Adding missing options to manual pages

doc/man/usbguard-daemon.conf.5.adoc

@@ -16,50 +16,82 @@ It may be overridden using the *-c* command-line option, see *usbguard-daemon*(8
 
 == OPTIONS
 *RuleFile*='path'::
-    The USBGuard daemon will use this file to load the policy rule set from it and to write new rules received via the IPC interface.
+    The USBGuard daemon will use this file to load the policy rule set from it
+    and to write new rules received via the IPC interface.
+
+*RuleFolder*='path'::
+    The USBGuard daemon will use this folder to load the policy rule set from
+    it and to write new rules received via the IPC interface.
 
 *ImplicitPolicyTarget*='target'::
-    How to treat USB devices that don't match any rule in the policy.
-    Target should be one of `allow`, `block` or `reject` (logically remove the device node from the system).
+    How to treat USB devices that don't match any rule in the policy. Target
+    should be one of `allow`, `block` or `reject` (logically remove the device
+    node from the system).
 
 *PresentDevicePolicy*='policy'::
-   How to treat USB devices that are already connected when the daemon starts.
-   Policy should be one of `allow`, `block`, `reject`, `keep` (keep whatever state the device is currently in) or `apply-policy` (evaluate the rule set for every present device).
+    How to treat USB devices that are already connected when the daemon starts.
+    Policy should be one of `allow`, `block`, `reject`, `keep` (keep whatever
+    state the device is currently in) or `apply-policy` (evaluate the rule set
+    for every present device).
 
 *PresentControllerPolicy*='policy'::
-   How to treat USB *controller* devices that are already connected when the daemon starts.
-   One of `allow`, `block`, `reject`, `keep` or `apply-policy`.
+    How to treat USB *controller* devices that are already connected when the
+    daemon starts. One of `allow`, `block`, `reject`, `keep` or `apply-policy`.
 
 *InsertedDevicePolicy*='policy'::
-   How to treat USB devices that are already connected _after_ the daemon starts.
-   One of `block`, `reject`, `apply-policy`.
+    How to treat USB devices that are already connected _after_ the daemon
+    starts. One of `block`, `reject`, `apply-policy`.
+
+*AuthorizedDefault*='authorizedDefault'::
+    The USBGuard daemon modifies some of the default authorization state
+    attributes of controller devices. This setting, enables you to define what
+    value the default authorization is set to. Authorized default should be one
+    of `keep` (do not change autorization state), `wired` (new wired USB
+    devices start out authorized, wireless do not), `none` (every new device
+    starts out deauthorized), `all` (every new device starts out authorized) or
+    `internal` (internal devices start out authorized, external do not).
 
 *RestoreControllerDeviceState*='boolean'::
-   The USBGuard daemon modifies some attributes of controller devices like the default authorization state of new child device instances.
-   Using this setting, you can control whether the daemon will try to restore the attribute values to the state before modification on shutdown.
+    The USBGuard daemon modifies some attributes of controller devices like the
+    default authorization state of new child device instances. Using this
+    setting, you can control whether the daemon will try to restore the
+    attribute values to the state before modification on shutdown.
 
 *DeviceManagerBackend*='backend'::
-   Which device manager backend implementation to use.
-   Backend should be one of `uevent` (default) or `umockdev`.
+    Which device manager backend implementation to use. Backend should be one
+    of `uevent` (default) or `umockdev` (useful for testing). UEvent backend is
+    a netlink based implementation which uses sysfs to scan for present devices
+    and an uevent socket for receiving USB device related events. UMockDev
+    based device manager is capable of simulating devices based on
+    umockdev-record files.
 
 *IPCAllowedUsers*='username' ['username' ...]::
-   A space delimited list of usernames that the daemon will accept IPC connections from.
+    A space delimited list of usernames that the daemon will accept IPC
+    connections from.
 
 *IPCAllowedGroups*='groupname' ['groupname' ...]::
-   A space delimited list of groupnames that the daemon will accept IPC connections from.
+    A space delimited list of groupnames that the daemon will accept IPC
+    connections from.
 
 *IPCAccessControlFiles*='path'::
-   The files at this location will be interpreted by the daemon as IPC access control definition files.
-   See the <<ipc-access-control,IPC ACCESS CONTROL>> section for more details.
+    The files at this location will be interpreted by the daemon as IPC access
+    control definition files. See the <<ipc-access-control,IPC ACCESS CONTROL>>
+    section for more details.
 
 *DeviceRulesWithPort*='boolean'::
-   Generate device specific rules including the "via-port" attribute.
+    Generate device specific rules including the "via-port" attribute.
 
 *AuditBackend*='backend'::
-   USBGuard audit events log backend. The 'backend' value should be one of `FileAudit` or `LinuxAudit`.
+    USBGuard audit events log backend. The 'backend' value should be one of
+    `FileAudit` or `LinuxAudit`.
 
 *AuditFilePath*='filepath'::
-   USBGuard audit events log file path. Required if AuditBackend is set to `FileAudit`.
+    USBGuard audit events log file path. Required if AuditBackend is set to
+    `FileAudit`.
+
+*HidePII*='boolean'::
+    Hides personally identifiable information such as device serial numbers and
+    hashes of descriptors (which include the serial number) from audit entries.
 
 
 == SECURITY CONSIDERATIONS

doc/man/usbguard.1.adoc

@@ -11,6 +11,10 @@ usbguard - USBGuard command-line interface
 
 usbguard [OPTIONS] <subcommand> [SUBCOMMAND-OPTIONS] ...
 
+usbguard get-parameter 'name'
+
+usbguard set-parameter 'name' 'value'
+
 usbguard list-devices
 
 usbguard allow-device 'id' | 'rule'
@@ -43,7 +47,30 @@ It also provides a tool for generating initial USBGuard policies based on USB de
 
 == SUBCOMMANDS
 
-=== *list-devices*
+=== *get-parameter* ['OPTIONS'] 'name'
+Get the value of a runtime parameter.
+Parameter 'name' is one of 'InsertedDevicePolicy' and 'ImplicitPolicyTarget'.
+
+Available options:
+
+*-h, --help*::
+    Show help.
+
+
+=== *set-parameter* ['OPTIONS'] 'name' 'value'
+Set the value of a runtime parameter.
+Parameter 'name' is one of 'InsertedDevicePolicy' and 'ImplicitPolicyTarget'.
+
+Available options:
+
+*-v, --verbose*::
+    Print the previous and new attribute value.
+
+*-h, --help*::
+    Show help.
+
+
+=== *list-devices* ['OPTIONS']
 List all USB devices recognized by the USBGuard daemon.
 
 Available options:
@@ -58,7 +85,7 @@ Available options:
     Show help.
 
 
-=== *allow-device* ['OPTIONS'] <'id' | 'rule'>
+=== *allow-device* ['OPTIONS'] < 'id' | 'rule' >
 Authorize a device identified by either the device 'id' or a specific 'rule' to interact with the system. A rule might apply to multiple devices. Note that the device 'id' refers to the very first number of the list-devices command output.
 
 Available options:
@@ -71,7 +98,7 @@ Available options:
     Show help.
 
 
-=== *block-device* ['OPTIONS'] <'id' | 'rule'>
+=== *block-device* ['OPTIONS'] < 'id' | 'rule' >
 Deauthorize a device identified by either the device 'id' or a specific 'rule'. A rule might apply to multiple devices. Note that the device 'id' refers to the very first number of the list-devices command output.
 
 Available options:
@@ -84,7 +111,7 @@ Available options:
     Show help.
 
 
-=== *reject-device* ['OPTIONS'] <'id' | 'rule'>
+=== *reject-device* ['OPTIONS'] < 'id' | 'rule' >
 Deauthorize and remove a device identified by either the device 'id' or a specific 'rule'. A rule might apply to multiple devices. Note that the device 'id' refers to the very first number of the list-devices command output.
 
 Available options:
@@ -105,6 +132,9 @@ Available options:
 *-d, --show-devices*::
     Show all devices which are affected by the specific rule.
 
+*-l, --label* 'label'::
+    Only show rules having a specific label.
+
 *-h, --help*::
     Show help.
 
@@ -117,6 +147,9 @@ Available options:
 *-a, --after* 'id'::
     Append the new rule after a rule with the specified rule 'id'.
 
+*-t, --temporary*::
+    Make the decision temporary. The rule policy file will not be updated.
+
 *-h, --help*::
     Show help.
 
@@ -145,6 +178,9 @@ Available options:
     This is a security measure to limit devices that cannot be uniquely identified to connect only via a specific port.
     This makes it harder to bypass the policy since the real device will occupy the allowed USB port most of the time.
 
+*-d, --devpath* 'devpath'::
+    Only generate a rule for the device at the specified sub path of /sys.
+
 *-t, --target* 'target'::
     Generate an explicit "catch all" rule with the specified target.
     The target can be one of the following values: *allow*, *block*, *reject*
@@ -155,6 +191,19 @@ Available options:
 *-H, --hash-only*::
     Generate a hash-only policy.
 
+*-L, --ldif*::
+    Generate a ldif policy for LDAP.
+
+*-b, --usbguardbase* 'base'::
+    Generate a ldif policy for LDAP with this base.
+    This option is required when --ldif was specified.
+
+*-o, --objectclass* 'objectclass'::
+    Generate a ldif policy for LDAP with this objectClass.
+
+*-n, --name-prefix* 'prefix'::
+    Generate a ldif policy for LDAP with this name prefix.
+
 *-h, --help*::
     Show help.
 
@@ -212,6 +261,9 @@ Available options:
 *-P, --parameters* 'privileges'::
     Run-time parameter related privileges.
 
+*-N, --no-root-check*::
+    Disable root privileges checking.
+
 *-h, --help*::
     Show help.
 
@@ -238,6 +290,9 @@ Available options:
 *-g, --group*::
     The specified 'name' represents a groupname or GID.
 
+*-N, --no-root-check*::
+    Disable root privileges checking.
+
 *-h, --help*::
     Show help.
 

src/CLI/usbguard-generate-policy.cpp

@@ -59,7 +59,7 @@ namespace usbguard
     stream << "  -p, --with-ports       Generate port specific rules for all devices." << std::endl;
     stream << "  -P, --no-ports-sn      Don't generate port specific rule for devices" << std::endl;
     stream << "                         without an iSerial value." << std::endl;
-    stream << "  -d, --devpath          Only generate a rule for the device at the specified" << std::endl;
+    stream << "  -d, --devpath <D>      Only generate a rule for the device at the specified" << std::endl;
     stream << "                         sub path of /sys." << std::endl;
     stream << "  -t, --target <T>       Generate an explicit \"catch all\" rule with the" << std::endl;
     stream << "                         specified target. Possible targets: allow, block, reject." << std::endl;

usbguard-daemon.conf.in

@@ -202,3 +202,8 @@ AuditBackend=FileAudit
 #
 AuditFilePath=%localstatedir%/log/usbguard/usbguard-audit.log
 
+#
+# Hides personally identifiable information such as device serial numbers and
+# hashes of descriptors (which include the serial number) from audit entries.
+#
+HidePII=false