Hello Guys,
In past couple of weeks i was working on a small project with very specific objective where i need to enable and disable the usb support on linux based edge device. I have use raspberry pi 4 as i don't have any other supported industrial controller with me.
I have started with installing the default available os on the rasberry pi and i was able to login on the system which looks like
after doing it i need to enable and disable the usb support on lets say hundreds of devices so its automation is the way cant do it manually at the same time i need to make sure that system should not required reboot other wise it will beat the purpose. so i can not go with conventional way of disabling the usb support at kernel level.
so after much google i have come across a utility in linux called usbguard which can be helpful. once the approach is finalised then i have moved into the write a playbook the playbook looks as
---
- name: enable disable USB
hosts: "{{target}}"
become: true
vars:
enable_usb: allow
tasks:
- name: Install usb guard on redhat family os
ansible.builtin.yum:
name: usbguard
state: present
when: ansible_facts['os_family'] == 'RedHat'
- name: Install usb guard on others
ansible.builtin.apt:
name: usbguard
state: present
when: ansible_facts['os_family'] == 'Debian'
- name: Install usb guard on the edge devices
ansible.builtin.template:
src: usbguard-daemon.conf.j2
dest: /etc/usbguard/usbguard-daemon.conf
owner: root
group: root
mode: '0600'
- name: restart usb guard service to {{ enable_usb }}
ansible.builtin.service:
name: usbguard
state: restarted
enabled: true
and template look like
RuleFile=/etc/usbguard/rules.conf
RuleFolder=/etc/usbguard/rules.d/
ImplicitPolicyTarget={{ enable_usb }}
PresentDevicePolicy={{ enable_usb}}
PresentControllerPolicy={{enable_usb}}
InsertedDevicePolicy=apply-policy
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=wheel
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
using above automation i can enable and disable the usb support with the redhat aap with a one click
with This one job i can get my job done