Re: Auditing USB Question

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Auditing USB Question
Date: Thu, 01 Aug 2013 12:35:42 -0400	[thread overview]
Message-ID: <2851419.3BDt02r3tb@x2> (raw)
In-Reply-To: <7DF115C1-B9AB-4F69-8D28-FBF4A4E304BA@gmail.com>

On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> That appears to only cover the mounting of filesystems, not any usb device
> insertion.  Specifically I'd like to capture the insertion of a USB
> keyboard, USB mouse, or USB thumb-drive.

There is no support for that. Auditing is mostly shaped by common criteria 
requirements. CC takes the point of view that data import and export is of 
interest. In order to do that, you have to mount a file system. So, the 
solution is to watch for mounts. The act of inserting a device has not been 
considered security relevant because it also says that there is physical 
security of the data center and random people can't stick random devices into 
the computer

That said...there is the real world. I could see this being interesting for 
very paranoid setups where a random device could be inserted and start fuzzing 
the kernel to inject code. But if we consider this, there is also bluetooth 
and firewire and who knows what other interface to worry about.

It might be possible to find the udev code that gets executed and place a watch 
on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event which 
ausearch/report will not impose and control over.

-Steve

next prev parent reply	other threads:[~2013-08-01 16:35 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-07-31 15:41 Auditing USB Question Josh
     [not found] ` <CAP6dAmdUHdrxx7Y5XS9Otd2FV9bB9wLGy3-98dTpX20P_CQ8NA@mail.gmail.com>
2013-08-01  0:15   ` Josh
2013-08-01 16:35     ` Steve Grubb [this message]
2013-08-01 18:04       ` Trevor Vaughan
2013-08-02 14:30         ` Josh
2013-08-01  0:43 ` lists_todd

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2851419.3BDt02r3tb@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox