usbguard - USBGuard command-line interface
usbguard [OPTIONS] <subcommand> [SUBCOMMAND-OPTIONS] …
usbguard get-parameter name
usbguard set-parameter name value
usbguard list-devices
usbguard allow-device id | partial-rule
usbguard block-device id | partial-rule
usbguard reject-device id | partial-rule
usbguard list-rules
usbguard append-rule rule
usbguard remove-rule id
usbguard generate-policy
usbguard watch
usbguard read-descriptor file
usbguard add-user name
usbguard remove-user name
The usbguard command provides a command-line interface (CLI) to a running usbguard-daemon(8) instance. It also provides a tool for generating initial USBGuard policies based on USB devices connected to the system.
get-parameter name
Get the value of a runtime parameter. Parameter name is one of InsertedDevicePolicy and ImplicitPolicyTarget.
Available options:
- -h, --help
  Show help.
set-parameter name value
Set the value of a runtime parameter. Parameter name is one of InsertedDevicePolicy and ImplicitPolicyTarget.
Available options:
- -v, --verbose
  Print the previous and new attribute value.
- -h, --help
  Show help.
list-devices
List all USB devices recognized by the USBGuard daemon.
Available options:
- -a, --allowed
  List allowed devices.
- -b, --blocked
  List blocked devices.
- -h, --help
  Show help.
allow-device id | partial-rule
Authorize a device to interact with the system. The device can be identified by either a device id or a partial rule. A partial rule can be used to allow multiple devices at once. Note that the device id is the very first number on each line of the list-devices command output.
Available options:
- -p, --permanent
  Make the decision permanent. A device-specific allow rule will be appended to the current policy.
- -h, --help
  Show help.
block-device id | partial-rule
Deauthorize a device. The device can be identified by either a device id or a partial rule. A partial rule can be used to block multiple devices at once. Note that the device id is the very first number on each line of the list-devices command output.
Available options:
- -p, --permanent
  Make the decision permanent. A device-specific block rule will be appended to the current policy.
- -h, --help
  Show help.
reject-device id | partial-rule
Deauthorize and remove a device. The device can be identified by either a device id or a partial rule. A partial rule can be used to reject multiple devices at once. Note that the device id is the very first number on each line of the list-devices command output.
Available options:
- -p, --permanent
  Make the decision permanent. A device-specific reject rule will be appended to the current policy.
- -h, --help
  Show help.
list-rules
List the rule set (policy) used by the USBGuard daemon.
Available options:
- -d, --show-devices
  Show all devices affected by each listed rule.
- -l, --label label
  Only show rules that carry the specified label.
- -h, --help
  Show help.
append-rule rule
Append the rule to the current rule set.
Available options:
- -a, --after id
  Append the new rule after the rule with the specified rule id.
- -t, --temporary
  Make the decision temporary. The rule policy file will not be updated.
- -h, --help
  Show help.
remove-rule id
Remove the rule identified by the rule id from the rule set.
Available options:
- -h, --help
  Show help.
generate-policy
Generate a rule set (policy) which authorizes the currently connected USB devices.
Available options:
- -p, --with-ports
  Generate port-specific rules for all devices. By default, port-specific rules are generated only for devices which do not export an iSerial value.
- -P, --no-ports-sn
  Don't generate port-specific rules for devices without an iSerial value. Without this option, the tool adds a via-port attribute to any device that doesn't provide a serial number. This is a security measure: a device that cannot be uniquely identified is limited to connecting only via a specific port. This makes it harder to bypass the policy, since the real device will occupy the allowed USB port most of the time.
- -d, --devpath devpath
  Only generate a rule for the device at the specified sub-path of /sys.
- -t, --target target
  Generate an explicit "catch all" rule with the specified target. The target can be one of the following values: allow, block, reject.
- -X, --no-hashes
  Don't generate a hash attribute for each device.
- -H, --hash-only
  Generate a hash-only policy.
- -L, --ldif
  Generate an LDIF policy for LDAP.
- -b, --usbguardbase base
  Generate an LDIF policy for LDAP with this base. This option is required when --ldif was specified.
- -o, --objectclass objectclass
  Generate an LDIF policy for LDAP with this objectClass.
- -n, --name-prefix prefix
  Generate an LDIF policy for LDAP with this name prefix.
- -h, --help
  Show help.
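Added example, not code from the usbguard project or this man page: a POSIX shell/awk lint that checks a rule set for the property generate-policy enforces by default, namely that an allow rule for a device without an iSerial value (written as serial "") is pinned with via-port. The rule lines are constructed sample data and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not usbguard project code): lint a USBGuard rule set for the
# property that generate-policy enforces by default. A device that exports no
# iSerial value is written as serial "" and is then identified only by its
# id/name/hash, so the generated allow rule pins it to a port with via-port.
# A hand-edited policy that drops via-port from such a rule weakens the policy.

# unpinned_rules FILE
#   Print every allow rule that has no usable serial number and no via-port.
unpinned_rules() {
    awk '
        /^allow / {
            has_serial = ($0 ~ /serial "[^"]+"/)   # non-empty serial attribute
            has_port   = ($0 ~ /via-port /)
            if (!has_serial && !has_port) print
        }
    ' "$1"
}

# count_unpinned FILE -> number of such rules (0 means the policy is clean)
count_unpinned() {
    unpinned_rules "$1" | awk 'END { print NR }'
}

# Constructed sample rule set in USBGuard rule syntax (not from a real host).
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" via-port "usb1" with-interface 09:00:00
allow id 046d:c31c serial "" name "USB Keyboard" via-port "1-1" with-interface { 03:01:01 03:00:00 }
allow id 0781:5583 serial "4C530001234567890000" name "Ultra Fit" with-interface 08:06:50
allow id 1234:5678 serial "" name "Generic Hub" with-interface 09:00:00
block with-interface one-of { 08:*:* }
EOF

unpinned_rules "$RULES_FILE"          # prints only the "Generic Hub" rule
echo "unpinned allow rules: $(count_unpinned "$RULES_FILE")"
```

Run it against the file the daemon loads (the RuleFile setting in usbguard-daemon.conf(5)) after editing a generated policy by hand.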
watch
Watch the IPC interface events and print them to stdout.
Available options:
- -w, --wait
  Wait for the IPC connection to become available.
- -o, --once
  Wait only when starting, if needed. Exit when the connection is lost.
- -e, --exec path
  Run the executable file located at path for every event. Event data is passed to the process via environment variables.
- -h, --help
  Show help.
read-descriptor file
Read a USB descriptor from a file and print it in human-readable form.
Available options:
- -h, --help
  Show help.
add-user name
Create an IPC access control file allowing the user/group identified by name to use the USBGuard IPC bus. The change takes effect only after restarting the usbguard-daemon(8) instance.
Available options:
- -u, --user
  The specified name represents a username or UID (default).
- -g, --group
  The specified name represents a groupname or GID.
- -p, --policy privileges
  Policy-related privileges.
- -d, --devices privileges
  Device-related privileges.
- -e, --exceptions privileges
  Exceptions-related privileges.
- -P, --parameters privileges
  Run-time parameter related privileges.
- -h, --help
  Show help.
Privileges:
The privileges are expected to be in the form of a list separated by a colon:
  $ sudo usbguard add-user joe --devices=listen,modify
Consult the usbguard-daemon.conf(5) man page for a detailed list of the privileges available in each section.
remove-user name
Remove the IPC access control file associated with the user/group identified by name. The change takes effect only after restarting the usbguard-daemon(8) instance.
Available options:
- -u, --user
  The specified name represents a username or UID (default).
- -g, --group
  The specified name represents a groupname or GID.
- -h, --help
  Show help.