usbguard规则允许任何键盘和鼠标

usbguard规则允许任何键盘和鼠标

这是一个/etc/usbguard/rules.conf文件,是通过生成的usbguard generate-policy > /etc/usbguard/rules.conf

这是在戴尔 optiplex 电脑上,仅连接了有线键盘和有线鼠标,RHEL-8.9usbguard-1.0.0-13.el8.x86_64

allow id 1d6b:0002 serial "0000:00:1d.0" name "EHCI Host Controller" hash "WHBTxNaEoMGNSNc31KpFNSAeFF4HbLMQgSBqORlC6S8=" parent-hash "jW2YTPWRLeQOE7Q8I2f0pdN13zFYXVQGQoNmr1gDZgg=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0002 serial "0000:00:1a.0" name "EHCI Host Controller" hash "ej1WVedyLyUMLiQxzEcrwbY45zCodwV85Kzy7hm2Gv4=" parent-hash "e/RW0mMbM+TSFQxpRiMEfL7/3RJfKVdqffBm9F5qA+E=" with-interface 09:00:00 with-connect-type ""
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
allow id 8087:0024 serial "" name "" hash "Zx7v0FMQEjScKSAFENAiobEs1OGPPB0YWR+yXDCVE04=" parent-hash "WHBTxNaEoMGNSNc31KpFNSAeFF4HbLMQgSBqORlC6S8=" via-port "1-1" with-interface 09:00:00 with-connect-type "hardwired"

allow id 0461:4d51 serial "" name "DELL Laser Mouse" hash "w2bwgTsGy6TVhOOr7smHrvF8PtmYVKQwxbqgA5betmI=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "2-3" with-interface 03:01:02 with-connect-type "hotplug"
allow id 413c:2003 serial "" name "Dell USB Keyboard" hash "3eEGsGE566EIofQwRf06EINoPRynZIa/09c3uyy4TTY=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "2-4" with-interface 03:01:01 with-connect-type "hotplug"

allow id 8087:0024 serial "" name "" hash "kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" parent-hash "ej1WVedyLyUMLiQxzEcrwbY45zCodwV85Kzy7hm2Gv4=" via-port "3-1" with-interface 09:00:00 with-connect-type "hardwired"

allow id 0461:4d22 serial "" name "USB Optical Mouse" hash "OZ6XJQmjdeDg7Dp2MelZt+ewNTtdNTt92FtGPI0VPAc=" parent-hash "kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "3-1.4" with-interface 03:01:02 with-connect-type "hotplug"

如果规则文件中没有最后一行,第二个鼠标在插入时将无法工作,所以我知道这个规则文件是特定于键盘和鼠标的。

我的问题是 - 我被告知这是可能的 - 如何编写规则语法以允许任何键盘和任何鼠标连接到系统的[到任何 USB 端口]?

额外问题:如果将有线 USB kybd 和鼠标插入具有 USB 端口的显示器,那么您有一根 USB 电缆从该显示器连接到计算机 USB 端口,是否可以将其列入白名单以允许任何显示器?

答案1

生成的规则并非特定于键盘和鼠标,而是特定于生成规则时连接到系统的设备。

要允许任何键盘和鼠标,请使用匹配这些的规则:

allow with-interface one-of { 03:00:01 03:01:01 03:00:02 03:01:02 }

在每个冒号分隔的三元组中,第一个值是接口类,第二个值是接口子类,第三个值是接口协议。第 3 类是“人机接口设备”。指定子类 0 和 1 允许引导设备和非引导设备匹配。协议 1 是键盘,协议 2 是鼠标。

该文档显示了一个更奇特的变体,它只允许第一个键盘:

allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })

这可以通过将协议更改为 2 来适应小鼠。

就监视器而言,大多数情况下相关功能是它们的集线器;这是接口类 9:

allow with-interface equals { 09:*:* }

相关内容