Re: Auditing USB Question

On Wednesday, July 31, 2013 08:15:21 PM Josh wrote: > That appears to only cover the mounting of filesystems, not any usb device > insertion. Specifically I'd like to capture the insertion of a USB > keyboard, USB mouse, or USB thumb-drive. There is no support for that. Auditing is mostly shaped by common criteria requirements. CC takes the point of view that data import and export is of interest. In order to do that, you have to mount a file system. So, the solution is to watch for mounts. The act of inserting a device has not been considered security relevant because it also says that there is physical security of the data center and random people can't stick random devices into the computer That said...there is the real world. I could see this being interesting for very paranoid setups where a random device could be inserted and start fuzzing the kernel to inject code. But if we consider this, there is also bluetooth and firewire and who knows what other interface to worry about. It might be possible to find the udev code that gets executed and place a watch on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event which ausearch/report will not impose and control over. -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit