7:15 p.m.
On Jul 31, 2013, at 5:47 PM, zhu xiuming <xiumingzhu(a)gmail.com> wrote:
my guess is
-a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
refer to http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
On Wed, Jul 31, 2013 at 8:41 AM, Josh <jokajak(a)gmail.com> wrote:
I'd like to audit the insertion and removal of all USB devices but I'm not sure
where to start.
Do I need to be auditing a specific syscall, should it be a udev configuration?
Any tips would be greatly appreciated.
Thanks,
-josh
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
That appears to only cover the mounting of filesystems, not any usb device insertion.
Specifically I'd like to capture the insertion of a USB keyboard, USB mouse, or USB
thumb-drive.
Thanks,
-josh
11:35 a.m.
New subject: Auditing USB Question
On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
That appears to only cover the mounting of filesystems, not any usb
device
insertion. Specifically I'd like to capture the insertion of a USB
keyboard, USB mouse, or USB thumb-drive.
There is no support for that. Auditing is mostly shaped by common criteria
requirements. CC takes the point of view that data import and export is of
interest. In order to do that, you have to mount a file system. So, the
solution is to watch for mounts. The act of inserting a device has not been
considered security relevant because it also says that there is physical
security of the data center and random people can't stick random devices into
the computer
That said...there is the real world. I could see this being interesting for
very paranoid setups where a random device could be inserted and start fuzzing
the kernel to inject code. But if we consider this, there is also bluetooth
and firewire and who knows what other interface to worry about.
It might be possible to find the udev code that gets executed and place a watch
on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event which
ausearch/report will not impose and control over.
-Steve
1:04 p.m.
New subject: Auditing USB Question
You don't have to mount media to pull off the data.
dd + one of any number of user space utils can extract data.
But, UDEV is probably the correct subsystem for this.
Trevor
On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> That appears to only cover the mounting of filesystems, not any usb
device
> insertion. Specifically I'd like to capture the insertion of a USB
> keyboard, USB mouse, or USB thumb-drive.
There is no support for that. Auditing is mostly shaped by common criteria
requirements. CC takes the point of view that data import and export is of
interest. In order to do that, you have to mount a file system. So, the
solution is to watch for mounts. The act of inserting a device has not been
considered security relevant because it also says that there is physical
security of the data center and random people can't stick random devices
into
the computer
That said...there is the real world. I could see this being interesting for
very paranoid setups where a random device could be inserted and start
fuzzing
the kernel to inject code. But if we consider this, there is also bluetooth
and firewire and who knows what other interface to worry about.
It might be possible to find the udev code that gets executed and place a
watch
on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event
which
ausearch/report will not impose and control over.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com
-- This account not approved for unencrypted proprietary information --
9:30 a.m.
New subject: Auditing USB Question
On 08/01/2013 02:04 PM, Trevor Vaughan wrote:
You don't have to mount media to pull off the data.
dd + one of any number of user space utils can extract data.
But, UDEV is probably the correct subsystem for this.
Trevor
On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <sgrubb(a)redhat.com
<mailto:sgrubb@redhat.com>> wrote:
On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> That appears to only cover the mounting of filesystems, not any
usb device
> insertion. Specifically I'd like to capture the insertion of a USB
> keyboard, USB mouse, or USB thumb-drive.
There is no support for that. Auditing is mostly shaped by common
criteria
requirements. CC takes the point of view that data import and
export is of
interest. In order to do that, you have to mount a file system.
So, the
solution is to watch for mounts. The act of inserting a device has
not been
considered security relevant because it also says that there is
physical
security of the data center and random people can't stick random
devices into
the computer
That said...there is the real world. I could see this being
interesting for
very paranoid setups where a random device could be inserted and
start fuzzing
the kernel to inject code. But if we consider this, there is also
bluetooth
and firewire and who knows what other interface to worry about.
It might be possible to find the udev code that gets executed and
place a watch
on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP
event which
ausearch/report will not impose and control over.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com <mailto:Linux-audit@redhat.com>
https://www.redhat.com/mailman/listinfo/linux-audit
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan(a)onyxpoint.com <mailto:tvaughan@onyxpoint.com>
-- This account not approved for unencrypted proprietary information --
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
I decided to write a simple udev rule that is triggered when a USB
device is added. From here I can use environment variables to choose
which data gets sent to the audit system as a USER message. This will be
enough for our purposes.
For reverence, here is the udev rule:
ACTION=="add", SUBSYSTEM=="usb",
RUN+="/usr/local/sbin/usb_device_add.sh"
Thanks!
-josh
4159
days inactive
4160
days old
linux-audit@lists.linux-audit.osci.io
3 comments
3 participants
participants (3)
-
Josh -
Steve Grubb -
Trevor Vaughan