usbguard: generate policy for connected devices
Also nftables: don't start the service right away (the nftables kernel module might not be loaded yet)
parent
a3595c7e21
commit
81c89d0ecb
@ -68,7 +68,7 @@ $ sudo ansible-playbook -v setup.yml
- [ ] [libudev-zero](https://github.com/illiliti/libudev-zero/)
- [x] ACPI events
- [ ] Better way to handle libvirt's firewall rules (currently hardcoded)
- [ ] /etc/security/access.conf (maybe)
- [ ] /etc/security/access.conf (maybe?)
- [ ] snapper / btrbk (rootfs=btrfs)
## 📄 License
@ -17,4 +17,3 @@
name: nftables
runlevel: default
enabled: yes
state: started
@ -20,3 +20,20 @@
runlevel: default
enabled: yes
state: started
- name: usbguard | Check whether there are defined policies
stat:
path: /etc/usbguard/rules.conf
register: have_policies
# Or else you will be locked out from your desktop with no keyboards and mice
- name: usbguard | Generate policies for currently connected devices
shell: /usr/bin/usbguard generate-policy > /etc/usbguard/rules.conf
when: have_policies.stat.size == 0
- name: usbguard | Ensure correct permissions for /etc/usbguard/rules.conf
file:
path: /etc/usbguard/rules.conf
owner: root
group: root
mode: 0600
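Review bot: `when: have_policies.stat.size == 0` on the generate-policy task fails with an undefined-attribute error when /etc/usbguard/rules.conf does not exist yet, because `stat` only returns `size` for an existing path — on a fresh host the policy is never generated and the play aborts; use `when: not have_policies.stat.exists or have_policies.stat.size == 0`. The three context lines above the new tasks look like the tail of a service task that is already `state: started` (its `name:` is outside the hunk), and usbguard-daemon reads rules.conf at startup, so a policy generated afterwards only takes effect after a restart — either move the generate task ahead of the service task or add `notify: restart usbguard` with a matching handler. It is also worth stating the trust assumption in the comment, e.g. `# generate-policy allow-lists every device attached right now — run the first provisioning with only trusted devices plugged in`. Finally, `mode: 0600` and `enabled: yes` are better written as `mode: "0600"` and `enabled: true` to avoid YAML 1.1 octal/boolean surprises.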