
USB Guard | Depend on it and configure rules

Open monsieuremre opened this issue 1 year ago • 9 comments

We should depend on usbguard as a package. When installed on debian, usb guard settings are configured in a way that all devices are rejected, only those that were already plugged in before the daemon starts are allowed.

Normally this is not optimal. We should by default reject everything and only whitelist the devices that we know and trust. But this requires configuration at the user end. So for now, we better leave the debian config as is.

We also add new rules with our config file. These rules do not configure the daemon. They define how the daemon behaves when it is 'applying policy'. The policy is by default blocking everything. We slacken this by allowing devices with a mass storage interface, so the users can plug in their external hard drives and USB sticks. Then we blacklist especially suspicious storage devices, for example those that try to also behave like a keyboard at the same time.

Normally this is also not optimal, but it is a big improvement. We don't allow anything else. That means everything else is implicitly blocked. If the user plugs in a keyboard or mouse or anything else, it will be blocked. If these devices are plugged in when the machine starts up, they are allowed. This should not be too inconvenient for the user, because most peripherals are almost always already plugged in when the machine starts up. If not, they can be manually allowed or the system can be rebooted for the device to be allowed after having booted.

monsieuremre avatar Nov 17 '23 17:11 monsieuremre

https://forums.whonix.org/t/usbguard-on-kicksecure-to-prevent-hardware-keyloggers-badusb/11988

adrelanos avatar Nov 18 '23 03:11 adrelanos

  • https://github.com/Kicksecure/security-misc/issues/169

adrelanos avatar Nov 19 '23 05:11 adrelanos

If we don't depend on the package, there is very little sense in having configuration files installed for it. So which is it going to be, are you planning to drop all the various dependencies?

monsieuremre avatar Dec 03 '23 19:12 monsieuremre

"Depends: usbguard" will be added in source code repository kicksecure-meta-packages. Maybe to kicksecure-cli-host-packages-recommended.

The config files are good to have here.

related:

  • https://github.com/Kicksecure/security-misc#project-scope-of-application-specific-hardening
  • https://github.com/Kicksecure/security-misc/issues/169
  • https://github.com/Kicksecure/security-misc/issues/154

adrelanos avatar Dec 04 '23 16:12 adrelanos

So @adrelanos, what are we waiting for regarding this?

monsieuremre avatar Feb 26 '24 20:02 monsieuremre

  1. please remove the Depends:
  2. please add a link to the source: https://usbguard.github.io/documentation/rule-language
  3. the following comment seems wrong.

```
## Allow all USB devices with mass storage interface
allow with-interface equals { 08:*:* }
```

This actually does something else as per documentation.

This policy will block any device that isn’t just a mass storage device. Devices with a hidden keyboard interface in a USB flash disk will be blocked. Only devices with a single mass storage interface will be allowed to interact with the operating system.

Best to copy this verbatim?

  4. Where did you find the following one?

```
reject with-interface all-of { 08:*:* 0a:*:* }
```

adrelanos avatar Mar 06 '24 08:03 adrelanos

Where did you find the following one?

The rules aren't necessarily taken from a source. Some of them I wrote myself. It means: reject a device that presents itself as a mass storage device and a CDC data device at the same time.

Class codes for different interfaces can be looked up easily here.

monsieuremre avatar Mar 16 '24 09:03 monsieuremre
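The disagreement above is about what `equals`, `all-of` and `one-of` decide for a device that exposes more than one interface. The following evaluator is an added example for this thread; it is not usbguard's code and not part of any comment above. It implements only the `with-interface <operator> { ... }` rule forms that appear here (no `id`, `hash`, `via-port` or single-value `with-interface` syntax), applies usbguard's documented first-match-wins ordering with `block` as the implicit target, and runs it over constructed device interface lists (class:subclass:protocol triples), including a flash drive that also carries a hidden HID keyboard interface.

```python
# Added example, not usbguard's own code: a minimal evaluator for the subset of the
# usbguard rule language discussed in this thread (with-interface plus a set operator).
# Device interface descriptors below are constructed for illustration.
import re

RULE_RE = re.compile(
    r"^(?P<target>allow|block|reject)\s+with-interface\s+"
    r"(?P<op>equals|all-of|one-of|none-of)\s*\{(?P<set>[^}]*)\}\s*$"
)


def parse_policy(text):
    """Parse 'target with-interface <op> { cc:ss:pp ... }' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append((m["target"], m["op"], tuple(m["set"].split())))
    return rules


def iface_matches(pattern, iface):
    """Field-wise cc:ss:pp comparison; '*' in the pattern is a wildcard for that field."""
    return all(p in ("*", f) for p, f in zip(pattern.split(":"), iface.split(":")))


def rule_matches(op, patterns, interfaces):
    # Which rule patterns are present on the device, and which device interfaces
    # are accounted for by some pattern. 'equals' needs both lists to be all-True.
    pattern_hit = [any(iface_matches(p, i) for i in interfaces) for p in patterns]
    iface_covered = [any(iface_matches(p, i) for p in patterns) for i in interfaces]
    if op == "all-of":
        return all(pattern_hit)
    if op == "one-of":
        return any(pattern_hit)
    if op == "none-of":
        return not any(pattern_hit)
    if op == "equals":  # every pattern present AND the device exposes nothing else
        return all(pattern_hit) and all(iface_covered)
    raise ValueError(op)


def evaluate(rules, interfaces, implicit_target="block"):
    """First matching rule wins; otherwise the implicit policy target (usbguard default: block)."""
    for target, op, patterns in rules:
        if rule_matches(op, patterns, interfaces):
            return target
    return implicit_target


# The two rules quoted in this thread, in the order they were posted.
THREAD_POLICY = parse_policy("""
## Allow all USB devices with mass storage interface
allow with-interface equals { 08:*:* }
reject with-interface all-of { 08:*:* 0a:*:* }
""")

# Same rules, but with one-of, which is what that comment line literally describes.
LOOSE_POLICY = parse_policy("""
allow with-interface one-of { 08:*:* }
reject with-interface all-of { 08:*:* 0a:*:* }
""")

# Constructed devices (class:subclass:protocol per interface descriptor).
FLASH_DRIVE = ["08:06:50"]                              # SCSI bulk-only mass storage
BADUSB_STICK = ["08:06:50", "03:01:01"]                 # storage plus a hidden HID keyboard
STORAGE_PLUS_CDC = ["08:06:50", "02:02:01", "0a:00:00"]  # storage plus CDC ACM control+data
KEYBOARD = ["03:01:01"]                                 # plain HID keyboard


def decisions(rules):
    """Return the policy's verdict for each constructed device."""
    return {
        "flash_drive": evaluate(rules, FLASH_DRIVE),
        "badusb_stick": evaluate(rules, BADUSB_STICK),
        "storage_plus_cdc": evaluate(rules, STORAGE_PLUS_CDC),
        "keyboard": evaluate(rules, KEYBOARD),
    }


if __name__ == "__main__":
    for name, rules in (("equals", THREAD_POLICY), ("one-of", LOOSE_POLICY)):
        print(name, decisions(rules))
```

Running it shows the point made in the thread: under `equals { 08:*:* }` only the single-interface flash drive is allowed, the storage-plus-keyboard stick falls through to the implicit `block`, and the storage-plus-CDC device reaches the `reject` rule. Under `one-of { 08:*:* }` both composite devices are allowed by the first rule and the `reject` rule is never reached, so rule order matters as much as the operator. Note also that with the `equals` rule first, the `reject` rule can only ever see devices the `allow` rule has already refused; its effect is to turn `block` (device stays deauthorized) into `reject` (device is removed) for that one combination.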