On Fri, Sep 21, 2012 at 8:05 AM, Diaz, DavidA (Plymouth)
<DavidA.Diaz(a)atk.com> wrote:
Hi:
I am wondering how to use auditd and specifically ausearch, to pull out USB
thumbdrive event insertions and removals on my Redhat Enterprise Linux 6
Server?
I can see very easily in the /var/log/messages file detailed logging when I
insert a USB thumbdrive and when I then remove it. But I would really like
to be able to use auditd’s ausearch utility to pull these types of events
out. Any ideas on what my audit.rule should be, and the syntax for ausearch
to extract it for reporting purposes?
When I do look at the audit.log to see what is being captured when I insert
the USB stick, I see indications of comm="usb_id"... But when I remove it, I
do not see any usb text only the umount command.
Thanks, I am relatively new to ausearch so any suggestions would be
appreciated!
I'm not sure where RH6 automounts things, but this works on my Ubuntu
10.04 machine (usb is automounted to /media/<device name>)
auditctl -a exit,always -F arch=b64 -S mount -S umount2 -F dir=/media -F success=1 -k usb
This generates logs like:
inserting:
type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165
success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0
a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40): cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538"
inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null)
inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11
pulling usb drive out:
type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166
success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1
ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount"
exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45): cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538"
inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00
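For the reporting half of the question, here is an added example (my own code, not from the thread) that turns the raw records the rule above produces, as printed by `ausearch -k usb` or read straight from audit.log, into one summary line per mount/umount event. It groups records by the audit serial in `msg=audit(time:serial)`, takes the mount point from the `item=0` PATH record, and maps the x86_64 syscall numbers 165 and 166 (arch=c000003e) to mount and umount2. The sample log is reconstructed from the two events in the reply, plus one constructed unkeyed record to show that only `key="usb"` events are reported. One caveat visible in the records: `auid=4294967295` means no login uid is attached, because the automounter (ppid 1990) did the mount rather than a logged-in user, and a drive that is inserted but never automounted leaves no trace under this rule.

```python
"""Summarise auditd mount/umount2 records carrying key="usb" for reporting."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the two events from the reply above, re-joined one record
# per line, followed by one constructed record with no matching key.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165 success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0 a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40): cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538" inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null) inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11
type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166 success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1 ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45): cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538" inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00
type=SYSCALL msg=audit(1348240900.000:46): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=7001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount" exe="/bin/mount" key=(null)
type=PATH msg=audit(1348240900.000:46): item=0 name="/mnt/constructed" inode=2 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

# x86_64 syscall numbers for the two calls the auditctl rule watches (arch=c000003e).
SYSCALL_NAMES = {"165": "mount", "166": "umount2"}

# One field is key=value where value is "quoted", (parenthesised) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one raw audit record into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    m = MSG_RE.search(line)
    if m:
        fields["_time"] = float(m.group(1))   # epoch seconds of the event
        fields["_serial"] = m.group(2)        # ties SYSCALL, CWD and PATH records together
    return fields


def usb_events(log_text, key="usb"):
    """Group records by serial and return one summary per SYSCALL record tagged with `key`."""
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial[rec["_serial"]].append(rec)

    events = []
    for serial, recs in sorted(by_serial.items(), key=lambda kv: int(kv[0])):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue  # not matched by the -k usb rule (key=(null) or another key)
        name = SYSCALL_NAMES.get(syscall.get("syscall"), "syscall " + syscall.get("syscall", "?"))
        # item=0 of the PATH records is the mount point for both mount and umount2.
        mountpoint = next((r["name"] for r in recs
                           if r.get("type") == "PATH" and r.get("item") == "0"), None)
        events.append({
            "serial": serial,
            "time": datetime.fromtimestamp(syscall["_time"], timezone.utc).isoformat(),
            "action": "mount" if name == "mount" else "unmount",
            "syscall": name,
            "mountpoint": mountpoint,
            "comm": syscall.get("comm"),
            "pid": syscall.get("pid"),
            # auid=4294967295 (unset) means no login session: an automounter did it.
            "auid": None if syscall.get("auid") == "4294967295" else syscall.get("auid"),
            "success": syscall.get("success") == "yes",
        })
    return events


def format_report(events):
    """Render events as fixed-width text lines suitable for a report."""
    return ["{time}  {action:<7} {mountpoint:<22} by {comm} pid={pid} auid={auid}".format(**e)
            for e in events]


if __name__ == "__main__":
    # Real use: ausearch -k usb --raw > usb.log ; python this_script.py usb.log
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    print("\n".join(format_report(usb_events(text))))
```

The `ausearch -k usb` call does the selection that the rule's key makes possible; the script only adds the grouping and the syscall-number lookup that ausearch's `-i` would otherwise do for you. On RHEL 6 the `-F dir=/media` in the rule has to match wherever that system automounts removable media, or the PATH records will carry a different prefix and the rule will not fire at all.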