#

# Rule set file path.

#

# The USBGuard daemon will use this file to load the policy

# rule set from it and to write new rules received via the

# IPC interface.

#

# RuleFile=/path/to/rules.conf

#

RuleFile=/etc/usbguard/rules.conf

#

# Implicit policy target.

#

# How to treat devices that don't match any rule in the

# policy. One of:

#

# * allow  - authorize the device

# * block  - block the device

# * reject - remove the device

#

ImplicitPolicyTarget=block

#

# Present device policy.

#

# How to treat devices that are already connected when the

# daemon starts. One of:

#

# * allow        - authorize every present device

# * block        - deauthorize every present device

# * reject       - remove every present device

# * keep         - just sync the internal state and leave it

# * apply-policy - evaluate the ruleset for every present

#                  device

#

PresentDevicePolicy=apply-policy

#

# Present controller policy.

#

# How to treat USB controllers that are already connected

# when the daemon starts. One of:

#

# * allow        - authorize every present device

# * block        - deauthorize every present device

# * reject       - remove every present device

# * keep         - just sync the internal state and leave it

# * apply-policy - evaluate the ruleset for every present

#                  device

#

PresentControllerPolicy=keep

#!!! WARNING: It's good practice to set at least one of the !!!

#!!!          two options bellow. If none of them are set,  !!!

#!!!          the daemon will accept IPC connections from   !!!

#!!!          anyone, thus allowing anyone to modify the    !!!

#!!!          rule set and (de)authorize USB devices.       !!!

#

# Users allowed to use the IPC interface.

#

# A space delimited list of usernames that the daemon will

# accept IPC connections from.

#

# IPCAllowedUsers=username1 username2 ...

#

IPCAllowedUsers=root

#

# Groups allowed to use the IPC interface.

#

# A space delimited list of groupnames that the daemon will

# accept IPC connections from.

#

# IPCAllowedGroups=groupname1 groupname2 ...

#

IPCAllowedGroups=wheel

#

# Generate device specific rules including the "via-port"

# attribute.

#

# This option modifies the behavior of the allowDevice

# action. When instructed to generate a permanent rule,

# the action can generate a port specific rule. Because

# some systems have unstable port numbering, the generated

# rule might not match the device after rebooting the system.

#

# If set to false, the generated rule will still contain

# the "parent-hash" attribute which also defines an association

# to the parent device. See usbguard-rules.conf(5) for more

# details.

#

DeviceRulesWithPort=false

#

# USBGuard audit events log file path.

#

AuditFilePath=/var/log/usbguard/usbguard-audit.log