RHEL-65035

[RFE] Allow only one keyboard/mouse using USBGuard

      What were you trying to do that didn't work?

      Trying to allow only one keyboard/mouse on the system using USBGuard.

      What is the impact of this issue to you?

      Machine lets/allows multiple keyboards/mice on the machine. This is not acceptable as per the customer's requirements when using USBGuard.

      Please provide the package NVR for which the bug is seen:

      RHEL 9.3 with USBGuard installed and enabled.

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Configuring USBGuard to allow only one keyboard/mouse isn't possible.

      Checked the following documentation for setting up the above requirement -

       https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard#sec-Using-Rule-Language

      https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/protecting-systems-against-intrusive-usb-devices_security-hardening#creating-a-custom-policy-for-usb-devices_protecting-systems-against-intrusive-usb-devices

       

      Desktop SME suggested the below -

      Unfortunately, there does not appear to be any functionality or logic in USBGuard to target any given quantity of a specific device type.  You can only target devices by individual characteristics. This appears to be consistent across any distribution when reviewing documentation.

      https://manpages.ubuntu.com/manpages/focal/en/man5/usbguard-rules.conf.5.html

      https://rpm.pbone.net/manpage_idpl_31649171_numer_5_nazwa_usbguard-rules.conf.html

       

      Customer states the following -

      So in that Ubuntu page you linked there is an example that seems to be what I want.

      4. Allow a keyboard-only USB device only if there isn’t already a USB device with a keyboard interface allowed

          allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })

      I have tried this but I was not able to get it to work, since it flips allowed/blocked statuses on usbguard restart, which seems to match this issue below.
      https://github.com/USBGuard/usbguard/issues/456

      Is that consistent with what you guys have seen with your testing? Is there no other way to get it to work?

      Expected results

      Allow only one keyboard/mouse using USBGuard.

      Actual results

      Upon a system restart, the USBGuard settings get revoked and the system allows multiple keyboards again. Whatever configuration changes we perform aren't persistent.
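
An added example, not part of the original report or of USBGuard itself: a check that parses `usbguard list-devices` output and flags the state described above, where more than one allowed device exposes one of the keyboard interfaces named in the quoted rule. The sample output is constructed, and the function names and the `limit` parameter are hypothetical.

```python
import re

# Keyboard interface types from the rule quoted in the report.
KEYBOARD_INTERFACES = {"03:00:01", "03:01:01"}

LINE_RE = re.compile(r"^(\d+):\s+(allow|block|reject)\s+(.*)$")
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')
IFACE_RE = re.compile(r"with-interface\s+(?:\{([^}]*)\}|(\S+))")

# Constructed sample of `usbguard list-devices` output (ids, names, hashes are made up).
SAMPLE = """\
3: allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "HASH-A" parent-hash "HASH-P" via-port "usb1" with-interface 09:00:00 with-connect-type ""
4: allow id 1111:0001 serial "" name "Keyboard A" hash "HASH-B" parent-hash "HASH-A" via-port "1-1" with-interface 03:01:01 with-connect-type "hotplug"
5: allow id 2222:0002 serial "" name "Keyboard B" hash "HASH-C" parent-hash "HASH-A" via-port "1-2" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
6: allow id 3333:0003 serial "" name "Mouse" hash "HASH-D" parent-hash "HASH-A" via-port "1-3" with-interface 03:01:02 with-connect-type "hotplug"
7: block id 4444:0004 serial "" name "Keyboard C" hash "HASH-E" parent-hash "HASH-A" via-port "1-4" with-interface 03:00:01 with-connect-type "hotplug"
"""

def parse_devices(text):
    """Return (id, target, interfaces) for each device line."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Blank out quoted values so a device name cannot spoof an attribute.
        bare = QUOTED_RE.sub('""', m.group(3))
        im = IFACE_RE.search(bare)
        ifaces = set((im.group(1) or im.group(2) or "").split()) if im else set()
        devices.append((int(m.group(1)), m.group(2), ifaces))
    return devices

def audit(text, limit=1):
    """(ok, ids): ok is False when more than `limit` allowed devices expose a keyboard interface."""
    ids = [num for num, target, ifaces in parse_devices(text)
           if target == "allow" and ifaces & KEYBOARD_INTERFACES]
    return len(ids) <= limit, ids

if __name__ == "__main__":
    ok, ids = audit(SAMPLE)
    print("OK" if ok else "VIOLATION", "allowed keyboard device ids:", ids)
```

Running `audit()` on the real `usbguard list-devices` output after each service restart or reboot shows whether the single-keyboard policy survived it.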

              rh-ee-alakatos Attila Lakatos
              rhn-support-mijjapur Murali Prudhvi Dhar Rao Ijjapureddi
              Attila Lakatos Attila Lakatos
              Natália Bubáková Natália Bubáková