usbguard (1) Linux Manual Page
usbguard — USBGuard command-line interface
Synopsis
usbguard list-devices
usbguard allow-device
usbguard block-device
usbguard reject-device
usbguard list-rules
usbguard append-rule
usbguard remove-rule
usbguard generate-policy
usbguard watch
usbguard read-descriptor <file>
Description
The usbguard command provides a command-line interface (CLI) to the usbguard-daemon(8) instance and provides a tool for generating initial USBGuard policies.
Subcommands
list-devices
List all USB devices recognized by the USBGuard daemon.
Available options:
- -a, --allowed
- List allowed devices.
- -b, --blocked
- List blocked devices.
- -h, --help
- Show help.
~ ~ ~ ~
allow-device [OPTIONS] <id>
Authorize a device identified by the device id to interact with the system.
Available options:
- -p, --permanent
- Make the decision permanent. A device specific allow rule will be appended to the current policy.
- -h, --help
- Show help.
~ ~ ~ ~
block-device [OPTIONS] <id>
Deauthorize a device identified by the device id.
Available options:
- -p, --permanent
- Make the decision permanent. A device specific block rule will be appended to the current policy.
- -h, --help
- Show help.
~ ~ ~ ~
reject-device [OPTIONS] <id>
Deauthorize and remove a device identified by the device id.
Available options:
- -p, --permanent
- Make the decision permanent. A device specific reject rule will be appended to the current policy.
- -h, --help
- Show help.
~ ~ ~ ~
list-rules [OPTIONS]
List the rule set (policy) used by the USBGuard daemon.
Available options:
- -h, --help
- Show help.
~ ~ ~ ~
append-rule [OPTIONS] <rule>
Append the rule to the current rule set.
Available options:
- -a, --after <id>
- Append the new rule after a rule with the specified rule id.
- -h, --help
- Show help.
~ ~ ~ ~
remove-rule [OPTIONS] <id>
Remove a rule identified by the rule id from the rule set.
Available options:
- -h, --help
- Show help.
~ ~ ~ ~
generate-policy [OPTIONS]
Generate a rule set (policy) which authorizes the currently connected USB devices.
Available options:
- -p, --with-ports
- Generate port specific rules for all devices. By default, port specific rules are generated only for devices which do not export an iSerial value.
- -P, --no-ports-sn
- Don’t generate port specific rules for devices without an iSerial value. Without this option, the tool will add a via-port attribute to any device that doesn’t provide a serial number. This is a security measure to limit devices that cannot be uniquely identified to connect only via a specific port. This makes it harder to bypass the policy since the real device will occupy the allowed USB port most of the time.
- -t, --target <target>
- Generate an explicit "catch all" rule with the specified target. The target can be one of the following values: allow, block, reject.
- -X, --no-hashes
- Don’t generate a hash attribute for each device.
- -H, --hash-only
- Generate a hash-only policy.
- -h, --help
- Show help.
~ ~ ~ ~
watch [OPTIONS]
Watch the IPC interface events and print them to stdout.
Available options:
- -h, --help
- Show help.
~ ~ ~ ~
read-descriptor [OPTIONS] <file>
Read a USB descriptor from a file and print it in human-readable form.
Available options:
- -h, --help
- Show help.
Examples
Creating an initial policy
$ sudo usbguard generate-policy > rules.conf
$ vi rules.conf
(review/modify the rule set)
$ sudo install -m 0600 -o root -g root \
    rules.conf /etc/usbguard/rules.conf
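
One check worth running during the review step, tied to the -P, --no-ports-sn description above: list allow rules that are pinned neither to a serial number nor to a port. This is an added example, not part of the original manual page or the USBGuard project; the function names and the sample rules (ids, names, hash values) are constructed, and the `serial` attribute name is taken from the USBGuard rule language.

```shell
#!/bin/sh
# Added example (not from the usbguard project).

# Constructed sample in the shape of generate-policy output; ids, names and
# hash values are made up.
sample_policy() {
cat <<'EOF'
# constructed sample policy
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "EXAMPLE-HASH-1=" with-interface 09:00:00
allow id 046d:c31c serial "" name "USB serial Keyboard" hash "EXAMPLE-HASH-2=" via-port "1-2" with-interface 03:01:01
allow id 0781:5567 serial "" name "Flash Drive" hash "EXAMPLE-HASH-3=" with-interface 08:06:50
EOF
}

# weak_allow_rules FILE
# Prints "LINE: RULE" for every allow rule that has neither a non-empty
# serial value nor a via-port attribute. Assumes one rule per line and no
# escaped quotes inside quoted values.
weak_allow_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        $1 != "allow"            { next }   # only allow rules authorize a device
        {
            rest = $0; prev = ""; serial = 0; port = 0
            # Walk the rule token by token; a quoted string is one token, so
            # the word "serial" inside a device name is not mistaken for the
            # attribute.
            while (match(rest, /"[^"]*"|[^ \t]+/)) {
                tok  = substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
                if (prev == "serial" && tok ~ /^"/ && tok != "\"\"") serial = 1
                if (tok == "via-port") port = 1
                prev = tok
            }
            if (!serial && !port) printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_policy > "$tmp"
weak_allow_rules "$tmp"
rm -f "$tmp"
```

Any rule it prints matches on descriptor values alone, so it is a candidate for a via-port attribute or for removal before the policy is installed.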
