From Fedora Project Wiki

Revision as of 09:41, 21 March 2017 by Mildew (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Description

This test case tests usbguard CLI rule management.

Setup

  1. Ensure the usbguard package is installed
  2. To start from a clean state, ensure that the usbguard service is stopped and that there's no existing policy.
  3. Ensure that there's at least one USB device connected to your system which can be disconnected and connected again. For example a USB flash drive. Do not use a USB keyboard if it's your only keyboard. You'll need it to type in the commands ;-)
How to get to a clean state
As root, run systemctl stop usbguard and rm -f /etc/usbguard/rules.conf. This will remove your policy, so make a backup if you don't want to lose it.

How to test

  1. Start the usbguard service:
    # systemctl start usbguard
  2. Check that your connected USB devices are still working.
  3. List rules using the usbguard tool and check that there are no rules:
    # usbguard list-rules
  4. Create a permanent allow rule for the connected USB device:
    # usbguard list-devices
    # usbguard allow-device -p <device_id>
  5. List rules and check that there is an allow rule for the device:
    # usbguard list-rules
  6. Disconnect the USB device and connect it again. Check that it's working.
  7. Restart the usbguard service:
    # systemctl restart usbguard
  8. Disconnect the USB device and connect it again. Check that it's working.
  9. Remove the allow rule:
    # usbguard remove-rule <id>
  10. Disconnect the USB device and connect it again. Check that it's NOT working.

Expected Results

  1. Connected USB devices work after the usbguard service start.
  2. Permanent changes to the policy survive usbguard service restart.
  3. While the usbguard service is running, the USB device works if it's reconnected and there's a matching allow rule for the device.
  4. While the usbguard service is running, the USB device does NOT work when it's reconnected and there's no matching allow rule for the device.