https://bugzilla.redhat.com/show_bug.cgi?id=1554021

            Bug ID: 1554021
           Summary: Review Request: usbauth - USB firewall against BadUSB
                    attacks
           Product: Fedora
           Version: rawhide
         Component: Package Review
          Severity: medium
          Assignee: nob...@fedoraproject.org
          Reporter: stefan.koc...@gmail.com
        QA Contact: extras...@fedoraproject.org
                CC: package-review@lists.fedoraproject.org



### usbauth ###

Spec URL:
https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00726579-usbauth/usbauth.spec

SRPM URL:
https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00726579-usbauth/usbauth-1.0-1.fc27.src.rpm

Description: It is a firewall against BadUSB attacks. A config file describes in
which way USB interfaces would be accepted or denied.
To the kernel an interface authorization was developed with this firewall.
The firewall sets the authorization mask according to the rules.

#######################

Hi

I want to add the packages libusbauth-configparser, usbauth, usbauth-notifier
to Fedora. I need a review and a sponsor for packaging these packages.

The usbauth packages are already part of openSUSE Tumbleweed, Debian Sid and Ubuntu
18.04 (pre).

This work was initially created for SUSE in 2015. Part of it was the USB
interface authorization for the Linux kernel. It's contained in Linux since
kernel version 4.4.
There are the following packages libusbauth-configparser, usbauth,
usbauth-notifier.

GIT Repository: https://github.com/kochstefan/usbauth-all.git

NOTICE about usbguard and usbauth:
The usbguard project provides a USB firewall, too. It is already packaged
within Debian.
The usbguard development was supported by Red Hat and usbauth was
supported by SUSE. Historically, usbguard was published while the work
on usbauth had already been started.
The main difference is that usbguard works with USB devices and usbauth works
with USB interfaces.

usbauth could allow/deny USB interfaces using the new USB interface
authorization mechanism that is part of Linux 4.4 and above.
See also: 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=v4.4.94&qt=grep&q=interface+auth

Examples:
* allow a storage functionality of a USB device and deny USB Ethernet of 
the same device
* allow audio/video functionality of a USB TV card and deny using the
remote control functionality
* allow USB printing/scanning and deny USB storage usage of a 
multifunction printer (BTW: the interface mechanism supports denying 
user space triggered actions (using USB claiming) like scanning)

usbguard could allow/deny USB devices using the USB device authorization
mechanism of the Linux kernel.
It allows denying a whole device if one interface of it is considered
as bad (usbauth supports this, too).
usbguard allows creating actions, which is not supported by usbauth.

If you can understand the German language you could read
a detailed description:
https://epub.uni-bayreuth.de/3048/1/koch2017sicherheitsaspekte.pdf

Thank you

Stefan Koch
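
The interface authorization this request refers to is exposed by Linux 4.4 and later as an `authorized` attribute on each interface node in sysfs. The following is an added example, not part of the original message and not usbauth's code or rule format, that audits those attributes and applies a class-based allow list. The `allowed_classes` policy, the function names and the sample tree are assumptions constructed for illustration; writing to the real sysfs tree requires root.

```python
import re
import tempfile
from pathlib import Path

# Interface nodes in sysfs are named <bus>-<port path>:<config>.<interface>
INTERFACE_DIR = re.compile(r"^\d+-[\d.]+:\d+\.\d+$")
HUB_CLASS = "09"  # hubs are left alone so downstream ports keep working

def list_interfaces(root="/sys/bus/usb/devices"):
    """Return (name, interface class, authorized) for each USB interface under root."""
    found = []
    for entry in sorted(Path(root).iterdir()):
        if not INTERFACE_DIR.match(entry.name):
            continue  # device or host controller node, not an interface
        cls = (entry / "bInterfaceClass").read_text().strip().lower()
        auth_file = entry / "authorized"
        # Kernels older than 4.4 have no per-interface attribute: report None
        state = auth_file.read_text().strip() == "1" if auth_file.exists() else None
        found.append((entry.name, cls, state))
    return found

def apply_policy(allowed_classes, root="/sys/bus/usb/devices"):
    """Authorize interfaces whose class is allowed, deauthorize the rest; return changes."""
    changes = []
    for name, cls, state in list_interfaces(root):
        want = cls in allowed_classes
        if cls == HUB_CLASS or state is None or state == want:
            continue
        # On a real system, binding a driver after writing 1 also needs drivers_probe
        (Path(root) / name / "authorized").write_text("1" if want else "0")
        changes.append((name, cls, want))
    return changes

def build_sample_tree():
    """Constructed sysfs-like tree: a hub plus one device with storage (08) and CDC (02)."""
    root = Path(tempfile.mkdtemp())
    for name in ("usb1", "1-2"):
        (root / name).mkdir()
    for name, cls in (("1-0:1.0", "09"), ("1-2:1.0", "08"), ("1-2:1.1", "02")):
        (root / name).mkdir()
        (root / name / "bInterfaceClass").write_text(cls + "\n")
        (root / name / "authorized").write_text("1\n")
    return root

if __name__ == "__main__":
    root = build_sample_tree()  # runs against the constructed tree, not real sysfs
    print(list_interfaces(root))
    print(apply_policy({"08"}, root))
    print(list_interfaces(root))
```

With the allow list `{"08"}`, the storage interface of the sample device stays authorized while the communications interface of the same device is deauthorized, which is the per-interface distinction the message describes.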
