diff options
| -rw-r--r-- | system/usbguard/README | 40 | ||||
| -rw-r--r-- | system/usbguard/config/rc.usbguard | 63 | ||||
| -rw-r--r-- | system/usbguard/config/usbguard.logrotate | 10 | ||||
| -rw-r--r-- | system/usbguard/doinst.sh | 25 | ||||
| -rw-r--r-- | system/usbguard/slack-desc | 19 | ||||
| -rw-r--r-- | system/usbguard/usbguard.SlackBuild | 108 | ||||
| -rw-r--r-- | system/usbguard/usbguard.info | 10 |
7 files changed, 275 insertions, 0 deletions
diff --git a/system/usbguard/README b/system/usbguard/README new file mode 100644 index 0000000000..543066146e --- /dev/null +++ b/system/usbguard/README @@ -0,0 +1,40 @@ +The USBGuard software framework helps to protect your +computer against unauthorized use of USB ports on +a machine. To enforce the user-defined policy, it uses +the USB device authorization feature implemented in the +Linux kernel since 2007. + +USBGuard supports granular policy options as well as +blacklisting and whitelisting capabilities for specifying +how USB devices will interact with a particular host system. + +A device that is blocked will be listed by the operating +system as being connected, but no communication is allowed +for it. A device that is rejected will be completely ignored +after it is inserted into the port. + +Optional dependencies: + - audit + - libseccomp + +To have the USBGuard daemon start and stop with your host, +add to /etc/rc.d/rc.local: + + if [ -x /etc/rc.d/rc.usbguard ]; then + /etc/rc.d/rc.usbguard start + fi + +and to /etc/rc.d/rc.local_shutdown (creating it if needed): + + if [ -x /etc/rc.d/rc.usbguard]; then + /etc/rc.d/rc.usbguard stop + fi + +Warning: You must configure the daemon before you start it +or all USB devices will immediately be blocked! + +In order to view the current policy execute the following +command: sudo usbguard generate-policy + +If you are satisfied with the output then copy it to the rules file. +sudo usbguard generate-policy >> /etc/usbguard/rules.conf diff --git a/system/usbguard/config/rc.usbguard b/system/usbguard/config/rc.usbguard new file mode 100644 index 0000000000..71f7975d24 --- /dev/null +++ b/system/usbguard/config/rc.usbguard @@ -0,0 +1,63 @@ +#!/bin/sh +# +# Start/Stop/Restart the USBGuard daemon. +# + +PIDFILE=/var/run/usbguard.pid +USBGUARD_OPTS="-f -s" + +# Start +usbguard_start() { + if [ -x /usr/sbin/usbguard-daemon ]; then + if [ -e "$PIDFILE" ]; then + echo "USBGuard daemon already started!" + else + echo "Starting USBGuard daemon..." + /usr/sbin/usbguard-daemon $USBGUARD_OPTS + fi + fi +} + +# Stop +usbguard_stop() { + echo "Stopping USBGuard daemon..." + if [ -e "$PIDFILE" ]; then + kill $(cat $PIDFILE) + rm -f $PIDFILE 2>&1 >/dev/null + fi + # Just in case: + killall usbguard-daemon 2>&1 >/dev/null +} + +# Restart +usbguard_restart() { + usbguard_stop + sleep 3 + usbguard_start +} + +# Status +usbguard_status() { + if [ -e "$PIDFILE" ]; then + echo "usbguard-daemon is running." + else + echo "usbguard-daemon is stopped." + fi +} + +case "$1" in +'start') + usbguard_start + ;; +'stop') + usbguard_stop + ;; +'restart') + usbguard_restart + ;; +'status') + usbguard_status + ;; +*) + echo "usage: $0 start|stop|restart|status" +esac diff --git a/system/usbguard/config/usbguard.logrotate b/system/usbguard/config/usbguard.logrotate new file mode 100644 index 0000000000..1ed4e106fe --- /dev/null +++ b/system/usbguard/config/usbguard.logrotate @@ -0,0 +1,10 @@ +/var/log/usbguard/usbguard-audit.log { + daily + rotate 7 + copytruncate + delaycompress + compress + notifempty + missingok +} + diff --git a/system/usbguard/doinst.sh b/system/usbguard/doinst.sh new file mode 100644 index 0000000000..1d67f5cd4a --- /dev/null +++ b/system/usbguard/doinst.sh @@ -0,0 +1,25 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +preserve_perms() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + if [ -e $OLD ]; then + cp -a $OLD ${NEW}.incoming + cat $NEW > ${NEW}.incoming + mv ${NEW}.incoming $NEW + fi + config $NEW +} + +preserve_perms etc/rc.d/rc.usbguard.new +config etc/logrotate.d/usbguard.new diff --git a/system/usbguard/slack-desc b/system/usbguard/slack-desc new file mode 100644 index 0000000000..5a155841ea --- /dev/null +++ b/system/usbguard/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +usbguard: usbguard (Software protection against rogue USB devices) +usbguard: +usbguard: The USBGuard software framework helps to protect your +usbguard: computer against rogue USB devices (a.k.a. BadUSB) by +usbguard: implementing basic whitelisting and blacklisting +usbguard: capabilities based on device attributes. +usbguard: +usbguard: +usbguard: https://usbguard.github.io/ +usbguard: +usbguard: diff --git a/system/usbguard/usbguard.SlackBuild b/system/usbguard/usbguard.SlackBuild new file mode 100644 index 0000000000..31ce481e6f --- /dev/null +++ b/system/usbguard/usbguard.SlackBuild @@ -0,0 +1,108 @@ +#!/bin/sh + +# Slackware build script for usbguard + +# Copyright 2019 Michael Edie Orlando, FL USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PRGNAM=usbguard +VERSION=${VERSION:-0.7.4} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i586 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION +chown -R root:root . +find -L . \ + \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ + -o -perm 511 \) -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ + -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --mandir=/usr/man \ + --build=$ARCH-slackware-linux \ + --with-crypto-library=sodium \ + --with-bundled-catch \ + --with-bundled-pegtl + +make +make install DESTDIR=$PKG + +find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +DOCS="VERSION LICENSE CHANGELOG.md README.adoc" + +find $PKG/usr/man -type f -exec gzip -9 {} \; +for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done + +install -D -m 0644 $CWD/config/usbguard.logrotate $PKG/etc/logrotate.d/usbguard.new +install -D -m 0644 $CWD/config/rc.usbguard $PKG/etc/rc.d/rc.usbguard.new + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a $DOCS $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +cat $CWD/doinst.sh > $PKG/install/doinst.sh + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/system/usbguard/usbguard.info b/system/usbguard/usbguard.info new file mode 100644 index 0000000000..0a91374766 --- /dev/null +++ b/system/usbguard/usbguard.info @@ -0,0 +1,10 @@ +PRGNAM="usbguard" +VERSION="0.7.4" +HOMEPAGE="https://usbguard.github.io/" +DOWNLOAD="https://github.com/USBGuard/usbguard/releases/download/usbguard-0.7.4/usbguard-0.7.4.tar.gz" +MD5SUM="1cebf50ed9fdbd83f989fcb2e1ae4493" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="protobuf libqb libsodium" +MAINTAINER="Michael Edie" +EMAIL="michael@sawbox.net" |