usbguard: generate policy for connected devices
Also nftables: don't start the service right away (the nftables module might not be loaded immediately)
parent
a3595c7e21
commit
81c89d0ecb
|
@ -68,7 +68,7 @@ $ sudo ansible-playbook -v setup.yml
|
||||||
- [ ] [libudev-zero](https://github.com/illiliti/libudev-zero/)
|
- [ ] [libudev-zero](https://github.com/illiliti/libudev-zero/)
|
||||||
- [x] ACPI events
|
- [x] ACPI events
|
||||||
- [ ] Better way to handle libvirt's firewall rules (currently hardcoded)
|
- [ ] Better way to handle libvirt's firewall rules (currently hardcoded)
|
||||||
- [ ] /etc/security/access.conf (maybe)
|
- [ ] /etc/security/access.conf (maybe?)
|
||||||
- [ ] snapper / btrbk (rootfs=btrfs)
|
- [ ] snapper / btrbk (rootfs=btrfs)
|
||||||
|
|
||||||
## 📄 License
|
## 📄 License
|
||||||
|
|
|
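Review bot: the only change in this hunk is the TODO item "/etc/security/access.conf (maybe)" becoming "(maybe?)", which has nothing to do with the usbguard and nftables changes the commit message describes; consider keeping README wording tweaks in a separate commit so the history stays searchable.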
@ -17,4 +17,3 @@
|
||||||
name: nftables
|
name: nftables
|
||||||
runlevel: default
|
runlevel: default
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
|
||||||
|
|
|
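Review bot: dropping `state: started` from the nftables service task means the ruleset is only applied after the next reboot, so a host provisioned by this playbook runs without its firewall for the rest of the run and until it is rebooted. Rather than not starting the service at all, load the module first (an Ansible `modprobe` task for `nf_tables`, for example) and keep `state: started`, or at least document in the role that a reboot is required before the rules are active; the commit message should also say which error the premature start produced so the workaround can be revisited.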
@ -20,3 +20,20 @@
|
||||||
runlevel: default
|
runlevel: default
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
|
- name: usbguard | Check whether there are defined policies
|
||||||
|
stat:
|
||||||
|
path: /etc/usbguard/rules.conf
|
||||||
|
register: have_policies
|
||||||
|
|
||||||
|
# Or else you will be locked out from your desktop with no keyboards and mice
|
||||||
|
- name: usbguard | Generate policies for currently connected devices
|
||||||
|
shell: /usr/bin/usbguard generate-policy > /etc/usbguard/rules.conf
|
||||||
|
when: have_policies.stat.size == 0
|
||||||
|
|
||||||
|
- name: usbguard | Ensure correct permissions for /etc/usbguard/rules.conf
|
||||||
|
file:
|
||||||
|
path: /etc/usbguard/rules.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0600
|
||||||
|
|
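Review bot: the condition `when: have_policies.stat.size == 0` fails with an undefined-attribute error on a fresh host, because the `stat` module does not return `size` when the file does not exist (`stat.exists` is false); use `when: not have_policies.stat.exists or have_policies.stat.size == 0`. Two smaller points in the same hunk: the generate task is appended after the `state: started` service task shown in context, so usbguard can start with no rules before the policy is written, which is exactly the lock-out the comment warns about, so move the generate task before the service task or notify a restart handler after writing `/etc/usbguard/rules.conf`; and the `shell` task with a redirect reports "changed" on every run and leaves an empty file behind if `generate-policy` fails, so add `creates: /etc/usbguard/rules.conf` (or `changed_when`) and write to a temp file first.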