USBGuard

使用 usbguard 是防范恶意设备、橡皮鸭、OMG 电缆或 "等同于 3 个字母的政府机构 "等常见攻击的必要手段。

Especially thunderbolt (which can be blocked globally, see this config as to how can grant attackers access to your RAM, which means encryption keys and more.

1. Install USBGuard

   Debian/Ubuntu or Linux mint:

   sudo apt install usbguard usbutils udisks2 usbguard-notifier

   Fedora:

   sudo dnf install -y usbguard usbguard-notifier usbguard-selinux

2. Set it up

确保键盘和鼠标已插好。

这些命令将永久允许所有当前连接的设备：

pkexec sh -c '
        mkdir -p /var/log/usbguard
        mkdir -p /etc/usbguard
        chmod 755 /etc/usbguard
        usbguard generate-policy > /etc/usbguard/rules.conf
        systemctl enable --now usbguard.service
        usbguard add-user $1
    ' -- $ACTIVE_USERNAME
    systemctl enable --user --now usbguard-notifier.service