From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Auditing USB Question
Date: Thu, 01 Aug 2013 12:35:42 -0400
Message-ID: <2851419.3BDt02r3tb@x2>
References: <51F93037.5000202@gmail.com>
	<CAP6dAmdUHdrxx7Y5XS9Otd2FV9bB9wLGy3-98dTpX20P_CQ8NA@mail.gmail.com>
	<7DF115C1-B9AB-4F69-8D28-FBF4A4E304BA@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from x2.localnet (vpn-60-66.rdu2.redhat.com [10.10.60.66])
	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id r71GZwAm010934
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <linux-audit@redhat.com>; Thu, 1 Aug 2013 12:35:59 -0400
In-Reply-To: <7DF115C1-B9AB-4F69-8D28-FBF4A4E304BA@gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> That appears to only cover the mounting of filesystems, not any usb device
> insertion.  Specifically I'd like to capture the insertion of a USB
> keyboard, USB mouse, or USB thumb-drive.

There is no support for that. Auditing is mostly shaped by common criteria 
requirements. CC takes the point of view that data import and export is of 
interest. In order to do that, you have to mount a file system. So, the 
solution is to watch for mounts. The act of inserting a device has not been 
considered security relevant because it also says that there is physical 
security of the data center and random people can't stick random devices into 
the computer

That said...there is the real world. I could see this being interesting for 
very paranoid setups where a random device could be inserted and start fuzzing 
the kernel to inject code. But if we consider this, there is also bluetooth 
and firewire and who knows what other interface to worry about.

It might be possible to find the udev code that gets executed and place a watch 
on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event which 
ausearch/report will not impose and control over.

-Steve