usbguard
Feature Request: Built-in Shutdown Option for Unauthorized USB Devices
It would be beneficial to have a built-in option to automatically shut down the system when an unauthorized USB device is detected. This feature would:
- Make LUKS encryption more secure, since the data remains decrypted in memory for as long as the system is powered on and has been unlocked at least once, even if the screen is locked.
- Protect against USB wigglers, which can keep your device unlocked without your knowledge.
- In extreme cases, if your device is stolen while unlocked, shutting down the system when a USB device is attached will safeguard your data.
While this can be achieved through scripts, having it as a native feature would improve ease of use and performance. For someone not deeply familiar with Linux systems, there must be many ways to optimize and improve this workaround.
Guide for my current workaround
```bash
#!/bin/bash
# Handler executed by `usbguard watch --exec` for every IPC signal.
# usbguard passes the signal name and its arguments as USBGUARD_* environment variables.
LOG_FILE="/var/log/usbguard_events.log"

# Ensure the script has permission to write to the log file
touch "$LOG_FILE"
chmod 644 "$LOG_FILE"

shutdown_flag=false

# Log the PolicyApplied USB-related event details
if [ "$USBGUARD_IPC_SIGNAL" == "Device.PolicyApplied" ]; then
    {
        echo "--- New Device Policy Applied: $(date '+%Y-%m-%d %H:%M:%S') ---"
        echo "Device ID: $USBGUARD_DEVICE_ID"
        echo "Device Rule: $USBGUARD_DEVICE_RULE"
        echo "Device Target: $USBGUARD_DEVICE_TARGET_NEW"
        # A "block" target means the device was not authorized by the policy
        if [ "$USBGUARD_DEVICE_TARGET_NEW" == "block" ]; then
            shutdown_flag=true
        fi
        echo "----------------------------------------"
    } >> "$LOG_FILE"

    if $shutdown_flag; then
        echo "Initiating shutdown due to blocked USB device..."
        # The systemd unit below runs this script as root, so sudo is redundant there
        sudo shutdown -h now
    fi
fi
```
- Save it to a file, for example `/usr/local/bin/usbguard_logger.sh`
- Make it executable: `sudo chmod +x /usr/local/bin/usbguard_logger.sh`
Create the service unit - /etc/systemd/system/usbguard-logger.service
- Create a systemd service file: `sudo nano /etc/systemd/system/usbguard-logger.service`
- Add the following unit definition:
```ini
[Unit]
Description=USBGuard Logger Service
After=usbguard.service
Wants=usbguard.service

[Service]
ExecStart=/usr/local/bin/usbguard watch --exec /usr/local/bin/usbguard_logger.sh
Restart=always
User=root

[Install]
WantedBy=multi-user.target
```
- Save and exit the editor (in nano, press Ctrl+X, then Y, then Enter).
- Reload the systemd manager configuration: `sudo systemctl daemon-reload`
- Enable the service to start on boot: `sudo systemctl enable usbguard-logger.service`
- Start the service: `sudo systemctl start usbguard-logger.service`
- Check the status of the service: `sudo systemctl status usbguard-logger.service`
Summary
- watch script - `/usr/local/bin/usbguard_logger.sh`
- service unit - `/etc/systemd/system/usbguard-logger.service`
- event logs - `/var/log/usbguard_events.log`
- service logs - `sudo journalctl -u usbguard-logger.service -f`
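As an added example (not the issue author's script and not part of usbguard itself), here is a variant of the handler above that keeps the shutdown decision in a small function so it can be exercised without plugging in a device. It treats both `block` and `reject` targets as unauthorized, keeps the log file root-only (device ids and rules reveal what is plugged in), also writes to the journal, and supports a dry-run mode for testing. The `USBGUARD_*` variable names are the ones `usbguard watch --exec` exports; `USBGUARD_HANDLER_LOG` and `USBGUARD_HANDLER_DRY_RUN` are variables invented for this example.

```bash
#!/bin/bash
# Added example handler for `usbguard watch --exec`; not usbguard's own code.
# Assumes the USBGUARD_* variables set by `usbguard watch`; USBGUARD_HANDLER_LOG
# and USBGUARD_HANDLER_DRY_RUN are this example's own knobs.
set -u

LOG_FILE="${USBGUARD_HANDLER_LOG:-/var/log/usbguard_events.log}"

# should_shutdown SIGNAL TARGET -> exit status 0 (shut down) or 1 (ignore).
# Only a policy decision of "block" or "reject" counts as an unauthorized device.
should_shutdown() {
    local signal="$1" target="$2"
    [ "$signal" = "Device.PolicyApplied" ] || return 1
    case "$target" in
        block|reject) return 0 ;;
        *) return 1 ;;
    esac
}

# format_event SIGNAL ID RULE TARGET -> one single-line log record.
format_event() {
    printf 'signal=%s id=%s target=%s rule=%s\n' "$1" "$2" "$4" "$3"
}

# log_event LINE: append to the root-only log file and to the journal.
log_event() {
    local line="$1"
    if [ ! -e "$LOG_FILE" ]; then
        # Create the file with mode 0600 instead of the world-readable 0644.
        ( umask 077; : > "$LOG_FILE" ) 2>/dev/null || true
    fi
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$line" >> "$LOG_FILE" 2>/dev/null || true
    # Visible with `journalctl -t usbguard-handler`.
    logger -t usbguard-handler -- "$line" 2>/dev/null || true
}

main() {
    local signal="${USBGUARD_IPC_SIGNAL:-}"
    local id="${USBGUARD_DEVICE_ID:-}"
    local rule="${USBGUARD_DEVICE_RULE:-}"
    local target="${USBGUARD_DEVICE_TARGET_NEW:-}"
    local line
    line="$(format_event "$signal" "$id" "$rule" "$target")"
    log_event "$line"
    if should_shutdown "$signal" "$target"; then
        if [ "${USBGUARD_HANDLER_DRY_RUN:-0}" = "1" ]; then
            log_event "dry-run: would shut down now"
        else
            log_event "unauthorized device, shutting down"
            # The systemd unit runs this as root, so no sudo is needed.
            shutdown -h now
        fi
    fi
}

# `usbguard watch` always sets USBGUARD_IPC_SIGNAL; when the file is sourced
# or run by hand without it, only the functions are defined.
if [ -n "${USBGUARD_IPC_SIGNAL:-}" ]; then
    main
fi
```

To rehearse the behaviour before wiring it into the service, run it with `USBGUARD_HANDLER_DRY_RUN=1` and a hand-set `USBGUARD_IPC_SIGNAL=Device.PolicyApplied USBGUARD_DEVICE_TARGET_NEW=block`: the event is logged and the shutdown line is recorded instead of executed.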