On Jul 31, 2013, at 5:47 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:

My guess is:
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export

Refer to http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf


On Wed, Jul 31, 2013 at 8:41 AM, Josh <jokajak@gmail.com> wrote:
I'd like to audit the insertion and removal of all USB devices but I'm not sure where to start.

Do I need to be auditing a specific syscall, or should it be a udev configuration?

Any tips would be greatly appreciated.

Thanks,
-josh


That appears to only cover the mounting of filesystems, not any USB device insertion. Specifically, I'd like to capture the insertion of a USB keyboard, USB mouse, or USB thumb-drive.

Thanks,
-josh