Translation(s): none yet
USBGuard is available on Debian to block/authorize USB devices on your hosts. According to its documentation:
- USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system). Simply put, it is a USB device whitelisting tool.
![/!\](/htdocs/debwiki/img/alert.png "/!\"){kind=small}
Warning: USBGuard might block all USB devices on first installation or upgrade. If you have only USB keyboards you might be locked out of your system.
Warning: It can also leave devices flagged as unauthorized on removal.
Installation
Usually you'll want to install the graphical notifier usbguard-notifier along usbguard:
apt install usbguard usbguard-notifier
The notifier will need a restart of the GUI.
Default configuration
From DebianBullseye, when installing USBGuard, the daemon will be automatically started. All currently connected devices will be allowed to be used. When inserting a new device, if this device is not defined in the rules, it will be blocked.
Audit
Use the usual tools (service, journalctl, etc) and locations (/etc/sbguard) to manage the usbguard deamon.
Manual recovery
To authorize all connected devices:
for d in /sys/bus/usb/devices/*/authorized; do echo 1 > $d; done
Documentation
There are Debian man pages for usbguard, usbguard-notifier, and its CLI.