Kernel-Level USB Security with USBGuard.

USBGuard enforces USB device policies at the kernel level, blocking unknown devices by default. Experts can craft granular rules by vendor, serial, or device class, combine with audit/logging, and automate trusted device authorizations for secure, persistent access.

USB devices are everywhere: keyboards, mice, USB drives, cameras, and more.
But they also represent a security risk. Malicious devices can exploit vulnerabilities, steal data, or install malware.

This is where USBGuard comes in. USBGuard is a Linux-based framework that enforces USB device authorization policies by blocking devices at the kernel level—the core of the OS—making it highly effective because unauthorized devices are stopped before they can interact with the system. It’s ideal for servers, workstations, and laptops where security is critical.


What is USBGuard?

USBGuard consists of:

  1. A policy engine – decides whether a USB device is allowed or blocked.
  2. A daemon (usbguard) – continuously monitors USB devices.
  3. Command-line tools – to list, allow, block, or modify device permissions.

Key idea: Instead of relying on device names or vendor IDs alone, USBGuard identifies devices using device attributes (like vendor ID, product ID, serial number, and device class) and cryptographic identifiers (hashes of these attributes to uniquely recognize a device and prevent spoofing).


Pros and Cons

Pros

  • Blocks unauthorized USB devices by default (protects against malware).
  • Fine-grained control: allow/deny by vendor ID, serial number, device type.
  • Persistent rules: devices can be remembered across reboots.
  • Logs all USB events for auditing.
  • Lightweight, runs in the background.

Cons

  • Can be tricky to configure initially.
  • Mistakes in rules can lock you out of your own devices.
  • Some devices (like USB hubs or multi-function devices) might need extra configuration.
  • May interfere with plug-and-play devices if not properly set.

Default Behavior

By default:

  • Most distributions configure USBGuard to block all devices until explicitly allowed.
  • A rule file exists at /etc/usbguard/rules.conf.
  • The daemon (usbguard-daemon) runs at boot, monitoring all USB devices.

This means if you plug in a USB drive, it will not mount or work until authorized.


Installation (Ubuntu / Debian)

$ sudo apt update

$ sudo apt install usbguard

Enable and start the daemon:

$ sudo systemctl enable usbguard

$ sudo systemctl start usbguard

Check status:

$ sudo systemctl status usbguard

Listing Devices

To see connected USB devices:

$ sudo usbguard list-devices

Output example:

24: allow id 152d:2329 serial "080103D0410D" name "USB to ATA/ATAPI Bridge" hash "j4FXRKtCJEXeYzTznTLtRhgHqcYnh49sMl2Y97s7kqE=" parent-hash "hhOE+mSxdhKLzlHZmBJe2GAe+R4umNk6kQMfuQYgCks=" via-port "4-2" with-interface 08:06:50 with-connect-type "unknown"
25: allow id 0781:5583 serial "05012c4544a609137eac895dac47d485efddc00271e9de4066ee8601e92ce9a1bbad000000000000000000008e1cebfdff9a0d10835581072cae0d47" name " SanDisk 3.2Gen1" hash "cxFC8Osvh2Ga7nR9BczfVR3OFBtv08/IXHO3A3NNK8U=" parent-hash "S3BR58SLkicpDcYivqGkqCA+Y4FHJ4f6SzulAR0CAL0=" via-port "5-1" with-interface 08:06:50 with-connect-type "unknown"
26: block id 058f:6387 serial "F50D08CD" name "Mass Storage" hash "JD6O9dTKzs0Dp4E7rhISANu9Hq+qWmYvAOdQQXHmoFE=" parent-hash "7HWpCw4+KHwkiXqHpS85CRHIigu1iqpER1t5GWjAiI0=" via-port "2-1" with-interface 08:06:50 with-connect-type "unknown"
...

Here, the block/allow status is displayed alongside vendor:product ID.

  • The long ID is a hash representing the specific device.
  • If someone plugs in a fake device with the same model but a different serial number, it won't match the rule.

Allowing a Device

You can allow a device temporarily:

$ sudo usbguard allow-device 4C530001070320117223
or
$ sudo usbguard allow-device 31

Or permanently (adds it to rules):

$ sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf

$ sudo systemctl restart usbguard
  • sudo tee writes to the file with root privileges.
  • This scans all currently connected devices and generates a policy file allowing only those devices.
  • New devices will remain blocked until explicitly added.

Making a USB Drive Persistent (upon reboot)

For a USB drive (like for portable files or Docker containers):

  1. Plug the USB drive in.
  2. Get its device ID:
$ sudo usbguard list-devices

You'll see output like:

...
30: allow id 1d6b:0002 serial "0000:00:14.0" name "Linux SNUBmonkey hub"
31: block id 0781:5581 serial "4C530001070320117223" name "SanDisk SNUBmonkey"

The line for your drive shows:

  • device ID → 0781:5581
  • serial → "4C530001070320117223"
  • name → "SanDisk SNUBmonkey"

Take note of that serial number and vendor:product ID.

Allow the Device (Temporarily)

Run:

$ sudo usbguard allow-device 31
  • Replace 31 with the correct device number.

This adds a temporary rule to memory (not persistent yet).

Export Current Rules to a File

Save the current runtime policy to disk:

$ sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf

That will overwrite the rules file with the current set of allowed/blocked devices, including your flash drive.

This is the step that makes the rule persist across reboots.

Reload the Policy

$ sudo systemctl reload usbguard

Or restart the service:

$ sudo systemctl restart usbguard

Now your drive will be automatically allowed next time it's inserted or after a reboot.

Optional — Manual Rule Example

If you prefer, you can manually add a rule like:

allow id 0781:5581 serial "4C530001070320117223" name "SanDisk SNUBmonkey" with-interface equals { 08:*:* }

Then save it into /etc/usbguard/rules.conf.
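The two steps above, turning the list-devices line for one chosen device into an allow rule and writing it to rules.conf with a backup, as an added shell example (not code from the original post or the USBGuard project). It assumes the list-devices output format shown earlier; SAMPLE_DEVICES, rule_for_serial and append_rule are names introduced here, and the generated rule pins the device by id, serial and hash rather than allowing everything present the way generate-policy does.

```shell
#!/bin/sh
# Added example, not code from the post or the USBGuard project.
# rule_for_serial: build an allow rule for ONE device from `usbguard
# list-devices` output, pinned by vendor:product id, serial and hash.
# append_rule: add a rule to a rules file after backing it up first.
set -eu

# Constructed sample of list-devices output (values taken from the post).
SAMPLE_DEVICES='24: allow id 152d:2329 serial "080103D0410D" name "USB to ATA/ATAPI Bridge" hash "j4FXRKtCJEXeYzTznTLtRhgHqcYnh49sMl2Y97s7kqE=" parent-hash "hhOE+mSxdhKLzlHZmBJe2GAe+R4umNk6kQMfuQYgCks=" via-port "4-2" with-interface 08:06:50 with-connect-type "unknown"
26: block id 058f:6387 serial "F50D08CD" name "Mass Storage" hash "JD6O9dTKzs0Dp4E7rhISANu9Hq+qWmYvAOdQQXHmoFE=" parent-hash "7HWpCw4+KHwkiXqHpS85CRHIigu1iqpER1t5GWjAiI0=" via-port "2-1" with-interface 08:06:50 with-connect-type "unknown"'

# Usage: <list-devices output> | rule_for_serial SERIAL
# Emits a rule only if exactly one device carries that serial, so a typo
# cannot quietly allow some other device.
rule_for_serial() {
    serial=$1
    lines=$(grep -F "serial \"$serial\"" || true)
    count=$(printf '%s\n' "$lines" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one device with serial $serial, found $count" >&2
        return 1
    fi
    # ' hash "' (with a leading space) does not match 'parent-hash "'.
    id=$(printf '%s\n' "$lines" | sed -n 's/.* id \([0-9a-f]\{4\}:[0-9a-f]\{4\}\) .*/\1/p')
    hash=$(printf '%s\n' "$lines" | sed -n 's/.* hash "\([^"]*\)".*/\1/p')
    ifaces=$(printf '%s\n' "$lines" | sed -n 's/.* with-interface \(.*\) with-connect-type.*/\1/p')
    printf 'allow id %s serial "%s" hash "%s" with-interface %s\n' "$id" "$serial" "$hash" "$ifaces"
}

# Usage: append_rule RULE [RULES_FILE]; the file defaults to the real
# /etc/usbguard/rules.conf. A timestamped copy is kept before writing.
append_rule() {
    rule=$1
    file=${2:-/etc/usbguard/rules.conf}
    if [ -f "$file" ]; then
        cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Demo on the constructed sample. On a real host pipe in
# `sudo usbguard list-devices`, run append_rule as root, then
# `sudo systemctl restart usbguard`.
printf '%s\n' "$SAMPLE_DEVICES" | rule_for_serial F50D08CD
```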

Make Sure Service Is Enabled

Finally:

$ sudo systemctl enable usbguard

$ sudo systemctl start usbguard

Now usbguard will load your persistent rules at every boot.

Verify After Reboot

After reboot, check:

$ sudo usbguard list-devices

Your USB drive should appear as "allowed" automatically.

Remove a USB device

USBGuard does not "remember" deleted devices automatically.
Removing the rule stops it from being allowed.

  1. Check current rules
$ sudo usbguard list-devices

Look for the device you want to remove, e.g. the one with ID 058f:6387.

  2. Remove the rule

USBGuard rules are stored in /etc/usbguard/rules.conf. Open it:

$ sudo nano /etc/usbguard/rules.conf
  • Search for the line containing the ID to be removed.
  • Delete that line completely (or comment it out with #).

  3. Apply changes

After editing:

$ sudo systemctl restart usbguard

  4. Verify
$ sudo usbguard list-devices
  • The device (e.g. 058f:6387) should no longer appear as allowed.
  • If you plug it in again, USBGuard should block it automatically.

Labelling

USBGuard can store a human-readable comment/label for each device in its rules, which helps you recognize devices easily without relying only on cryptographic hashes or serial numbers.

  1. Adding a label via the rules.conf file:
allow id 0781:5581 serial "4C530001070320117223" # BackupUSB_1
  • The part after # is a comment/label.
  • This does not affect authorization; it's purely for human readability.
  • Useful for remembering which device corresponds to which USB, especially if you have multiple persistent devices.
  2. Adding a label while allowing a device:
$ sudo usbguard allow-device <device-id> --permanent --comment "BackupUSB_2"
  • The comment appears in /etc/usbguard/rules.conf.
  • Makes managing multiple persistent devices much easier.


Best Practices from SNUBmonkey!

  • Back up rules.conf before making changes.
  • Use permanent allow rules only for trusted devices.
  • Test devices with a temporary allow-device (no --permanent flag) first.
  • Check the device state and the audit log:
$ sudo usbguard list-devices

$ sudo journalctl -u usbguard
  • For high-security setups, consider prompt mode instead of auto-allow.

USBGuard is a powerful security tool that lets sysadmins take full control over USB device access. By default, it blocks everything, which protects against malicious devices. With careful rule management, you can make essential devices like your USB drives persistent and safe, while keeping unknown devices blocked.

We hope this guide helps you secure and manage your USB devices with confidence!
Happy tweaking! 🚀
