aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--system/usbguard/README40
-rw-r--r--system/usbguard/config/rc.usbguard63
-rw-r--r--system/usbguard/config/usbguard.logrotate10
-rw-r--r--system/usbguard/doinst.sh25
-rw-r--r--system/usbguard/slack-desc19
-rw-r--r--system/usbguard/usbguard.SlackBuild108
-rw-r--r--system/usbguard/usbguard.info10
7 files changed, 275 insertions, 0 deletions
diff --git a/system/usbguard/README b/system/usbguard/README
new file mode 100644
index 0000000000000..543066146ecb8
--- /dev/null
+++ b/system/usbguard/README
@@ -0,0 +1,40 @@
+The USBGuard software framework helps to protect your
+computer against unauthorized use of USB ports on
+a machine. To enforce the user-defined policy, it uses
+the USB device authorization feature implemented in the
+Linux kernel since 2007.
+
+USBGuard supports granular policy options as well as
+blacklisting and whitelisting capabilities for specifying
+how USB devices will interact with a particular host system.
+
+A device that is blocked will be listed by the operating
+system as being connected, but no communication is allowed
+for it. A device that is rejected will be completely ignored
+after it is inserted into the port.
+
+Optional dependencies:
+ - audit
+ - libseccomp
+
+To have the USBGuard daemon start and stop with your host,
+add to /etc/rc.d/rc.local:
+
+ if [ -x /etc/rc.d/rc.usbguard ]; then
+ /etc/rc.d/rc.usbguard start
+ fi
+
+and to /etc/rc.d/rc.local_shutdown (creating it if needed):
+
+ if [ -x /etc/rc.d/rc.usbguard]; then
+ /etc/rc.d/rc.usbguard stop
+ fi
+
+Warning: You must configure the daemon before you start it
+or all USB devices will immediately be blocked!
+
+In order to view the current policy execute the following
+command: sudo usbguard generate-policy
+
+If you are satisfied with the output then copy it to the rules file.
+sudo usbguard generate-policy >> /etc/usbguard/rules.conf
diff --git a/system/usbguard/config/rc.usbguard b/system/usbguard/config/rc.usbguard
new file mode 100644
index 0000000000000..71f7975d24a69
--- /dev/null
+++ b/system/usbguard/config/rc.usbguard
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# Start/Stop/Restart the USBGuard daemon.
+#
+
+PIDFILE=/var/run/usbguard.pid
+USBGUARD_OPTS="-f -s"
+
+# Start
+usbguard_start() {
+ if [ -x /usr/sbin/usbguard-daemon ]; then
+ if [ -e "$PIDFILE" ]; then
+ echo "USBGuard daemon already started!"
+ else
+ echo "Starting USBGuard daemon..."
+ /usr/sbin/usbguard-daemon $USBGUARD_OPTS
+ fi
+ fi
+}
+
+# Stop
+usbguard_stop() {
+ echo "Stopping USBGuard daemon..."
+ if [ -e "$PIDFILE" ]; then
+ kill $(cat $PIDFILE)
+ rm -f $PIDFILE 2>&1 >/dev/null
+ fi
+ # Just in case:
+ killall usbguard-daemon 2>&1 >/dev/null
+}
+
+# Restart
+usbguard_restart() {
+ usbguard_stop
+ sleep 3
+ usbguard_start
+}
+
+# Status
+usbguard_status() {
+ if [ -e "$PIDFILE" ]; then
+ echo "usbguard-daemon is running."
+ else
+ echo "usbguard-daemon is stopped."
+ fi
+}
+
+case "$1" in
+'start')
+ usbguard_start
+ ;;
+'stop')
+ usbguard_stop
+ ;;
+'restart')
+ usbguard_restart
+ ;;
+'status')
+ usbguard_status
+ ;;
+*)
+ echo "usage: $0 start|stop|restart|status"
+esac
diff --git a/system/usbguard/config/usbguard.logrotate b/system/usbguard/config/usbguard.logrotate
new file mode 100644
index 0000000000000..1ed4e106fe9ce
--- /dev/null
+++ b/system/usbguard/config/usbguard.logrotate
@@ -0,0 +1,10 @@
+/var/log/usbguard/usbguard-audit.log {
+ daily
+ rotate 7
+ copytruncate
+ delaycompress
+ compress
+ notifempty
+ missingok
+}
+
diff --git a/system/usbguard/doinst.sh b/system/usbguard/doinst.sh
new file mode 100644
index 0000000000000..1d67f5cd4afaf
--- /dev/null
+++ b/system/usbguard/doinst.sh
@@ -0,0 +1,25 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ -e $OLD ]; then
+ cp -a $OLD ${NEW}.incoming
+ cat $NEW > ${NEW}.incoming
+ mv ${NEW}.incoming $NEW
+ fi
+ config $NEW
+}
+
+preserve_perms etc/rc.d/rc.usbguard.new
+config etc/logrotate.d/usbguard.new
diff --git a/system/usbguard/slack-desc b/system/usbguard/slack-desc
new file mode 100644
index 0000000000000..5a155841ea300
--- /dev/null
+++ b/system/usbguard/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+usbguard: usbguard (Software protection against rogue USB devices)
+usbguard:
+usbguard: The USBGuard software framework helps to protect your
+usbguard: computer against rogue USB devices (a.k.a. BadUSB) by
+usbguard: implementing basic whitelisting and blacklisting
+usbguard: capabilities based on device attributes.
+usbguard:
+usbguard:
+usbguard: https://usbguard.github.io/
+usbguard:
+usbguard:
diff --git a/system/usbguard/usbguard.SlackBuild b/system/usbguard/usbguard.SlackBuild
new file mode 100644
index 0000000000000..31ce481e6f272
--- /dev/null
+++ b/system/usbguard/usbguard.SlackBuild
@@ -0,0 +1,108 @@
+#!/bin/sh
+
+# Slackware build script for usbguard
+
+# Copyright 2019 Michael Edie Orlando, FL USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+PRGNAM=usbguard
+VERSION=${VERSION:-0.7.4}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i586 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find -L . \
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+ -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
+ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --build=$ARCH-slackware-linux \
+ --with-crypto-library=sodium \
+ --with-bundled-catch \
+ --with-bundled-pegtl
+
+make
+make install DESTDIR=$PKG
+
+find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+DOCS="VERSION LICENSE CHANGELOG.md README.adoc"
+
+find $PKG/usr/man -type f -exec gzip -9 {} \;
+for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+
+install -D -m 0644 $CWD/config/usbguard.logrotate $PKG/etc/logrotate.d/usbguard.new
+install -D -m 0644 $CWD/config/rc.usbguard $PKG/etc/rc.d/rc.usbguard.new
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a $DOCS $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/system/usbguard/usbguard.info b/system/usbguard/usbguard.info
new file mode 100644
index 0000000000000..0a913747667b5
--- /dev/null
+++ b/system/usbguard/usbguard.info
@@ -0,0 +1,10 @@
+PRGNAM="usbguard"
+VERSION="0.7.4"
+HOMEPAGE="https://usbguard.github.io/"
+DOWNLOAD="https://github.com/USBGuard/usbguard/releases/download/usbguard-0.7.4/usbguard-0.7.4.tar.gz"
+MD5SUM="1cebf50ed9fdbd83f989fcb2e1ae4493"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+REQUIRES="protobuf libqb libsodium"
+MAINTAINER="Michael Edie"
+EMAIL="michael@sawbox.net"