From mboxrd@z Thu Jan  1 00:00:00 1970
From: Josh <jokajak@gmail.com>
Subject: Re: Auditing USB Question
Date: Fri, 02 Aug 2013 10:30:54 -0400
Message-ID: <51FBC29E.4070603@gmail.com>
References: <51F93037.5000202@gmail.com>
	<CAP6dAmdUHdrxx7Y5XS9Otd2FV9bB9wLGy3-98dTpX20P_CQ8NA@mail.gmail.com>
	<7DF115C1-B9AB-4F69-8D28-FBF4A4E304BA@gmail.com>
	<2851419.3BDt02r3tb@x2>
	<CANs+FoW7O6Nxf6gfrf8-CjQ=d8Geqpy_PtWSN7WgTx2u4Yi4VQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1730045302294608345=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx11.extmail.prod.ext.phx2.redhat.com
	[10.5.110.16])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id r72EUwX6021470
	for <linux-audit@redhat.com>; Fri, 2 Aug 2013 10:30:58 -0400
Received: from mail-ve0-f173.google.com (mail-ve0-f173.google.com
	[209.85.128.173])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r72EUuWU007719
	for <linux-audit@redhat.com>; Fri, 2 Aug 2013 10:30:57 -0400
Received: by mail-ve0-f173.google.com with SMTP id cy12so728876veb.32
	for <linux-audit@redhat.com>; Fri, 02 Aug 2013 07:30:56 -0700 (PDT)
Received: from sis-jak-d02.ctisl.gtri.org (frontend.gtri.gatech.edu.
	[130.207.218.196])
	by mx.google.com with ESMTPSA id qh6sm571286vec.0.2013.08.02.07.30.55
	for <linux-audit@redhat.com>
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Fri, 02 Aug 2013 07:30:55 -0700 (PDT)
In-Reply-To: <CANs+FoW7O6Nxf6gfrf8-CjQ=d8Geqpy_PtWSN7WgTx2u4Yi4VQ@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

This is a multi-part message in MIME format.
--===============1730045302294608345==
Content-Type: multipart/alternative;
	boundary="------------010908000507070005010300"

This is a multi-part message in MIME format.
--------------010908000507070005010300
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

On 08/01/2013 02:04 PM, Trevor Vaughan wrote:
> You don't have to mount media to pull off the data.
>
> dd + one of any number of user space utils can extract data.
>
> But, UDEV is probably the correct subsystem for this.
>
> Trevor
>
>
> On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <sgrubb@redhat.com 
> <mailto:sgrubb@redhat.com>> wrote:
>
>     On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
>     > That appears to only cover the mounting of filesystems, not any
>     usb device
>     > insertion.  Specifically I'd like to capture the insertion of a USB
>     > keyboard, USB mouse, or USB thumb-drive.
>
>     There is no support for that. Auditing is mostly shaped by common
>     criteria
>     requirements. CC takes the point of view that data import and
>     export is of
>     interest. In order to do that, you have to mount a file system.
>     So, the
>     solution is to watch for mounts. The act of inserting a device has
>     not been
>     considered security relevant because it also says that there is
>     physical
>     security of the data center and random people can't stick random
>     devices into
>     the computer
>
>     That said...there is the real world. I could see this being
>     interesting for
>     very paranoid setups where a random device could be inserted and
>     start fuzzing
>     the kernel to inject code. But if we consider this, there is also
>     bluetooth
>     and firewire and who knows what other interface to worry about.
>
>     It might be possible to find the udev code that gets executed and
>     place a watch
>     on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP
>     event which
>     ausearch/report will not impose and control over.
>
>     -Steve
>
>     --
>     Linux-audit mailing list
>     Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
>     https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
> -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvaughan@onyxpoint.com <mailto:tvaughan@onyxpoint.com>
>
> -- This account not approved for unencrypted proprietary information --
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

I decided to write a simple udev rule that is triggered when a USB 
device is added.  From here I can use environment variables to choose 
which data gets sent to the audit system as a USER message. This will be 
enough for our purposes.

For reverence, here is the udev rule:

ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/sbin/usb_device_add.sh"

Thanks!
-josh

--------------010908000507070005010300
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 08/01/2013 02:04 PM, Trevor Vaughan
      wrote:<br>
    </div>
    <blockquote
cite="mid:CANs+FoW7O6Nxf6gfrf8-CjQ=d8Geqpy_PtWSN7WgTx2u4Yi4VQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>You don't have to mount media to pull off the data.<br>
              <br>
            </div>
            dd + one of any number of user space utils can extract data.<br>
            <br>
          </div>
          But, UDEV is probably the correct subsystem for this.<br>
          <br>
        </div>
        Trevor<br>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Thu, Aug 1, 2013 at 12:35 PM, Steve
          Grubb <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:sgrubb@redhat.com" target="_blank">sgrubb@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">On
            Wednesday, July 31, 2013 08:15:21 PM Josh wrote:<br>
            &gt; That appears to only cover the mounting of filesystems,
            not any usb device<br>
            &gt; insertion. &nbsp;Specifically I'd like to capture the
            insertion of a USB<br>
            &gt; keyboard, USB mouse, or USB thumb-drive.<br>
            <br>
            There is no support for that. Auditing is mostly shaped by
            common criteria<br>
            requirements. CC takes the point of view that data import
            and export is of<br>
            interest. In order to do that, you have to mount a file
            system. So, the<br>
            solution is to watch for mounts. The act of inserting a
            device has not been<br>
            considered security relevant because it also says that there
            is physical<br>
            security of the data center and random people can't stick
            random devices into<br>
            the computer<br>
            <br>
            That said...there is the real world. I could see this being
            interesting for<br>
            very paranoid setups where a random device could be inserted
            and start fuzzing<br>
            the kernel to inject code. But if we consider this, there is
            also bluetooth<br>
            and firewire and who knows what other interface to worry
            about.<br>
            <br>
            It might be possible to find the udev code that gets
            executed and place a watch<br>
            on that. Or perhaps modify udev code to send a
            AUDIT_TRUSTED_APP event which<br>
            ausearch/report will not impose and control over.<br>
            <br>
            -Steve<br>
            <br>
            --<br>
            Linux-audit mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a><br>
            <a moz-do-not-send="true"
              href="https://www.redhat.com/mailman/listinfo/linux-audit"
              target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a><br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <br>
        -- <br>
        Trevor Vaughan<br>
        Vice President, Onyx Point, Inc<br>
        (410) 541-6699<br>
        <a moz-do-not-send="true" href="mailto:tvaughan@onyxpoint.com">tvaughan@onyxpoint.com</a><br>
        <br>
        -- This account not approved for unencrypted proprietary
        information --
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">--
Linux-audit mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/linux-audit">https://www.redhat.com/mailman/listinfo/linux-audit</a></pre>
    </blockquote>
    <br>
    I decided to write a simple udev rule that is triggered when a USB
    device is added.&nbsp; From here I can use environment variables to
    choose which data gets sent to the audit system as a USER message.&nbsp;
    This will be enough for our purposes.<br>
    <br>
    For reverence, here is the udev rule:<br>
    <br>
    ACTION=="add", SUBSYSTEM=="usb",
    RUN+="/usr/local/sbin/usb_device_add.sh"<br>
    <br>
    Thanks!<br>
    -josh<br>
  </body>
</html>

--------------010908000507070005010300--


--===============1730045302294608345==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============1730045302294608345==--