On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <sgrubb@redhat.com> wrote:

On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> That appears to only cover the mounting of filesystems, not any usb device
> insertion. Specifically I'd like to capture the insertion of a USB
> keyboard, USB mouse, or USB thumb-drive.

There is no support for that. Auditing is mostly shaped by common criteria
requirements. CC takes the point of view that data import and export is of
interest. In order to do that, you have to mount a file system. So, the
solution is to watch for mounts. The act of inserting a device has not been
considered security relevant because it also says that there is physical
security of the data center and random people can't stick random devices into
the computer

That said...there is the real world. I could see this being interesting for
very paranoid setups where a random device could be inserted and start fuzzing
the kernel to inject code. But if we consider this, there is also bluetooth
and firewire and who knows what other interface to worry about.

It might be possible to find the udev code that gets executed and place a watch
on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event which
ausearch/report will not impose and control over.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan@onyxpoint.com

-- This account not approved for unencrypted proprietary information --