diff --git a/Containerfile b/Containerfile
index b66076e..fe417d4 100644
--- a/Containerfile
+++ b/Containerfile
@@ -6,7 +6,8 @@ FROM quay.io/fedora-ostree-desktops/silverblue:${FEDORA_MAJOR_VERSION}
 COPY rootfs/ /
 
 RUN systemctl enable rpm-ostree-kargs.service && \
- rpm-ostree install chromium haveged && \
+ rpm-ostree install chromium haveged usbguard && \
 rpm-ostree override remove firefox firefox-langpacks && \
 rpm-ostree cleanup -m && \
+ systemctl enable usbguard.service && \
 ostree container commit
diff --git a/README.md b/README.md
index 51b4a3a..63772e8 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ Features
 - Set additional kernel runtime parameters.
 - Blacklist rarely used kernel modules.
 - Replace Firefox with Chromium.
+- Install and enable [USBGuard][5].
 
 Verification
 ------------
@@ -39,3 +40,4 @@ References
 [2]: https://madaidans-insecurities.github.io/guides/linux-hardening.html
 [3]: https://wiki.archlinux.org/title/Security
 [4]: https://docs.sigstore.dev/cosign/overview/
+[5]: https://github.com/USBGuard/usbguard
diff --git a/rootfs/etc/systemd/system/usbguard.service.d/override.conf b/rootfs/etc/systemd/system/usbguard.service.d/override.conf
new file mode 100644
index 0000000..ad10b96
--- /dev/null
+++ b/rootfs/etc/systemd/system/usbguard.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=-mkdir -p /var/log/usbguard
+ExecStartPre=-/bin/sh -C -c 'usbguard generate-policy > /etc/usbguard/rules.d/custom.conf'
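Review bot: The new `systemctl enable usbguard.service` is placed after `rpm-ostree cleanup -m`, separated from the existing `systemctl enable rpm-ostree-kargs.service` on the first line of the RUN; grouping both enables together (`RUN systemctl enable rpm-ostree-kargs.service usbguard.service && \`) keeps the package operations contiguous and makes the enabled-units set visible at a glance. Because the unit is enabled at image build time while the rule set is only produced by the override.conf added elsewhere in this diff on the first service start, the effective USB policy of a deployment is decided by whatever devices are attached at first boot, not by the image; a short sentence in the README feature list saying so would save users a surprise. The rpm-ostree package set is unpinned, so image reproducibility depends entirely on the base image tag, which this change does not alter.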
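Review bot: The second ExecStartPre writes the generated policy straight into `/etc/usbguard/rules.d/custom.conf` with `sh -C` (noclobber) and a leading `-`, so an interrupted or partial first write is kept forever and never regenerated, and any failure (missing `/etc/usbguard/rules.d/`, a sandboxed `/etc` if the base unit uses ProtectSystem — worth confirming against the Fedora unit) is silently ignored, after which the daemon starts with no rules and, depending on the default implicit policy, may block every device including the keyboard. Writing to a temp file and renaming, with an explicit existence check instead of noclobber, makes the first-boot generation atomic: `ExecStartPre=-/bin/sh -c '[ -e /etc/usbguard/rules.d/custom.conf ] || { umask 077; usbguard generate-policy > /etc/usbguard/rules.d/custom.conf.tmp && mv /etc/usbguard/rules.d/custom.conf.tmp /etc/usbguard/rules.d/custom.conf; }'`. Note also that this relies on `RuleFolder` in usbguard-daemon.conf pointing at `/etc/usbguard/rules.d/`; if the packaged default differs, the file is never read, so setting it explicitly under rootfs/ is safer. A comment at the top of the file stating that the allowlist is generated once from the devices present at first boot and must be deleted to be regenerated would document the trust-on-first-boot behaviour for whoever maintains this image.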