and manage which thumb drives can be used on your Linux computer. Acting as a sort of firewall for USB devices, it lets you create a set of rules that allow, block, or reject specific drives.

USB memory sticks can be used to steal data from your Linux computer. USBGuard lets you set rules governing the use of USB memory sticks, like a firewall for USB storage devices. Here’s how it works and how you can set it up.

The USB Memory Stick and Its Dangers

We’ve probably all got at least one USB memory stick or USB storage device like a USB external drive. They’re cheap, effective, portable, and easy to use.

Nowadays you can just plug one into your Linux computer to have it identified as a storage device and mounted automatically. Gone are the days of having to mount them by hand on the command line. This convenience means anyone can put one into a Linux computer and copy data off the USB drive onto the computer, or from the computer onto the memory stick.

If other people use your computer you might want to limit what they can do with USB memory sticks. If your computer is in your home, it’s unlikely that an opportunist with malicious intent will walk by when your computer is on and unattended, but that can happen in a workplace.

But even with a computer in your family home, you might want to limit USB access. Perhaps your kids regularly have friends over to play. Locking down USB access is a sensible precaution to stop them from inadvertently causing issues.

When someone finds a USB drive there’s an immediate desire to plug it into something to see what’s on it. Cyber threats that target Linux computers are much rarer than those designed for Windows computers, but they still exist.

What Is USBGuard?

USBGuard can protect you against software-based threats that are distributed on compromised USB memory sticks, such as BadUSB, where the attack commences when you’re manipulated into opening what looks like a document but is a disguised executable. USBGuard cannot protect you against hardware-based threats such as USB Killer devices that cause physical harm to your computer by releasing a high-voltage discharge into your machine.

Actually, USBGuard allows you to set up rules for all manner of different USB devices, including mice, webcams, and keyboards. It’s not just for USB memory sticks. Your computer knows the ID of each USB device, so you’re able to choose which USB devices work in your computer, and which cannot. It’s something like a firewall for USB connectivity.

The USBGuard daemon runs as soon as it is installed. Make sure you configure USBGuard straight after installing it. If you don’t, all your USB devices will be blocked when you reboot your computer.

Normal Behavior With USB Sticks on Linux

Before we do anything, we’ll check the default behavior on our Ubuntu 22.10 computer. It’s a simple process. We insert a USB memory stick and see what happens.

We hear an audible alert sound, and a memory stick icon appears in the dock.

Opening the file browser shows an entry has been added to the list of locations in the sidebar. The name displayed is the one given to the device when it was formatted.

Opening a terminal and using the lsusb command lists the connected USB devices. The top entry is the memory stick in question, which happens to be a TDK-branded device.

Installing USBGuard

USBGuard has dependencies on usbutils and udisks2. On the latest Manjaro, Fedora, and Ubuntu builds that we tested, these were already installed.

Configuring a Base Policy

USBGuard has a neat trick. It has a command that creates a rule allowing all currently connected USB devices to continue to work unhindered. That means you can create a baseline configuration for all of your always-required devices. This set of rules is called a base policy.

USBGuard uses three types of rules: allow, block, and reject.

The base policy command creates an allow rule for each of the currently connected USB devices. This is a great way to quickly configure devices that are always connected to your computer, like keyboards and webcams. It is also a convenient way to capture trusted, intermittent devices. Just make sure all of your trusted devices are connected to your computer when you issue the command.

An odd quirk requires you to do this as root. Using sudo with the command doesn’t work. We need to use the sudo -i (login) command to open a shell as root, then issue the command. Make sure you use the exit command to leave the root login session once you’ve finished.

The -X (--no-hashes) option prevents USBGuard from generating hash attributes for each device. The -t (target) option sets a default target for all unrecognized USB devices. In our case we’ve chosen “reject.” We could also have chosen “block.”

To see our new rules, we can use cat.

On our test computer, this detected three USB devices and created “allow” rules for them. It added “reject” as the target for all other USB devices.
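
One way to review the generated rules before relying on them, as an added example that is not part of the original article: the script lists every allow rule that would permit mass storage and reports the catch-all target. The rule lines in SAMPLE_RULES are constructed, the function names are hypothetical, and the script assumes the default target appears as a final rule made up of the target word alone.

```shell
#!/bin/sh
# Added example: review a generated base policy before relying on it.
# SAMPLE_RULES is constructed; on a real system, read /etc/usbguard/rules.conf
# as root. Assumption: the default target chosen with -t appears as a final
# rule that consists of the target word alone.
SAMPLE_RULES='allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00
allow id 046d:c31c serial "" name "USB Keyboard" with-interface { 03:01:01 03:00:00 }
allow id abcd:1234 serial "EXAMPLE0001" name "Example Flash Drive" with-interface 08:06:50
allow id abcd:5678 serial "EXAMPLE0002" name "Example Gadget"
reject'

# Print allow rules that permit USB mass storage: either an interface of
# class 08 is listed, or the rule has no with-interface restriction at all.
storage_capable_allow_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "allow" {
            i = index($0, "with-interface")
            if (i == 0 || substr($0, i) ~ /[ {]08:/) print
        }'
}

# Print the catch-all target (allow, block or reject) if the last rule is a
# bare target, otherwise print "none".
catch_all_target() {
    printf '%s\n' "$1" | awk '
        NF { last = $0 }
        END {
            gsub(/^[ \t]+|[ \t]+$/, "", last)
            if (last == "allow" || last == "block" || last == "reject") print last
            else print "none"
        }'
}

# Report what a reviewer should look at; return non-zero when the policy has
# no explicit block or reject catch-all rule.
audit_policy() {
    echo "Allow rules that permit mass storage:"
    storage_capable_allow_rules "$1" | sed 's/^/  /'
    target=$(catch_all_target "$1")
    echo "Catch-all target: $target"
    [ "$target" = "block" ] || [ "$target" = "reject" ]
}

audit_policy "$SAMPLE_RULES"
```

Any storage-capable allow rule you do not recognize was connected when the base policy was generated and should be removed from the rules file.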

Adding Another USB Device

Now, if we plug in the same USB memory stick we used earlier, it isn’t permitted to operate. It isn’t added to the dock, it isn’t added to the file browser, and we don’t get an audible alert.

But because we used a “reject” target for unrecognized devices, lsusb can list its details.

If we’d used a “block” target in our base policy, we would need to use the list-devices command with the -b (blocked devices) option.

This shows the currently connected, but blocked, USB devices.

We’ll use some of the information from this command to allow our rejected USB device to have temporary access or permanent access. To give our device temporary access, we’ll use the device ID number. In our example this is “10.”

Our device is connected and appears in the dock and the file browser. If we ask USBGuard to list the blocked devices, none are listed.

We can make the permission permanent by using the -p (permanent) option. This creates a rule for us and adds it to our policy.

We can now use this USB device as normal.

Removing a USB Device’s Access

If you change your mind about a USB device (perhaps you’ve lost a USB memory stick and want to remove its access), you can do so with the block-device command.

We need to know the device ID. We can find this by listing the allowed devices. Note that this number might not be the same as the one you used to add the rule to the list, so check before you issue the block-device command.

In our case the ID is “13.” We’ll use this with the block-device command, and the -p (permanent) option, to remove its access forever.

Note that this immediately disconnects the device. Only use this command when you’ve finished using any data on the device.
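
Because the device number can change between connections, it is safer to look it up from the device's vendor:product ID and serial immediately before blocking. The script below is an added example, not part of the original article: SAMPLE_LIST is constructed to imitate list-devices output, and device_number is a hypothetical helper that refuses to answer when no device or more than one device matches.

```shell
#!/bin/sh
# Added example: look up a device's current USBGuard number from its stable
# identifiers, so block-device is never given a stale number.
# SAMPLE_LIST is constructed and imitates `usbguard list-devices` output
# (number, colon, then the rule-style description; hash attributes omitted).
SAMPLE_LIST='11: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" via-port "usb1" with-interface 09:00:00
13: allow id abcd:1234 serial "EXAMPLE0001" name "Example Flash Drive" via-port "1-2" with-interface 08:06:50
14: allow id abcd:9999 serial "" name "Generic Stick" via-port "1-3" with-interface 08:06:50
15: allow id abcd:9999 serial "" name "Generic Stick" via-port "1-4" with-interface 08:06:50'

# device_number LIST VENDOR:PRODUCT SERIAL
# Prints the number of the one listed device whose line starts with
# "<number>: <target> id VENDOR:PRODUCT serial "SERIAL" ". Matching on the
# start of the line keeps a device-supplied name from imitating these fields.
# Returns non-zero when no device or more than one device matches.
device_number() {
    printf '%s\n' "$1" | awk -v id="$2" -v serial="\"$3\"" '
        {
            num = $1
            sub(/:$/, "", num)
            want = num ": " $2 " id " id " serial " serial " "
            if (index($0, want) == 1) { n++; found = num }
        }
        END { if (n == 1) print found; else exit 1 }'
}

# On a live system (as root), the lookup and the block become:
#   n=$(device_number "$(usbguard list-devices -a)" abcd:1234 EXAMPLE0001) \
#       && usbguard block-device "$n" -p
if n=$(device_number "$SAMPLE_LIST" abcd:1234 EXAMPLE0001); then
    echo "would run: usbguard block-device $n -p"
fi
if ! device_number "$SAMPLE_LIST" abcd:9999 ""; then
    echo "abcd:9999 is ambiguous, refusing to pick a number"
fi
```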

USBGuard gives you an efficient and robust way to take control of, and manage, which USB devices can be used on your computer.

It’s your computer, so it’s only fair you get to choose.
