I'm Dalibor. I work for Red Hat as a QE in the team where USBGuard is developed. I want to introduce the software and the main concept, and I would like to lead you through the process of configuring USBGuard, so you are encouraged to open your laptops and try it as we go after a few slides. So what USBGuard is, basically, is what the home page says: it's a framework which helps you to protect your computer against bad USBs, and it's implemented via blacklisting and whitelisting. I will go through these points. First of all, I want to mention some attack access vectors in general. Then I will talk a bit about the concept and the design, then the service configuration, the command line interface, the rule database, and a bit about the graphical user interface.

So the attack access vectors, what are they? Actually the access can be divided into two main aspects. One is remote, and one is physical, like local. Then we have a system, and we need to protect the system somehow. So obviously for the remote access we use a firewall. This is the first line of defense of the system. Then we use discretionary access control on the disk layer, which is obvious for I guess most of you, which defines access to files, so different users cannot access files which are not owned by them or which they are not allowed to access. Then we have also the SELinux layer, which has to protect processes, or can prevent processes from communicating with each other. And these are still online things. Then we have also USBGuard, which tries to protect you from these external inputs which are not wanted. And finally we have also LUKS for encryption of the data on the disk. Because all these features are working in the online state, or are protecting you online, the LUKS encryption is for offline protection basically.
If you have physical access to the system, then you either need, or would like, to use USBGuard for managing the inputs, but in the case the attacker has physical access, he can also steal your hardware, like your laptop, or just the hard drive. Then if you connect it to another machine, you can access the data. So the encryption is a really critical part of the complete security. So USBGuard is not something which can fulfill the security for you. And the last one is the human factor. This is something we need to cope with, and it's hard to protect against people basically.

So now the basic design. As you can see, we have the Linux kernel, we have some USB device, and then we have a system service, the usbguard daemon, which is listening to the events from the kernel and uses the database where the rules are stored, applying these rules to the particular devices that are connected to the USB ports. It either blocks or enables the device. There is also a command line interface and a graphical user interface for managing and also online monitoring of the situation. On a Fedora system you need to install usbguard and also usbguard-applet-qt for the desktop environment, which enables you to have an applet in the system tray, which informs you about, notifies you about events happening in USBGuard. On Debian or Ubuntu-based distros the packages are named the same, you just need to install them with the apt command. So if you want to try it, please do so, and I will show you how to configure the whole thing.

The first thing for configuration is the service. It's the configuration of the usbguard daemon. It's located in usbguard-daemon.conf. There is a default configuration. The most interesting parts here are in a bold font. This is the implicit target policy, which is block, which means every new unrecognized device is blocked automatically. Then what to do with devices already connected to the system at the time of starting the daemon.
So it applies the policy in this case. It means it will disable these devices which are not allowed. Also there is a line controlling the inserted devices. This is the state, or the configuration, for devices which are inserted while the daemon is running. And there is an IPC allowed groups statement, which defines who can manage the usbguard daemon over IPC. There are paths to some files. So IPC access control can be specified as drop-in files in this directory. Let's see. Basically the configuration does not need to be changed by default, or the default configuration is enough for standard operation.

And now what about the command line interface? There is the command usbguard, which takes some sub-commands. Each sub-command, and obviously the command itself, has good help. There are manual pages which you can go through. There is one thing I forgot to mention: in this config file, every option is described in the comments. So you don't need to switch to man pages. So this command line tool allows you to configure the service, to add rules and so on. And also the most important command is generate-policy. First of all, if you want to start using the usbguard daemon, if you start it right away, it will block all the USB devices, which is not what you usually want. So you need to somehow initiate the policy, to generate the rules. So this command will help you, and basically what it does is it takes all the devices connected at that time and creates allow rules for them. The rules always start with allow or deny, and then there are attributes of the devices, which are the standard USB IDs, serial number, name, and stuff that is provided by the device itself. You can omit the hash from the format. As you can see here, there is a hash of all the attributes of these devices. And for normal usage on a desktop it's not that readable, so you can generate it without those hashes. Or just with the hash.
Using the hash is good for distribution via network, for example, because no one can modify the rules you predefined, like company-wide, for example. It's hard to change them. How to actually create the initial rule set is to use the generate-policy command, put that output to a file, and set proper permissions on the file, so it must be owned by root and readable only by root. And you need to restart the service. And the usbguard watch command, this is something which allows you to monitor what's happening.

So let me show you the actual process. So currently I have no USBGuard running on the system, and I can generate the policy for... Ah, okay, thank you. I can generate the policy for currently connected devices. I can put it to the USBGuard directory, rules.conf. I have it here. I need to copy from here. So let me change the... Okay, this should be enough. So in the file there are those rules which I generated, and now I can start the daemon. So systemctl. I have no running USBGuard, so I just need to start it. And from this time, I'm not able to connect any new device. I can use that... usbguard monitor... Eh, yeah, not monitor, watch. Command, and now I can see, if I take my flash disk and connect it, I can see that the device is blocked, apparently. It has some ID, serial number, it has some name, DataTraveler, and there is also the hash of these parameters. And I can see also the parent hash, which means basically the controller, in this case, to which the device is connected. I can see the exact port number which it is connected to, and there is the interface, which is defined by the device. In this case, it means that this is a flash drive. Yeah, this interface ID means flash drive. You can search on the internet for these numbers. And there is also the old state, the new state, and the final resolution of the insertion of the device. So this was watch. Now, when I want to list, just list the devices, I need to, or I can use the list-devices command.
If I list them, each device is prefixed with some index number. So when I want to add this device to the database, I can just use that number. In my case, the DataTraveler is index 15, so I can use the command allow-device, in this case with ID 15. And that's it. From now on, as you can see, the device started to work, and it automatically was mounted, and so on. The same I can do with block-device or reject-device. The difference between block and reject is that if you block the device, it's set in the kernel that it is disabled, or, yeah, basically it's disabled, but you can enable it again. If you reject it, the kernel drops completely the reference to the device, and you need to reinsert it to allow it again. There is the command list-rules, which will list basically the file rules.conf. You can use append-rule and remove-rule for the rules. If you use, for example, remove, those rules are, again, indexed, and you can remove some particular index. If you want to append, you can put here the whole rule. As the watch command shows the line "allow something" or "block something", you can take the whole output and put it as a rule and it will add it to the database. No big magic.

The rules themselves, I mentioned that already, are specified as one line which starts with the allow or deny keyword, and then there are those attributes for the device, and also you can use these, it depends on your preference. The attribute forms can be different. You can have single-valued or multi-valued rules together. For example, all the flash drives, or specific brand flash drives, for example. You can also use those stars here. There are examples in the man page of usbguard-rules.conf. So you can take a look and go through that or search on the internet. There can be conditional rules. For example, you want to enable USB devices only during working hours. So you can put here some statement that, basically these two lines, if you use them as a rule for the rule database, these will define that.
Every USB device is allowed during these hours, starting 9am, ending 6pm, and everything else will be blocked, so outside this time frame it will be blocked. There might be other conditions, like if the device provides more interfaces you can construct conditions based on these.

And finally the graphical user interface. As I said already, it's a Qt applet. It provides you the notifications and you can also do some simple manipulation with the policy. It's not designed for some tweaking of the policies. Basically, if you want to disable the device on the workstation when you insert it, it will help you. So if I start usbguard-applet-qt I will get this little icon here. If I click on that I will see the current rules. You can see that there are devices which are allowed, all of them are allowed. I can change the state of the particular device, I can apply the change in real time, or I can check this check box for permanently, to make a permanent change to the database, to the config file. There are some other options in settings regarding the template.
If you insert the device there is some timeout, for example. You can change these numbers. I will show you: if I disconnect the USB flash disk and insert it again, it will show me the notification, and also there is a dialogue for the device and whether I want to make this change permanent or not. So I can allow it, for example, right now. It will mount the flash disk, but if I disconnect it and connect it again, I will be asked again. If I make it permanent, it will obviously not ask me next time. The notifications are there each time, but the device is already enabled. And so this is a bigger screenshot of these dialogues and the notifications, and that's basically it. No rocket science, it's a very simple concept. It basically can work for a long time, it's implemented in the kernel, the enabling and disabling, it's implemented in the kernel since 2007, but actually no one was interested in that for a long time, and the first USBGuard was done in, I guess, March 2015. So it's quite a short time, but at the same time it's a long enough time to be widespread, but it's not happening that often. This USBGuard is by default not installed in the Linux distributions. I don't know whether there is any which installs it by default, but Fedora doesn't do that by default. So, time for questions. How do you use that?
No, actually I didn't. I just tried: if you give it IPC access and you install the device, you cannot get to the list of rules because there is no place to... I don't have an answer for this. You can see I'm not using GNOME 3, I use Mate, which is a fork of GNOME 2. There is this system tray for these icons, but the applet is working, notifications should be there, just a notification. I don't have an answer for this; my colleague notes that it's the GNOME notification system, not in the applet itself. If you can mimic the device completely there is no way to distinguish, but the general answer to this concern is to make the rules with as many attributes as possible, to use as many attributes in the rule as possible. So if you have a device like the GNOME device, you cannot distinguish it in this... So we ran out of time, so thank you for the attention.
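As an added example that is not part of the talk or of the USBGuard project, here is a toy evaluator in Python for the subset of the rule language described above: allow/block/reject targets, single- and multi-valued attributes with set operators and `*` wildcards, the `localtime(...)` condition, first-match-wins ordering and the implicit block policy. The set-operator semantics, the treatment of a bare value as `equals { value }`, the "HH:MM" clock argument and the constructed rules and devices are my assumptions, not USBGuard's documented behaviour.

```python
# Toy evaluator for a subset of the usbguard rule language shown in the talk; added example code,
# not USBGuard's own. Assumed: a bare attribute value means `equals { value }`, only localtime().
import shlex
from datetime import time
from fnmatch import fnmatchcase
SET_OPS = {"one-of", "all-of", "none-of", "equals"}

def parse_rule(line):  # -> (target, [(attribute, operator, patterns)], condition or None)
    toks = shlex.split(line)                      # keeps quoted names like "xHCI Host Controller" whole
    target, attrs, cond, i = toks[0], [], None, 1
    while i < len(toks):
        if toks[i] == "if":                       # e.g. "localtime(9:00-18:00)" or "!localtime(...)"
            cond, i = toks[i + 1], i + 2
            continue
        name, op, i = toks[i], "equals", i + 1
        if toks[i] in SET_OPS:
            op, i = toks[i], i + 1
        if toks[i] == "{":                        # multi-valued form: attr op { v1 v2 ... }
            close = toks.index("}", i)
            patterns, i = toks[i + 1:close], close + 1
        else:
            patterns, i = [toks[i]], i + 1
        attrs.append((name, op, patterns))
    return target, attrs, cond

def attr_matches(op, patterns, dev_value):        # set-operator semantics; '*' wildcards allowed
    vals = dev_value if isinstance(dev_value, list) else [dev_value] if dev_value else []
    hit = [any(fnmatchcase(v, p) for v in vals) for p in patterns]        # pattern -> some device value
    covered = all(any(fnmatchcase(v, p) for p in patterns) for v in vals)   # every device value -> pattern
    return {"all-of": all(hit), "one-of": any(hit), "none-of": not any(hit),
            "equals": all(hit) and covered}[op]

def condition_holds(cond, now_hhmm):              # `[!]localtime(HH:MM-HH:MM)` checked against "HH:MM"
    if cond is None:
        return True
    negate, body = cond.startswith("!"), cond.lstrip("!")
    lo, hi = (time.fromisoformat(t.zfill(5)) for t in body[len("localtime("):-1].split("-"))
    return (lo <= time.fromisoformat(now_hhmm.zfill(5)) <= hi) != negate

def evaluate(rules, device, now_hhmm, implicit="block"):  # first matching rule wins, else implicit policy
    for target, attrs, cond in map(parse_rule, rules):
        if all(attr_matches(op, p, device.get(a)) for a, op, p in attrs) and condition_holds(cond, now_hhmm):
            return target
    return implicit
# Constructed rules/devices: hub rule in generate-policy style, mass storage (08:06:50) only in
# working hours, storage+HID composite devices rejected outright; "HH:MM" stands in for the clock.
RULES = ['allow id 1d6b:0002 name "xHCI Host Controller" with-interface 09:00:00',
         'allow with-interface equals { 08:06:50 } if localtime(9:00-18:00)',
         'reject with-interface all-of { 08:*:* 03:*:* }']
HUB = {"id": "1d6b:0002", "name": "xHCI Host Controller", "with-interface": ["09:00:00"]}
FLASH = {"id": "0951:1666", "name": "DataTraveler 3.0", "with-interface": ["08:06:50"]}
COMBO = {"id": "1234:5678", "name": "Constructed combo", "with-interface": ["08:06:50", "03:00:01"]}
```

For the real clock, pass `datetime.now().strftime("%H:%M")` as `now_hhmm`.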