
How to protect Linux against rogue USB devices using USBGuard



You deployed a perfect firewall and other network security policies preventing unauthorized access to the user’s desktop computer over a network. However, you still need to block USB device access. We can configure a Linux desktop security policy to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing essential allow and blocklisting capabilities based on device attributes. For instance, I can define what kind of USB devices are authorized and how a USB device interacts with the Linux system. For example, I can define a policy allowing a Yubikey with serial number “XYZ” and a USB LTE modem with serial # “ABC.” Every other USB device access is denied by default.


Installing USBGuard and other utilities

USBGuard only works on Linux, and the following tutorial will not work with other operating systems such as *BSD or macOS.

We need to install USBGuard as follows, as per your Linux distro version.

Debian/Ubuntu or Linux Mint

Use the apt command or apt-get command on Debian/Ubuntu or Linux Mint:
$ sudo apt install usbguard usbutils udisks2

[sudo] password for vivek: 
Reading package lists... Done
Building dependency tree
Reading state information... Done
usbutils is already the newest version (1:012-2).
udisks2 is already the newest version (2.8.4-1ubuntu2).
The following packages were automatically installed and are no longer required:
  linux-headers-5.4.0-84 linux-headers-5.4.0-84-generic linux-image-5.4.0-84-generic linux-modules-5.4.0-84-generic linux-modules-extra-5.4.0-84-generic
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libqb0 libumockdev0 libusbguard0
The following NEW packages will be installed:
  libqb0 libumockdev0 libusbguard0 usbguard
0 upgraded, 4 newly installed, 0 to remove and 4 not upgraded.
Need to get 580 kB of archives.
After this operation, 2,131 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu focal/main amd64 libqb0 amd64 1.0.5-1 [63.9 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 libumockdev0 amd64 0.14.1-1ubuntu0.1 [34.2 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal/universe amd64 libusbguard0 amd64 0.7.6+ds-1build1 [350 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal/universe amd64 usbguard amd64 0.7.6+ds-1build1 [132 kB]
Fetched 580 kB in 3s (229 kB/s)
Selecting previously unselected package libqb0:amd64.
(Reading database ... 419085 files and directories currently installed.)
Preparing to unpack .../libqb0_1.0.5-1_amd64.deb ...
Unpacking libqb0:amd64 (1.0.5-1) ...
Selecting previously unselected package libumockdev0:amd64.
Preparing to unpack .../libumockdev0_0.14.1-1ubuntu0.1_amd64.deb ...
Unpacking libumockdev0:amd64 (0.14.1-1ubuntu0.1) ...
Selecting previously unselected package libusbguard0.
Preparing to unpack .../libusbguard0_0.7.6+ds-1build1_amd64.deb ...
Unpacking libusbguard0 (0.7.6+ds-1build1) ...
Selecting previously unselected package usbguard.
Preparing to unpack .../usbguard_0.7.6+ds-1build1_amd64.deb ...
Unpacking usbguard (0.7.6+ds-1build1) ...
Setting up libqb0:amd64 (1.0.5-1) ...
Setting up libumockdev0:amd64 (0.14.1-1ubuntu0.1) ...
Setting up libusbguard0 (0.7.6+ds-1build1) ...
Setting up usbguard (0.7.6+ds-1build1) ...
Created symlink /etc/systemd/system/dbus-org.usbguard.service → /lib/systemd/system/usbguard-dbus.service.
Created symlink /etc/systemd/system/multi-user.target.wants/usbguard-dbus.service → /lib/systemd/system/usbguard-dbus.service.
Created symlink /etc/systemd/system/basic.target.wants/usbguard.service → /lib/systemd/system/usbguard.service.
Processing triggers for systemd (245.4-4ubuntu3.13) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for dbus (1.12.16-2ubuntu2.1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.3) ...

Fedora or RHEL and friends

For Fedora, RHEL and clones, use the dnf command:
$ sudo dnf install usbguard usbutils udisks2


SUSE/OpenSUSE Linux

SUSE Enterprise Linux or OpenSUSE Linux users can try the zypper command as follows:
$ sudo zypper in usbguard usbutils udisks2 usbguard-tools

Loading repository data...
Reading installed packages...
Resolving package dependencies...
 
The following 5 NEW packages are going to be installed:
  udisks2 udisks2-lang usbguard usbguard-tools usbutils
 
The following recommended package was automatically selected:
  udisks2-lang
 
5 new packages to install.
Overall download size: 725.3 KiB. Already cached: 0 B. After the operation,
additional 3.0 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package udisks2-2.8.1-1.39.x86_64
                                         (1/5), 261.9 KiB (929.5 KiB unpacked)
Retrieving: udisks2-2.8.1-1.39.x86_64.rpm ..............................[done]
Retrieving package usbguard-0.7.8-bp153.1.19.x86_64
                                         (2/5), 122.1 KiB (314.0 KiB unpacked)
Retrieving: usbguard-0.7.8-bp153.1.19.x86_64.rpm .......................[done]
Retrieving package udisks2-lang-2.8.1-1.39.noarch
                                         (3/5), 163.3 KiB (  1.2 MiB unpacked)
Retrieving: udisks2-lang-2.8.1-1.39.noarch.rpm .........................[done]
Retrieving package usbguard-tools-0.7.8-bp153.1.19.x86_64
                                         (4/5),  66.1 KiB (179.7 KiB unpacked)
Retrieving: usbguard-tools-0.7.8-bp153.1.19.x86_64.rpm .................[done]
Retrieving package usbutils-014-3.3.1.x86_64
                                         (5/5), 111.9 KiB (362.2 KiB unpacked)
Retrieving: usbutils-014-3.3.1.x86_64.rpm ..............................[done]
 
Checking for file conflicts: ...........................................[done]
(1/5) Installing: udisks2-2.8.1-1.39.x86_64 ............................[done]
(2/5) Installing: usbguard-0.7.8-bp153.1.19.x86_64 .....................[done]
(3/5) Installing: udisks2-lang-2.8.1-1.39.noarch .......................[done]
(4/5) Installing: usbguard-tools-0.7.8-bp153.1.19.x86_64 ...............[done]
(5/5) Installing: usbutils-014-3.3.1.x86_64 ............................[done]

Controlling the usbguard service

Use the systemctl command to enable the usbguard service at boot time or restart it whenever you apply a new policy. The syntax is:
$ sudo systemctl enable usbguard.service --now
$ sudo systemctl start usbguard.service
$ sudo systemctl stop usbguard.service
$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service


Listing current USB devices

Use the lsusb command or usb-devices command for displaying information about USB buses in the system and the devices connected to them. For example:
$ lsusb
$ usb-devices | less


Want a graphical summary of USB devices connected to the system? Try:
$ sudo usbview


Viewing USBGuard rules

Next, cd into the /etc/usbguard directory as the root user. So log in as the root user:
$ sudo -i
### OR ###
$ su -

List files and look for the rules.conf file:
$ ls -l /etc/usbguard/

total 16
drwxr-xr-x. 2 root root 4096 Mar 31 13:32 IPCAccessControl.d
-rw-------. 1 root root    0 Mar 31 13:32 rules.conf
drwxr-xr-x. 2 root root 4096 Mar 31 13:32 rules.d
-rw-------. 1 root root 5366 Mar 31 12:57 usbguard-daemon.conf

Rule types:

There are three types of target rules for each USB device:

  1. allow – Authorize the USB device.
  2. block – Do not authorize the USB device, but the system can still see the device using the lsusb command. However, users cannot use the USB device as it remains blocked until the sysadmin authorizes it. (block the device)
  3. reject – Do not authorize the USB device, and the device is not visible to the system or users. The USB device needs to be re-inserted to become visible again. (reject the device)

Understanding /etc/usbguard/usbguard-daemon.conf

The usbguard service reads its defaults and options from a file named /etc/usbguard/usbguard-daemon.conf:
$ sudo less /etc/usbguard/usbguard-daemon.conf
$ sudo grep -vE '^#|^$' /etc/usbguard/usbguard-daemon.conf

Outputs:

RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=root plugdev
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log

USBGuard daemon configuration file options and their descriptions:

  • RuleFile=path – The USBGuard daemon will use this file to load the policy rule set from it and to write new rules received via the IPC interface.
  • ImplicitPolicyTarget=target – How to treat USB devices that don’t match any rule in the policy. Target should be one of allow, block or reject (logically remove the device node from the system).
  • PresentDevicePolicy=policy – How to treat USB devices that are already connected when the daemon starts. Policy should be one of allow, block, reject, keep (keep whatever state the device is currently in) or apply-policy (evaluate the rule set for every present device).
  • PresentControllerPolicy=policy – How to treat USB controller devices that are already connected when the daemon starts. One of allow, block, reject, keep or apply-policy.
  • InsertedDevicePolicy=policy – How to treat USB devices that are already connected after the daemon starts. One of block, reject, apply-policy.
  • RestoreControllerDeviceState=boolean – The USBGuard daemon modifies some attributes of controller devices like the default authorization state of new child device instances. Using this setting, you can control whether the daemon will try to restore the attribute values to the state before modification on shutdown.
  • DeviceManagerBackend=backend – Which device manager backend implementation to use. Backend should be one of uevent (default) or umockdev.
  • IPCAllowedUsers=username [username ...] – A space delimited list of usernames that the daemon will accept IPC connections from.
  • IPCAllowedGroups=groupname [groupname ...] – A space delimited list of groupnames that the daemon will accept IPC connections from.
  • IPCAccessControlFiles=path – The files at this location will be interpreted by the daemon as IPC access control definition files. See the IPC ACCESS CONTROL section for more details.
  • DeviceRulesWithPort=boolean – Generate device specific rules including the “via-port” attribute.
  • AuditBackend=backend – USBGuard audit events log backend. The backend value should be one of FileAudit or LinuxAudit.
  • AuditFilePath=filepath – USBGuard audit events log file path. Required if AuditBackend is set to FileAudit.

Creating a base default policy

Execute the following command if the rules.conf file is empty or if you wish to set a new policy.

Almost all Linux distros ship with no rules. Hence the file is empty. To generate a rule set (policy) that authorizes the currently connected USB devices, run the following from the root shell opened earlier, because the output redirection is performed by the calling shell rather than by sudo:
$ sudo usbguard generate-policy -X >/etc/usbguard/rules.conf

A note about setting a catch-all policy

The default last rule should be either reject or block. For example, to generate a new base policy with a block or reject rule target, run:
$ sudo usbguard generate-policy -X -t block >/etc/usbguard/rules.conf
OR
$ sudo usbguard generate-policy -X -t reject >/etc/usbguard/rules.conf

The reject or block policy as the base policy is recommended because:

  • It defines a permanent USBGuard policy that allows a specific USB device to interact with the Linux system.
  • In other words, currently connected devices are accepted, but USBGuard will block or reject any additional USB devices.

View it using the more/cat/less command:
$ sudo more /home/student/rules.conf
Sample outputs:

allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:2c:00.0" name "xHCI Host Controller" hash "PwX8KDBTGiYfCyqnWn9KXV2puYMRc5J2oaMUcSSODtY=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0003 serial "0000:2c:00.0" name "xHCI Host Controller" hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" parent-hash "pvCnfx3ZtzZduIZZbt74WeR01YZKEEkrJ0aOxulLMOA=" with-interface 09:00:00 with-connect-type ""
allow id 045e:082c serial "603378194521" name "Microsoft Ergonomic Keyboard" hash "/XFAtSRVsaZuf7PFiE9mvgEyRjrYL8NVMyDOqboFhrc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
allow id 2109:2813 serial "" name "USB2.0 Hub" hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface 09:00:00 with-connect-type "hotplug"
allow id 06cb:00bd serial "46b6e9623725" name "" hash "a9PN3kg0s7LvZgUVOnrGXSBaVPGD2RkCo/lm5dEjTRM=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:00:00 with-connect-type "not used"
allow id 2109:0813 serial "" name "USB3.0 Hub" hash "VXFbt2m/i5krELu+kCSJysCj+m3eetVv3nfC72o9ceg=" parent-hash "B2IRioS6Q505Wfk3rv9C5jLWo4iRtvS1rx0ZHSJGEl0=" via-port "4-2" with-interface 09:00:00 with-connect-type "hotplug"
allow id 8087:0029 serial "" name "" hash "ATK8pCmQtUYaUnwqUVuYssrOMkW8pdCSdZO4OC6zEtg=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-14" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
allow id 1a40:0101 serial "" name "USB 2.0 Hub" hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" parent-hash "TysTMKnN62ygTFPyigZ+0VmUsx067cMepEk76682Bo8=" via-port "1-7.4" with-interface 09:00:00 with-connect-type "unknown"
allow id 2109:0102 serial "0000000000000001" name "USB 2.0 BILLBOARD             " hash "9D+MQzO58xal2wcN4ROFKY33xyDuRLfAqDBlArhZi3M=" parent-hash "xe96rjr8V53Jw+g7q/yi0C1czVxatehiq7r4gn2dH6s=" with-interface 11:00:00 with-connect-type "unknown"

List the rule set (policy) used by the USBGuard daemon

Run:
$ sudo usbguard list-rules
Want to show all devices which are affected by the specific rule? Try:
$ sudo usbguard list-rules -d
$ sudo usbguard list-rules --show-devices

We can also show rules having a specific label:
$ sudo usbguard list-rules -l {label_here}
$ sudo usbguard list-rules --label {label_here}

To list all USB devices recognized by the USBGuard daemon:
$ sudo usbguard list-devices
$ sudo usbguard list-devices -a ## list allowed devices ##
$ sudo usbguard list-devices -b ## list blocked devices ##

Testing USBGuard

I’m going to insert my USB 4G LTE modem, run lsusb, and see whether it is blocked by default:
$ lsusb
Sample outputs indicating that the HUAWEI USB device is attached to a USB port (Device 009: ID 12d1:157c) and visible to the system:

Bus 004 Device 002: ID 2109:0813 VIA Labs, Inc. USB3.0 Hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 06cb:00bd Synaptics, Inc. 
Bus 001 Device 007: ID 2109:0102 VIA Labs, Inc. Microsoft Ergonomic Keyboard
Bus 001 Device 005: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 001 Device 003: ID 2109:2813 VIA Labs, Inc. USB2.0 Hub
Bus 001 Device 009: ID 12d1:157c Huawei Technologies Co., Ltd. HUAWEI_MOBILE
Bus 001 Device 006: ID 8087:0029 Intel Corp. 
Bus 001 Device 002: ID 045e:082c Microsoft Corp. Microsoft Ergonomic Keyboard
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

However, this device is blocked by USBGuard. You will see kernel messages indicating that the HUAWEI USB device is not authorized for usage as follows:
$ sudo dmesg
$ sudo dmesg | grep -i 'authorized'

Sample outputs indicating that by default USBGuard blocked the USB modem:

[87467.670280] usb 1-2: new high-speed USB device number 8 using xhci_hcd
[87467.820572] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02
[87467.820578] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[87467.820581] usb 1-2: Product: HUAWEI_MOBILE
[87467.820584] usb 1-2: Manufacturer: HUAWEI_MOBILE
[87467.820587] usb 1-2: SerialNumber: 0123456789ABCDEF
[87467.820928] usb 1-2: Device is not authorized for usage
[87477.196260] usb 1-2: USB disconnect, device number 8
[87477.682044] usb 1-2: new high-speed USB device number 9 using xhci_hcd
[87477.831578] usb 1-2: New USB device found, idVendor=12d1, idProduct=157c, bcdDevice= 1.02
[87477.831583] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[87477.831587] usb 1-2: Product: HUAWEI_MOBILE
[87477.831590] usb 1-2: Manufacturer: HUAWEI_MOBILE
[87477.831593] usb 1-2: SerialNumber: 0123456789ABCDEF
[87477.831931] usb 1-2: Device is not authorized for usage

We can use the following command to view blocked USB devices:
$ sudo usbguard list-devices -b
Outputs:

24: block id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"

Where the target policy of block is as follows:

  1. 24 – Device number
  2. block id 12d1:157c – USB device ID
  3. serial "0123456789ABCDEF" – USB device serial number
  4. name "HUAWEI_MOBILE" – USB device name

The USB device number is generated dynamically and will be different on your Linux system.
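
The rule and device lines above share one attribute syntax, so a policy can be reviewed against the blocked list mechanically. The script below is an added example, not part of the original tutorial or the USBGuard project: it flags allow rules that have neither a serial nor a hash, and blocked devices that report the same vendor:product ID as an allowed rule. The function name usbguard_review, the UNPINNED and SAME-ID labels, and both blocked device lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): review a USBGuard policy.
# usbguard_review RULES BLOCKED
#   RULES   - file in rules.conf syntax
#   BLOCKED - saved output of "usbguard list-devices -b"
# Prints one finding per line:
#   UNPINNED <id> <name>          allow rule with empty serial and no hash
#   SAME-ID <num> <id> <verdict>  blocked device sharing an id with an allow rule
usbguard_review() {
    awk '
    # Value of the double-quoted attribute "key", or "" if absent or empty.
    function attr(line, key,    s) {
        s = " " line
        if (!match(s, " " key " \"[^\"]*\"")) return ""
        s = substr(s, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s)
        sub(/"$/, "", s)
        return s
    }
    # The vendor:product value that follows the "id" keyword.
    function devid(line,    s) {
        s = " " line
        if (!match(s, / id [^ ]+/)) return "(any)"
        return substr(s, RSTART + 4, RLENGTH - 4)
    }
    # First file: collect allow rules and report the unpinned ones.
    FILENAME == ARGV[1] {
        if ($1 != "allow") next
        id = devid($0); serial = attr($0, "serial")
        ids[id] = 1
        serials[id, serial] = 1
        if (serial == "" && attr($0, "hash") == "")
            print "UNPINNED " id " " attr($0, "name")
        next
    }
    # Second file: blocked devices whose id also appears in an allow rule.
    $2 == "block" {
        id = devid($0); serial = attr($0, "serial")
        if (!(id in ids)) next
        num = $1; sub(/:$/, "", num)
        verdict = ((id, serial) in serials) ? "serial-matches" : "serial-differs"
        print "SAME-ID " num " " id " " verdict
    }
    ' "$1" "$2"
}

# Constructed sample data: the allow rules reuse device lines shown on this
# page with the hash attributes left out; both blocked devices are invented.
demo() {
    dir=$(mktemp -d)
    cat >"$dir/rules.conf" <<'EOF'
allow id 045e:082c serial "603378194521" name "Microsoft Ergonomic Keyboard" with-interface { 03:01:01 03:00:00 }
allow id 2109:2813 serial "" name "USB2.0 Hub" via-port "1-7" with-interface 09:00:00
allow id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" via-port "1-2"
EOF
    cat >"$dir/blocked.txt" <<'EOF'
31: block id 045e:082c serial "CONSTRUCTED0001" name "Microsoft Ergonomic Keyboard" via-port "1-3" with-interface { 03:01:01 03:00:00 }
32: block id 1234:5678 serial "CONSTRUCTED0002" name "Constructed Flash Drive" via-port "1-4" with-interface 08:06:50
EOF
    usbguard_review "$dir/rules.conf" "$dir/blocked.txt"
    rm -rf "$dir"
}
demo
```

A SAME-ID line with serial-differs means a blocked device reports the same vendor:product ID as an authorized one but a different serial, which is worth checking before anyone authorizes it. An UNPINNED rule is not tied to one physical unit, since the remaining attributes it matches on are mostly values the device reports about itself.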

Allowing access to USB devices temporarily

By default, we know that USBGuard blocks the attached USB device, and it will remain blocked forever. It means USB-based attacks are blocked. But what if I want to give access to a legitimate USB device? Try the following command, which changes the block policy to allow for device # 24 with device ID 12d1:157c:
$ sudo usbguard allow-device {device_ID}
$ sudo usbguard allow-device 24

I can also use a rule as follows:
$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"'
$ sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"'

Permanent rule

We can make the decision permanent. A device specific allow rule will be appended to the current policy:
$ sudo usbguard allow-device {device_ID} -p
$ sudo usbguard allow-device 24 -p

Rule instead of ID:
$ sudo usbguard allow-device '12d1:157c serial "0123456789ABCDEF"' -p
$ sudo usbguard allow-device '12d1:1506 serial "0123456789ABCDEF"' -p

Here are my rules added to the rules.conf using a text editor:
$ sudoedit /etc/usbguard/rules.conf
Append the following:

allow id 12d1:157c serial "0123456789ABCDEF" name "HUAWEI_MOBILE" hash "8tSOgfYNylANtACo0ysV5qRAx5Ht+geWMd+QOVNcK70=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { 08:06:50 02:0e:00 0a:00:02 0a:00:02 08:06:50 } with-connect-type "hotplug"
allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"

Save and close the file. Restart the service:
$ sudo systemctl restart usbguard.service

Verification

USBGuard will give USB device access immediately once the rule is added. Now I can connect to the Internet using the USB LTE modem or view the USB disk:
$ udisksctl status

MODEL                     REVISION  SERIAL               DEVICE
--------------------------------------------------------------------------
SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7  xyzfooooooooo1       nvme0n1 
SAMSUNG MZVLB1T0HBLR-000L7 5M2QEXF7  xyzfooooooooo2       nvme1n1 
HUAWEI TF CARD Storage    2.31      HUAWEI_TF_CARD_Storage-0:0 sda     
HUAWEI Mass Storage       2.31      HUAWEI_Mass_Storage-0:0 sr0   

No more errors either:
$ sudo dmesg
And yes, my nmcli or network manager connected to the Internet using the USB LTE modem too. Here is the output from the ip command and nmcli command:
$ nmcli device status
$ nmcli device show ttyUSB0
$ ip a s | more
$ ip a s wwx001e101f0000


Removing USB device

To remove a rule identified by the rule id from the rule set, run:
$ sudo usbguard list-devices -a # list allowed devices #
Note down the ID # 27. For example:

27: allow id 12d1:1506 serial "" name "HUAWEI_MOBILE" hash "1lr2516yYIsSGGyDZrcgBBNJPlzzthtHbpH1SN5E/VA=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-2" with-interface { ff:02:12 ff:02:01 ff:02:16 ff:02:16 08:06:50 08:06:50 } with-connect-type "hotplug"

Then:
$ sudo usbguard block-device {ID_HERE} -p
$ sudo usbguard block-device 27 -p

The above will deauthorize the device with ID # 27. But we can use the rule too:
$ sudo usbguard block-device {RULE} -p
$ sudo usbguard block-device '12d1:157c serial "0123456789ABCDEF"' -p
$ sudo usbguard block-device '12d1:1506 serial "0123456789ABCDEF"' -p

Of course, you can edit the config file:
$ sudoedit /etc/usbguard/rules.conf
Then remove the entry for the USB device and restart the service:
$ sudo systemctl restart usbguard.service
$ sudo systemctl status usbguard.service

Troubleshooting tips

If you are a new Linux developer or sysadmin, you may find configuration a little tricky. Try the following commands to view and solve issues:

Can the system view my USB device?

$ lsusb
$ sudo usbguard watch

Is the USB device blocked or allowed?

$ sudo usbguard list-rules
$ sudo usbguard list-devices -b # blocked #
$ sudo usbguard list-devices -a # allowed #

Check system logs

$ sudo dmesg
$ sudo dmesg | more
$ sudo journalctl -b -e
$ sudo journalctl -b -e -u usbguard.service
$ sudo cat /var/log/usbguard/usbguard-audit.log
$ sudo tail -f /var/log/usbguard/usbguard-audit.log

Other tools related to USB

$ nmcli
$ nmcli device status # usb network #
$ ip a s # networking #
$ lsblk # usb block device #
$ udisksctl status

Getting help

Run:
$ usbguard -h
$ usbguard {sub-command} -h
$ usbguard list-devices -h

Here is what I see:

 Usage: usbguard [OPTIONS] <command> [COMMAND OPTIONS] ...
 
 Options:
 
 Commands:
  get-parameter <name>           Get the value of a runtime parameter.
  set-parameter <name> <value>   Set the value of a runtime parameter.
  list-devices                   List all USB devices recognized by the USBGuard daemon.
  allow-device <id>              Authorize a device to interact with the system.
  block-device <id>              Deauthorize a device.
  reject-device <id>             Deauthorize and remove a device from the system.
 
  list-rules                     List the rule set (policy) used by the USBGuard daemon.
  append-rule <rule>             Append a rule to the rule set.
  remove-rule <id>               Remove a rule from the rule set.
 
  generate-policy                Generate a rule set (policy) based on the connected USB devices.
  watch                          Watch for IPC interface events and print them to stdout.
  read-descriptor                Read a USB descriptor from a file and print it in human-readable form.
 
  add-user <name>                Add USBGuard IPC user/group (requires root privilges)
  remove-user <name>             Remove USBGuard IPC user/group (requires root privileges)

Summing up

This guide explained how to use USBGuard, which protects your Linux desktop or server against rogue USB devices by implementing allow listing and blocklisting rules based upon attributes such as USB device ID and serial number. The usbguard service runs in the background and, depending upon the rules, allows or blocks access to a USB device. The usbguard command is used to manage the USB device authorization rules and to debug problems too.

References

Please see the following man pages using the man command:
$ man lsusb
$ man usbview
$ man usb-devices
$ man usbguard
$ man usbguard-daemon
