From 70e9e581078038f9c89a75c990b6d094783346ef Mon Sep 17 00:00:00 2001
From: Agus Lopez
Date: Fri, 21 Jul 2023 14:02:18 +0200
Subject: [PATCH] Install and enable USBGuard
https://madaidans-insecurities.github.io/guides/linux-hardening.html#usbs
---
 Containerfile | 3 ++-
 README.md | 2 ++
 rootfs/etc/systemd/system/usbguard.service.d/override.conf | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 rootfs/etc/systemd/system/usbguard.service.d/override.conf
diff --git a/Containerfile b/Containerfile
index b66076e..fe417d4 100644
--- a/Containerfile
+++ b/Containerfile
@@ -6,7 +6,8 @@ FROM quay.io/fedora-ostree-desktops/silverblue:${FEDORA_MAJOR_VERSION}
 COPY rootfs/ /
 RUN systemctl enable rpm-ostree-kargs.service && \
- rpm-ostree install chromium haveged && \
+ rpm-ostree install chromium haveged usbguard && \
 rpm-ostree override remove firefox firefox-langpacks && \
 rpm-ostree cleanup -m && \
+ systemctl enable usbguard.service && \
 ostree container commit
diff --git a/README.md b/README.md
index 51b4a3a..63772e8 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ Features
 - Set additional kernel runtime parameters.
 - Blacklist rarely used kernel modules.
 - Replace Firefox with Chromium.
+- Install and enable [USBGuard][5].
 Verification
 ------------
@@ -39,3 +40,4 @@ References
 [2]: https://madaidans-insecurities.github.io/guides/linux-hardening.html
 [3]: https://wiki.archlinux.org/title/Security
 [4]: https://docs.sigstore.dev/cosign/overview/
+[5]: https://github.com/USBGuard/usbguard
diff --git a/rootfs/etc/systemd/system/usbguard.service.d/override.conf b/rootfs/etc/systemd/system/usbguard.service.d/override.conf
new file mode 100644
index 0000000..ad10b96
--- /dev/null
+++ b/rootfs/etc/systemd/system/usbguard.service.d/override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=-mkdir -p /var/log/usbguard
+ExecStartPre=-/bin/sh -C -c 'usbguard generate-policy > /etc/usbguard/rules.d/custom.conf'
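Review bot: The added `systemctl enable usbguard.service` turns enforcement on for every system built from this image, but the patch ships no `usbguard-daemon.conf`, so the effective behaviour is left to the Fedora package defaults. Settings such as `ImplicitPolicyTarget`, `PresentDevicePolicy` and the IPC access lists decide what happens to devices not covered by the generated rules and who may change the policy at runtime. Consider committing an explicit `rootfs/etc/usbguard/usbguard-daemon.conf`, or adding a comment above the `RUN` line such as `# usbguard: relies on the packaged usbguard-daemon.conf defaults (implicit block)` once those defaults have been confirmed.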
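Review bot: The second `ExecStartPre=` line builds the allow-list from whatever is attached when the service first starts, so any device plugged in at first boot becomes permanently trusted, and the leading `-` hides every failure. Because `sh -C` (noclobber) refuses to overwrite, an interrupted or failed `usbguard generate-policy` leaves an empty or partial `custom.conf` that is never regenerated; with a blocking implicit policy that could leave the machine without a usable keyboard. Writing to a temporary file and renaming it only on success would avoid that. The file is also created under the unit's default umask, while USBGuard expects rule files to be readable by root only (whether the daemon enforces this for `rules.d` should be confirmed), so set it explicitly: `ExecStartPre=-/bin/sh -C -c 'umask 077; usbguard generate-policy > /etc/usbguard/rules.d/custom.conf'`. The README entry should also state that first boot must happen with only trusted USB devices connected.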