On Jul 31, 2013, at 5:47 PM, zhu xiuming <xiumingzhu(a)gmail.com> wrote:
> my guess is
> -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
> refer to
> http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
>
> On Wed, Jul 31, 2013 at 8:41 AM, Josh <jokajak(a)gmail.com> wrote:
>> I'd like to audit the insertion and removal of all USB devices but I'm not sure
>> where to start.
>> Do I need to be auditing a specific syscall, should it be a udev configuration?
>> Any tips would be greatly appreciated.
>> Thanks,
>> -josh
>> --
>> Linux-audit mailing list
>> Linux-audit(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
That appears to only cover the mounting of filesystems, not any USB device insertion.
Specifically I'd like to capture the insertion of a USB keyboard, USB mouse, or USB
thumb-drive.
Thanks,
-josh