Block Bad USB on Linux Server with USBGuard

Posted on June 21, 2026

You plug a USB device into your computer and think it is safe, but it can compromise you very fast. There is a bad thing called BadUSB. It looks like a normal flash drive, but inside it is malicious. It tells your computer “hey, I am a keyboard” and then types commands super fast to steal your files or install a virus. Normal antivirus cannot see this because it thinks you are typing with your own hands. This is why we must use USBGuard. It is a daemon that blocks every USB device until we say it is okay. This guide helps you install it and fix the annoying SELinux error that always breaks it. We will do this step by step so you do not lock out your own keyboard.

USBGuard is like a security guard for your USB ports. When you plug in something new, USBGuard stops it and asks “who are you?”. If the device has permission in the rules, it can work. If not, it just sits there doing nothing at all. USBGuard uses a policy file located at /etc/usbguard/rules.conf to know who is good and who is bad. If the hash of the USB device does not match the rule, it gets blocked. This is very good for security on servers and laptops. Many people do not use this because they think it is too hard, but actually it is very simple if you know the correct commands. I will show you how to configure this on your system without making mistakes.

Step 1: Generating the initial policy

First, we need to let our current USB devices keep working, like the mouse and keyboard we are using right now. If we do not do this first, USBGuard will block our own keyboard and we cannot type anything to fix it. This is funny but also very bad, because you get locked out. To prevent this, we run a command that makes a policy from what is already plugged in.

Run this command in your terminal:

sudo usbguard generate-policy -P > /tmp/rules.conf

The sudo part gives us administrator powers. The generate-policy subcommand tells USBGuard to scan all USB devices currently connected to your computer. The -P flag is very important. It means generate the policy with permanent attributes like the specific device hash and serial number. We write all these rules into a temporary file, /tmp/rules.conf. We do this because we need to move it and fix its security labels later, before the system can use it.

Step 2: Moving the rules and setting permissions

Now we must move this new rules file to the official USBGuard folder. We must also make sure only the root user can read this file. If other normal users can read or write it, they can add their own bad USB rules and compromise your computer easily.

Run these commands one by one:

sudo mv /tmp/rules.conf /etc/usbguard/rules.conf
sudo chown root:root /etc/usbguard/rules.conf
sudo chmod 0600 /etc/usbguard/rules.conf

First, the mv command moves the file from /tmp to /etc/usbguard/. Next, the chown root:root command changes the owner of the file to the root user and root group. This stops normal users from messing with it. Finally, chmod 0600 makes it so only the root user can read and write this file. No other user on the system can even look inside it. This makes the file safe from local attacks.

Step 3: Fixing the SELinux label issue

This is where most people make a big mistake and get very angry because the service does not start. When you move a file from the /tmp folder to the /etc folder, the file keeps its old SELinux label. SELinux is a security system in Red Hat and Fedora. In the /tmp folder, the file has a label called user_tmp_t. But the USBGuard daemon runs under a different label called usbguard_t. SELinux is very strict about this. It sees that usbguard_t tries to read a file with the user_tmp_t label, and it says “No way, access denied!”. Then your USBGuard service fails to start with a Permission denied error.

To fix this problem, we must reset the label of the rules file using the restorecon command:

sudo restorecon -v /etc/usbguard/rules.conf

This command is very simple but very important. It changes the label from user_tmp_t to usbguard_rules_t. Now SELinux knows the file is safe and will let USBGuard read it. If you skip this step, you will see a big error in your system logs and you will think USBGuard is broken. But it is just SELinux doing its job. Always remember to run restorecon when you move files into system folders.

Step 4: Starting the USBGuard daemon

Now we can finally start the USBGuard daemon and protect our computer. We use the systemctl command to manage the service.

Run this command:

sudo systemctl enable --now usbguard

The enable --now option is very cool because it does two things at the same time. It starts the service right now, and it also configures it to start automatically every time you boot your computer.

After you run that, you should check if it started correctly:

sudo systemctl status usbguard --no-pager | head -5

This command shows the first five lines of the service status. If you see active (running) in the output, it means everything is working well. If it says failed, you probably forgot the SELinux step we did before, so go back and check your labels.
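
A pre-flight check for the rules file from Steps 1 to 3, useful before you start or restart the daemon. This is an added example, not part of the original post; the function name check_rules_file and the sample policy are constructed for illustration, and it assumes GNU stat.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. SAMPLE_POLICY is constructed;
# the hash values are placeholders, not real device hashes.
SAMPLE_POLICY='allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "CONSTRUCTED-HASH-A" parent-hash "CONSTRUCTED-HASH-P" with-interface 09:00:00 with-connect-type ""
allow id 1234:0001 serial "" name "Constructed USB Keyboard" hash "CONSTRUCTED-HASH-K" parent-hash "CONSTRUCTED-HASH-A" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"'

# Print one finding per line for the rules file in $1; return 0 if there are none.
check_rules_file() {
    local f="$1" bad=0 own mode ctx
    # Step 1: the shell creates the redirect target even when sudo or usbguard
    # fails, so an empty file can end up in /etc/usbguard and block every device.
    if ! grep -q '^allow ' "$f" 2>/dev/null; then
        echo "EMPTY: no allow rules in $f"; return 1
    fi
    # Step 1: warn when no allowed device declares a HID interface (class 03).
    # This only matters if you depend on a USB keyboard.
    if ! grep -q '^allow .*with-interface [^"]*03:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]' "$f"; then
        echo "KEYBOARD: no allowed device has a HID interface (03:xx:xx)"; bad=1
    fi
    # Step 2: owner root:root and mode 0600.
    own=$(stat -c '%U:%G' "$f"); mode=$(stat -c '%a' "$f")
    [ "$own" = "root:root" ] || { echo "OWNER: $own, expected root:root"; bad=1; }
    [ "$mode" = "600" ] || { echo "MODE: $mode, expected 600"; bad=1; }
    # Step 3: SELinux type, checked only where SELinux is enabled.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        ctx=$(stat -c '%C' "$f")
        case $ctx in
            *:usbguard_rules_t:*) ;;
            *) echo "LABEL: $ctx, expected type usbguard_rules_t"; bad=1 ;;
        esac
    fi
    return "$bad"
}

# Demo on a constructed copy with a deliberately wrong mode.
demo=$(mktemp); printf '%s\n' "$SAMPLE_POLICY" > "$demo"; chmod 0644 "$demo"
check_rules_file "$demo" || true
rm -f "$demo"
```

On a real host, call check_rules_file /etc/usbguard/rules.conf as root after Step 3; any LABEL line means restorecon still has to be run.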

Step 5: How to authorize a new USB device

Now that USBGuard is running, if you plug a new USB flash drive or a new mouse, nothing will happen. The computer will ignore it because it is not in our policy rules file. This is exactly what we want to stop hackers! But how do we allow it if we know it is a safe device?

First, plug your new USB device into the computer. Then, we need to find its ID. Run this command to see all devices:

sudo usbguard list-devices

This command lists every USB device that the system can see. The new device you just plugged in will have a status like block. Look at the list and find your device. It will have a number ID like 3 or 4 at the start of the line.

Once you find the ID, you can tell USBGuard to allow it temporarily:

sudo usbguard allow-device <device-id>

Replace <device-id> with the number you found, for example, sudo usbguard allow-device 3. Now your USB device will start working immediately.

But wait, if you unplug it and plug it again, or if you reboot your computer, it will be blocked again because allow-device is only temporary. To make it work forever, we must add a permanent rule to our rules file:

sudo usbguard append-rule "allow id 1234:5678 serial \"...\" name \"YubiKey FIDO+CCID\" hash \"...\""

You can get the exact rule string from the usbguard list-devices command. Copy that line and use the append-rule command to save it. Now your device is permanently allowed.
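
Before authorizing anything from that list, it helps to see what each blocked device claims to be, because a BadUSB stick announces a keyboard (HID) interface. The following is an added example, not from the original post: it reads list-devices output, flags blocked devices with a HID interface, and builds the rule text for append-rule. The names review_blocked and rule_for and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. SAMPLE_LIST imitates the output of
# `usbguard list-devices`; ids, serials and hashes are constructed placeholders.
SAMPLE_LIST='1: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "CONSTRUCTED-HASH-A" parent-hash "CONSTRUCTED-HASH-P" via-port "usb1" with-interface 09:00:00 with-connect-type ""
7: block id 1234:5678 serial "CONSTRUCTED-SN-1" name "Constructed Flash Drive" hash "CONSTRUCTED-HASH-B" parent-hash "CONSTRUCTED-HASH-A" via-port "1-2" with-interface 08:06:50 with-connect-type "hotplug"
8: block id 1234:9999 serial "CONSTRUCTED-SN-2" name "Constructed Flash Drive" hash "CONSTRUCTED-HASH-C" parent-hash "CONSTRUCTED-HASH-A" via-port "1-3" with-interface { 08:06:50 03:01:01 } with-connect-type "hotplug"'

# Read list-devices output on stdin and print "ID<TAB>FLAG<TAB>NAME" for each
# blocked device. FLAG is HID when the device declares an interface of class 03
# (keyboard, mouse), which a plain storage stick (class 08) should not have.
review_blocked() {
    awk '
    $2 == "block" {
        id = $1; sub(/:$/, "", id)
        name = "?"
        if (match($0, / name "[^"]*"/)) name = substr($0, RSTART + 7, RLENGTH - 8)
        flag = "-"
        # The interface list runs from with-interface to the next quoted attribute.
        if (match($0, /with-interface [^"]*/)) {
            ifs = substr($0, RSTART, RLENGTH)
            if (ifs ~ /03:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]/) flag = "HID"
        }
        printf "%s\t%s\t%s\n", id, flag, name
    }'
}

# Read list-devices output on stdin and print the rule for blocked device $1:
# the "ID: " prefix is dropped and the target changes from block to allow.
rule_for() {
    case $1 in ''|*[!0-9]*) echo "device id must be a number" >&2; return 2 ;; esac
    sed -n "s/^$1: block /allow /p"
}

# Demo on the constructed sample. On a real host, after reviewing the device:
#   sudo usbguard append-rule "$(sudo usbguard list-devices | rule_for 7)"
printf '%s\n' "$SAMPLE_LIST" | review_blocked
printf '%s\n' "$SAMPLE_LIST" | rule_for 7
```

In the sample, device 8 calls itself a flash drive but also declares 03:01:01, so it is the one to leave blocked.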

Step 6: USBGuard on Desktop vs Server

If you are using a server, the command line with append-rule is the best way because you can write scripts to automate everything. But if you are on a desktop computer, typing commands in a terminal every time you plug in a USB drive is very annoying.

For desktop users, you can install a special graphical tool:

usbguard-applet-qt

This package adds a small icon to your desktop system tray. When you plug a new USB device, a window will pop up and ask you: “Allow, Block, or Always allow?”. You can just click the button with your mouse. This is much easier for daily use on a laptop or workstation.

Conclusion

USBGuard is a very strong tool to protect your Linux computer from BadUSB attacks. It is simple to use, but you must be careful with SELinux labels when you first install it. Always make sure to generate your initial policy first so you do not block your own keyboard. Once you have it running, your USB ports are safe from unauthorized devices.
