On Jul 31, 2013, at 8:41 AM, Josh <jokajak(a)gmail.com> wrote:
> I'd like to audit the insertion and removal of all USB devices
> but I'm not sure where to start.
> Do I need to be auditing a specific syscall, or should it be a udev configuration?
> Any tips would be greatly appreciated.

On my Mac (and BSM) I use syslog data to identify USB inserts, which includes the
USB's manufacturer, model number, and serial number. Then I look at the mount command
in the BSM data to see where it was mounted in the file system. Since I monitor all file
reads and writes in BSM, I can also tell what files were read from or written to that USB
thumb drive.
See if the Linux syslog messages contain the USB insert information.
Todd
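
The syslog check suggested above, sketched for Linux as an added example that is not part of the original thread: it groups the kernel's per-port USB messages into insert/remove events with manufacturer, product and serial number. The log lines are constructed samples in the usual kernel message format; the hostname, timestamps and serial number are made up.

```python
import re

# Constructed sample of Linux kernel USB messages as they appear in syslog
# (hostname, timestamps and the serial number are made up for this example).
SAMPLE_LOG = """\
Jul 31 09:02:11 host1 kernel: usb 1-1.2: new high-speed USB device number 7 using ehci_hcd
Jul 31 09:02:11 host1 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567
Jul 31 09:02:11 host1 kernel: usb 1-1.2: Product: Cruzer Blade
Jul 31 09:02:11 host1 kernel: usb 1-1.2: Manufacturer: SanDisk
Jul 31 09:02:11 host1 kernel: usb 1-1.2: SerialNumber: EXAMPLE0001
Jul 31 09:02:12 host1 sshd[811]: Accepted publickey for alice from 192.0.2.10
Jul 31 09:15:40 host1 kernel: usb 1-1.2: USB disconnect, device number 7
Jul 31 09:20:03 host1 kernel: usb 2-1: new full-speed USB device number 3 using uhci_hcd
Jul 31 09:20:03 host1 kernel: usb 2-1: New USB device found, idVendor=046d, idProduct=c077
"""

# Timestamp, host, optional "[uptime]" prefix, then "usb <bus-port>: <message>".
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (?:\[[\s\d.]+\] )?"
                  r"usb (?P<port>[\d.-]+): (?P<msg>.*)$")
IDS = re.compile(r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
FIELDS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}

def usb_events(text):
    """Return one dict per device session (insert, descriptors, removal)."""
    open_dev, events = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a kernel USB message
        port, msg, ts = m["port"], m["msg"], m["ts"]
        if msg.startswith("new ") and "USB device number" in msg:
            dev = {"port": port, "inserted": ts, "removed": None}
            open_dev[port] = dev  # descriptor lines for this port follow
            events.append(dev)
        elif port in open_dev:
            dev = open_dev[port]
            ids = IDS.search(msg)
            key, _, value = msg.partition(": ")
            if ids:
                dev.update(vendor_id=ids["vid"], product_id=ids["pid"])
            elif key in FIELDS:
                dev[FIELDS[key]] = value.strip()
            elif msg.startswith("USB disconnect"):
                dev["removed"] = ts
                del open_dev[port]
    return events

if __name__ == "__main__":
    for event in usb_events(SAMPLE_LOG):
        print(event)
```

A session whose `removed` field is still `None` is a device that was attached and not yet unplugged in the log window; devices that report no serial number simply lack the `serial` key.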