Feature Request: Built-in Shutdown Option for Unauthorized USB Devices #633

nickt28 opened this issue Jul 7, 2024 · 0 comments

nickt28 commented Jul 7, 2024

It would be beneficial to have a built-in option to automatically shut down the system when an unauthorized USB device is detected. This feature would:

  • Make LUKS encryption more secure, as the data remains decrypted in memory as long as the system is on and has been unlocked at least once, even if the screen is locked.
  • Protect against USB wigglers, which can keep your device unlocked without your realization.
  • In extreme cases, if your device is stolen while unlocked, shutting down the system when a USB device is attached will safeguard your data.

While this can be achieved through scripts, having it as a native feature would improve ease of use and performance. For someone not deeply familiar with Linux systems, there must be many optimizations to improve this workaround.

Guide for my current workaround

```bash
#!/bin/bash

LOG_FILE="/var/log/usbguard_events.log"

# Ensure the script has permission to write to the log file
touch "$LOG_FILE"
chmod 644 "$LOG_FILE"

shutdown_flag=false

# Log the PolicyApplied USB-related event details
if [ "$USBGUARD_IPC_SIGNAL" == "Device.PolicyApplied" ]; then
    {
        echo "--- New Device Policy Applied: $(date '+%Y-%m-%d %H:%M:%S') ---"
        echo "Device ID: $USBGUARD_DEVICE_ID"
        echo "Device Rule: $USBGUARD_DEVICE_RULE"
        echo "Device Target: $USBGUARD_DEVICE_TARGET_NEW"

        if [ "$USBGUARD_DEVICE_TARGET_NEW" == "block" ]; then
            shutdown_flag=true
        fi

        echo "----------------------------------------"
    } >> "$LOG_FILE"

    if $shutdown_flag; then
        echo "Initiating shutdown due to blocked USB device..."
        sudo shutdown -h now
    fi
fi
```
  1. Save it to a file, for example /usr/local/bin/usbguard_logger.sh
  2. Make it executable: sudo chmod +x /usr/local/bin/usbguard_logger.sh

Create service pipe - /etc/systemd/system/usbguard-logger.service

  1. Create a systemd service file:
    sudo nano /etc/systemd/system/usbguard-logger.service
  2. Add code
```ini
[Unit]
Description=USBGuard Logger Service
After=usbguard.service
Wants=usbguard.service

[Service]
ExecStart=/usr/local/bin/usbguard watch --exec /usr/local/bin/usbguard_logger.sh
Restart=always
User=root

[Install]
WantedBy=multi-user.target
```
  1. Save and exit the editor (in nano, press Ctrl+X, then Y, then Enter).
  2. Reload the systemd manager configuration: sudo systemctl daemon-reload
  3. Enable the service to start on boot: sudo systemctl enable usbguard-logger.service
  4. Start the service: sudo systemctl start usbguard-logger.service
  5. Check the status of the service: sudo systemctl status usbguard-logger.service

Summary

  • watch script - /usr/local/bin/usbguard_logger.sh
  • service pipe - /etc/systemd/system/usbguard-logger.service
  • event logs - /var/log/usbguard_events.log
  • service logs - sudo journalctl -u usbguard-logger.service -f
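
Added example (not part of the original issue or of the USBGuard project): after an unexpected power-off, this lists which device records in /var/log/usbguard_events.log had the target "block", using the record layout the workaround script writes. The sample log, its device names and the function names `sample_log` and `blocked_events` are constructed for illustration.

```bash
#!/bin/bash
# Added example: list the "block" records in the log written by usbguard_logger.sh.

# Constructed sample log (not real events); the last record is cut off on purpose.
sample_log() {
cat <<'EOF'
--- New Device Policy Applied: 2024-07-07 10:14:40 ---
Device ID: 8
Device Rule: allow id 0000:0001 name "constructed-keyboard"
Device Target: allow
----------------------------------------
--- New Device Policy Applied: 2024-07-07 10:15:02 ---
Device ID: 9
Device Rule: block id 0000:0000 name "constructed-device-a"
Device Target: block
----------------------------------------
--- New Device Policy Applied: 2024-07-07 11:30:17 ---
Device ID: 10
Device Rule: block id 0000:0002 name "constructed-device-b"
Device Target: block
EOF
}

# Print "timestamp<TAB>device id<TAB>rule" for every record whose target is "block".
# Reads the files given as arguments, or stdin when none are given.
blocked_events() {
    awk '
        function emit() {
            if (ts != "" && target == "block")
                printf "%s\t%s\t%s\n", ts, id, rule
            ts = ""; id = ""; rule = ""; target = ""
        }
        /^--- New Device Policy Applied: / {
            emit()                       # previous record had no closing separator
            ts = $0
            sub(/^--- New Device Policy Applied: /, "", ts)
            sub(/ ---$/, "", ts)
            next
        }
        /^Device ID: /     { id = substr($0, 12); next }
        /^Device Rule: /   { rule = substr($0, 14); next }
        /^Device Target: / { target = substr($0, 16); next }
        /^-+$/             { emit() }
        END                { emit() }    # last record may lack its separator
    ' "$@"
}

sample_log | blocked_events
```

On a real system, run it as `blocked_events /var/log/usbguard_events.log`.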