Skip to content

SolverNA/usb-auth-guard

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

28 Commits
debian
debian
Β 
Β 
src
src
Β 
Β 
.gitignore
.gitignore
Β 
Β 
Makefile
Makefile
Β 
Β 
README.md
README.md
Β 
Β 
install.sh
install.sh
Β 
Β 
uninstall.sh
uninstall.sh
Β 
Β 

Repository files navigation

usb-auth-guard

Blocks all USB devices by default and shows a native polkit password dialog before allowing any new device.

Protects against:

  • BadUSB / Rubber Ducky / O.MG Cable β€” HID injection blocked until auth
  • USB data exfiltration β€” drives require password
  • Physical access attacks β€” VID:PID spoofing doesn't help
Insert USB β†’ USBGuard blocks it
                ↓
      usb-auth-guard detects event
                ↓
      Password dialog appears
                ↓
  Correct password β†’ device works
  Cancel / wrong   β†’ device stays blocked

Supported distributions

Distro Status
Debian / Ubuntu / Kali βœ… Supported
Arch Linux / Manjaro βœ… Supported
Other systemd-based ⚠️ May work (manual dependency install required)

The installer auto-detects pacman or apt-get and uses the correct package names.

Install

curl -fsSL https://raw.githubusercontent.com/SolverNA/usb-auth-guard/master/install.sh | sudo bash

Then either:

  • Log out and log back in (recommended), or
  • Run: systemctl --user start usb-auth-guard

The service needs to start inside your graphical session for the dialog to appear.

Uninstall

curl -fsSL https://raw.githubusercontent.com/SolverNA/usb-auth-guard/master/uninstall.sh | sudo bash

Troubleshooting

No password prompt appears

# Check service status
systemctl --user status usb-auth-guard
journalctl --user -u usb-auth-guard -f

# Check usbguard-dbus
sudo systemctl status usbguard-dbus

Keyboard/mouse blocked after install

# Allow all devices temporarily
sudo sed -i 's/ImplicitPolicyTarget=.*/ImplicitPolicyTarget=allow/' /etc/usbguard/usbguard-daemon.conf
sudo systemctl restart usbguard

# Reconnect devices, regenerate rules
sudo usbguard generate-policy | sudo tee /etc/usbguard/rules.conf

# Re-enable blocking
sudo sed -i 's/ImplicitPolicyTarget=.*/ImplicitPolicyTarget=block/' /etc/usbguard/usbguard-daemon.conf
sudo systemctl restart usbguard

View logs

journalctl --user -u usb-auth-guard -f   # user service
sudo journalctl -u usbguard -f           # usbguard

Alternative install methods

From source (git clone)

git clone https://github.com/SolverNA/usb-auth-guard
cd usb-auth-guard
sudo make install
systemctl --user enable --now usb-auth-guard

Build .deb package (Debian/Ubuntu only)

git clone https://github.com/SolverNA/usb-auth-guard
cd usb-auth-guard
make deb
sudo apt install ./usb-auth-guard_1.0.0.deb
systemctl --user enable --now usb-auth-guard

How it works

Component Role
USBGuard Blocks devices at kernel level
usbguard-dbus Exposes events on D-Bus
usb-auth-guard Python daemon listening for events
polkit + pkexec Native password dialog
helper Root helper for usbguard allow-device

Authorization is per-session only β€” same device requires re-auth next time.

Requirements

  • systemd
  • Python 3
  • polkit / pkexec
  • Arch / Manjaro: usbguard python-dbus python-gobject
  • Debian / Ubuntu: usbguard python3-dbus python3-gi

All dependencies are installed automatically by the installer.

License

MIT

About

πŸ”’ Block all USB devices by default β€” require password auth via polkit before any device is allowed. Protects against BadUSB, Rubber Ducky & HID injection attacks.

Topics

python debian kde rubber-ducky systemd dbus hardening pentest kali-linux badusb security-tools linux-security polkit physical-security usbguard endpoint-security hid-attack usb-security

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages