From 81c89d0ecb5eb4eaa5de7fb3eb60177772f05d8c Mon Sep 17 00:00:00 2001
From: FollieHiyuki
Date: Tue, 22 Mar 2022 00:16:49 +0700
Subject: [PATCH] usbguard: generate policy for connected devices

Also nftables: don't start the service right away (the nftables module might not be loaded immediately)
---
 README.md | 2 +-
 roles/nftables/tasks/main.yml | 1 -
 roles/usbguard/tasks/main.yml | 17 +++++++++++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index e3337b0..b01fd30 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,7 @@ $ sudo ansible-playbook -v setup.yml
 - [ ] [libudev-zero](https://github.com/illiliti/libudev-zero/)
 - [x] ACPI events
 - [ ] Better way to handle libvirt's firewall rules (currently hardcoded)
-- [ ] /etc/security/access.conf (maybe)
+- [ ] /etc/security/access.conf (maybe?)
 - [ ] snapper / btrbk (rootfs=btrfs)
 
 ## 📄 License
diff --git a/roles/nftables/tasks/main.yml b/roles/nftables/tasks/main.yml
index 1d6209f..7537068 100644
--- a/roles/nftables/tasks/main.yml
+++ b/roles/nftables/tasks/main.yml
@@ -17,4 +17,3 @@
     name: nftables
     runlevel: default
     enabled: yes
-    state: started
diff --git a/roles/usbguard/tasks/main.yml b/roles/usbguard/tasks/main.yml
index 98b12f3..8dd6056 100644
--- a/roles/usbguard/tasks/main.yml
+++ b/roles/usbguard/tasks/main.yml
@@ -20,3 +20,20 @@
     runlevel: default
     enabled: yes
     state: started
+
+- name: usbguard | Check whether there are defined policies
+  stat:
+    path: /etc/usbguard/rules.conf
+  register: have_policies
+
+# Or else you will be locked out from your desktop with no keyboards and mice
+- name: usbguard | Generate policies for currently connected devices
+  shell: /usr/bin/usbguard generate-policy > /etc/usbguard/rules.conf
+  when: have_policies.stat.size == 0
+
+- name: usbguard | Ensure correct permissions for /etc/usbguard/rules.conf
+  file:
+    path: /etc/usbguard/rules.conf
+    owner: root
+    group: root
+    mode: 0600
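Review bot: The guard `when: have_policies.stat.size == 0` on the generate task errors out when /etc/usbguard/rules.conf does not exist yet, because the stat result of a missing path carries no `size` key, so on a fresh host the play fails before any policy is written; use `when: not have_policies.stat.exists or have_policies.stat.size == 0`. The shell redirect creates rules.conf under the shell's umask, so the file can be readable by other users in the window before the trailing file task sets mode 0600; prefixing the command with `umask 077 &&` (or creating the file with the file task first) closes that window. The service task above is already `state: started` when the rules are written, and nothing in the hunk notifies usbguard of the new file; unless the daemon re-reads rules.conf on its own, which I cannot confirm from the hunk, a `notify` to a restart handler is needed for the generated policy to take effect. The generated allow-list covers every device attached at provisioning time, so a comment such as `# Review the generated rules: any device plugged in during the run is allow-listed` would make that trust assumption explicit for the next maintainer.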