Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
hardware
usbguard
usbguard-daemon.conf
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File usbguard-daemon.conf of Package usbguard
# # Rule set file path. # # The USBGuard daemon will use this file to load the policy # rule set from it and to write new rules received via the # IPC interface. # # RuleFile=/path/to/rules.conf # RuleFile=/etc/usbguard/rules.conf # # Implicit policy target. # # How to treat devices that don't match any rule in the # policy. One of: # # * allow - authorize the device # * block - block the device # * reject - remove the device # ImplicitPolicyTarget=block # # Present device policy. # # How to treat devices that are already connected when the # daemon starts. One of: # # * allow - authorize every present device # * block - deauthorize every present device # * reject - remove every present device # * keep - just sync the internal state and leave it # * apply-policy - evaluate the ruleset for every present # device # PresentDevicePolicy=apply-policy # # Present controller policy. # # How to treat USB controllers that are already connected # when the daemon starts. One of: # # * allow - authorize every present device # * block - deauthorize every present device # * reject - remove every present device # * keep - just sync the internal state and leave it # * apply-policy - evaluate the ruleset for every present # device # PresentControllerPolicy=keep # # Inserted device policy. # # How to treat USB devices that are already connected # *after* the daemon starts. One of: # # * block - deauthorize every present device # * reject - remove every present device # * apply-policy - evaluate the ruleset for every present # device # InsertedDevicePolicy=apply-policy # # Restore controller device state. # # The USBGuard daemon modifies some attributes of controller # devices like the default authorization state of new child device # instances. Using this setting, you can controll whether the # daemon will try to restore the attribute values to the state # before modificaton on shutdown. # # SECURITY CONSIDERATIONS: If set to true, the USB authorization # policy could be bypassed by performing some sort of attack on the # daemon (via a local exploit or via a USB device) to make it shutdown # and restore to the operating-system default state (known to be permissive). # RestoreControllerDeviceState=false # # Device manager backend # # Which device manager backend implementation to use. One of: # # * uevent - Netlink based implementation which uses sysfs to scan for present # devices and an uevent netlink socket for receiving USB device # related events. # * umockdev - umockdev based device manager capable of simulating devices based # on umockdev-record files. Useful for testing. # DeviceManagerBackend=uevent #!!! WARNING: It's good practice to set at least one of the !!! #!!! two options bellow. If none of them are set, !!! #!!! the daemon will accept IPC connections from !!! #!!! anyone, thus allowing anyone to modify the !!! #!!! rule set and (de)authorize USB devices. !!! # # Users allowed to use the IPC interface. # # A space delimited list of usernames that the daemon will # accept IPC connections from. # # IPCAllowedUsers=username1 username2 ... # IPCAllowedUsers=root # # Groups allowed to use the IPC interface. # # A space delimited list of groupnames that the daemon will # accept IPC connections from. # # IPCAllowedGroups=groupname1 groupname2 ... # IPCAllowedGroups= # # IPC access control definition files path. # # The files at this location will be interpreted by the daemon # as access control definition files. The (base)name of a file # should be in the form: # # [user][:<group>] # # and should contain lines in the form: # # <section>=[privilege] ... # # This way each file defines who is able to connect to the IPC # bus and what privileges he has. # IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ # # Generate device specific rules including the "via-port" # attribute. # # This option modifies the behavior of the allowDevice # action. When instructed to generate a permanent rule, # the action can generate a port specific rule. Because # some systems have unstable port numbering, the generated # rule might not match the device after rebooting the system. # # If set to false, the generated rule will still contain # the "parent-hash" attribute which also defines an association # to the parent device. See usbguard-rules.conf(5) for more # details. # DeviceRulesWithPort=false # # USBGuard Audit events log backend # # One of: # # * FileAudit - Log audit events into a file specified by # AuditFilePath setting (see below) # * LinuxAudit - Log audit events using the Linux Audit # subsystem (using audit_log_user_message) # AuditBackend=FileAudit # # USBGuard audit events log file path. # AuditFilePath=/var/log/usbguard/usbguard-audit.log
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor