Consider updating 30_security-misc.conf

[wakesend]

https://github.com/Kicksecure/security-misc/blob/master/etc/usbguard/rules.d/30_security-misc.conf%23security-misc-shared

I cherry-picked your config to harden multiple Debian 13s, and noticed those lines:

## Allow only one keyboard to be connected
allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 })
## Allow only one mouse to be connected
allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 })

• Using equals here is incorrect
• Also, if !allowed-matches may cause problems on some PCs

---

Using equals here is incorrect

allow with-interface equals { 03:01:01 } expect the USB-connected device have only ONE interface, 03:01:01.
The problem is there are many keyboard devices which has another interface

# cat /etc/usbguard/rules.conf|grep 03:01:01
allow id xxxx:xxxx serial "" name "Input Receiver" hash "xxxx" parent-hash "xxxx" via-port "X" with-interface { 03:01:01 03:01:02 } <---
allow id xxxx:xxxx serial "" name "Mouse" hash "xxxx" parent-hash "xxxx" via-port "X" with-interface { 03:01:02 03:00:01 03:01:01 }
allow id xxxx:xxxx serial "" name "Keyboard" hash "xxxx" parent-hash "xxxx" via-port "X with-interface 03:01:01 <-- my real USB keyboard

In my case, there is { 03:01:01 03:01:02 } device. "equals" won't match this device, thus will be denied.

if !allowed-matches mistake

Again, both rule uses "equals", expecting exact interface match.
What about this mouse: allow id xxxx:xxxx serial "" name "Mouse" hash "xxxx" parent-hash "xxxx" via-port "X" with-interface { 03:01:02 03:00:01 03:01:01 }, this is famous brand mouse. Your rule never apply to this because of "equals".

My suggestion

• Simplify the rule, because there are many PCs which has internal keyboard-like device (e.g., some PC has keyboard-like device for PC's boot switch!)
• This means "Allow only one" condition is not universal at all.

# Simply allow keyboard/mouse interface
allow with-interface one-of { 03:01:01 03:01:02 }

[wakesend]

Also see "Allow a keyboard-only USB device only if there isn’t already a USB device with a keyboard interface allowed" https://usbguard.github.io/documentation/rule-language , it uses one-of

[ArrayBolt3]

allow with-interface equals { 03:01:01 } expect the USB-connected device have only ONE interface, 03:01:01.
The problem is there are many keyboard devices which has another interface

This is a known issue, and unfortunately similarly to #350 there's not much that can be done to keep this from causing problems. Should a device that looks like two keyboards be allowed? There are USB cables in existence that embed a keyboard emulator that can attack a device. If someone's perfectly normal keyboard is connected through one of those, and it presents as two keyboards, that would be a problem. There's no reasonable way (to my awareness, correct me if I'm wrong) to distinguish that case from a normal keyboard that presents itself as multiple devices for some reason. This is why we configure USBGuard to accept all devices that are plugged in when the system boots; it allows those kinds of devices to be used anyway, but with a caveat that will hopefully reduce risks. The same security issues exist with the mouse in question, and the same workaround applies.

[garganzol]

there's no reasonable way (to my awareness, correct me if I'm wrong) to distinguish that case from a normal keyboard

allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 })

USBGuard has with-connect-type flag, why not use it?

e.g.,

# Restrict 2nd device, only if the device is connected externally (USB)
allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 }) with-connect-type "hotplug"

[ArrayBolt3]

@garganzol I don't see a with-connect-type feature documented at https://usbguard.github.io/documentation/rule-language.html.