
Execute command on rule match

Open Sec42 opened this issue 8 years ago • 6 comments

I would like to lock my screen on appearance of new HID devices. To make it more generic, it would probably be good if usbguard supported running a command/shell script on rule/device match.

Sec42 avatar Aug 12 '16 19:08 Sec42

Currently, you could write a piece of code that registers to the dbus events and runs any command. You have to write the code though…

genodeftest avatar Aug 13 '16 16:08 genodeftest

@Sec42 Hi! Implementing this feature at the rule language level is currently not a priority. However, as @genodeftest already said, there's a D-Bus interface and you can watch for the events from your session and execute scripts based on that. Check out https://askubuntu.com/questions/150790/how-do-i-run-a-script-on-a-dbus-signal for a possible implementation via the dbus-monitor utility.

Another idea would be to modify the usbguard CLI to support this via the watch sub-command. This would be easy to implement. Let's see whether I manage to deliver this in 0.6.x.

dkopecek avatar Aug 13 '16 17:08 dkopecek
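
One way to do what the replies above describe, listening for USBGuard's D-Bus signal and locking the screen when a HID device is inserted (an added example, not code from this thread or from the USBGuard project). The interface name, the signal's argument order, the event numbering and the choice of `loginctl lock-sessions` are assumptions to check against your installation.

```python
"""Lock all sessions when USBGuard reports a newly inserted HID device."""
import re
import subprocess

# Assumed USBGuard D-Bus names and event numbering; verify on your install.
DEVICES_IFACE = "org.usbguard.Devices1"
EVENT_INSERT = 1  # assumed: 0=Present, 1=Insert, 2=Update, 3=Remove
LOCK_CMD = ["loginctl", "lock-sessions"]  # fixed argv, no device data in it
# Constructed sample of a device rule string as carried in the signal.
SAMPLE_RULE = ('block id 046d:c31c serial "" name "USB Keyboard" '
               'via-port "1-2" with-interface { 03:01:01 03:00:00 }')

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
_WITH_IFACE = re.compile(r"\bwith-interface\s+(?:\{([^}]*)\}|(\S+))")
_TYPE = re.compile(r"[0-9a-f]{2}:(?:[0-9a-f]{2}|\*):(?:[0-9a-f]{2}|\*)")

def interface_types(device_rule):
    """Return the cc:ss:pp interface types listed in a device rule."""
    # Blank quoted values first: name and serial are device-controlled and
    # could contain a decoy "with-interface { ... }".
    rule = _QUOTED.sub('""', str(device_rule))
    m = _WITH_IFACE.search(rule)
    found = (m.group(1) or m.group(2) or "") if m else ""
    return [t for t in found.lower().split() if _TYPE.fullmatch(t)]

def should_lock(event, device_rule):
    """True for an insert event of a device exposing HID (class 03)."""
    if int(event) != EVENT_INSERT:
        return False
    types = interface_types(device_rule)
    # Fail closed: an insert with no parseable interface list also locks.
    return not types or any(t.startswith("03:") for t in types)

def on_presence_changed(dev_id, event, target, device_rule, attributes):
    if should_lock(event, device_rule):
        subprocess.run(LOCK_CMD, check=False)

def main():
    import dbus  # dbus-python; imported here so the parser works without it
    from dbus.mainloop.glib import DBusGMainLoop
    from gi.repository import GLib
    DBusGMainLoop(set_as_default=True)
    dbus.SystemBus().add_signal_receiver(
        on_presence_changed, signal_name="DevicePresenceChanged",
        dbus_interface=DEVICES_IFACE)
    GLib.MainLoop().run()

if __name__ == "__main__":
    main()
```

`loginctl lock-sessions` typically needs root or a matching polkit rule, so this fits a system service better than a per-user session script.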

Maybe a timeout and then trigger a script.

elKaZe avatar Sep 13 '16 12:09 elKaZe

I think this'd be awesome, too. Upon authorizing a device, maybe running a command that maps certain devices to certain commands or maps certain devices to an autostart process that further processes a config on the device.

For example:

  • cameras or thumbdrives used exclusively for images starting a sync process
  • backup devices automatically starting a backup process
  • webcams automatically starting a record process
  • certain thumbdrives automatically getting loaded with a bunch of recent news articles just by plugging the device in :)

dsoprea avatar Jun 24 '21 05:06 dsoprea

This article https://usbguard.github.io/blog/2015/USBGuard-vs-UDev says: "However, when there’s still something that should be performed using an external script, the rule language allows to specify an external script to be run." But I did not find any way of doing that in the rule language description. So how is this actually done? I want a rule that if a device is rejected and does not fit any of the allow rules, runs a script like this: reject if rule-applied /usr/bin/.../script.sh

Edit: I noticed the note at the end saying that scripts are not implemented yet. NOTE: Logging actions or executing of scripts is currently not implemented. However, it’s a feature planned to be completed in the first stable release, usbguard-1.0. Notification to desktop users can be displayed by the usbguard-applet-qt. Are you planning on implementing that?

Athwale avatar Jun 15 '22 17:06 Athwale

Any update on this?

Athwale avatar Feb 10 '24 15:02 Athwale