From: Josh
Subject: Re: Auditing USB Question
Date: Wed, 31 Jul 2013 20:15:21 -0400
Message-ID: <7DF115C1-B9AB-4F69-8D28-FBF4A4E304BA@gmail.com>
References: <51F93037.5000202@gmail.com>
To: zhu xiuming
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Jul 31, 2013, at 5:47 PM, zhu xiuming <xiumingzhu@gmail.com> wrote:

> my guess is
> -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
>
> refer to http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
>
>
> On Wed, Jul 31, 2013 at 8:41 AM, Josh <jokajak@gmail.com> wrote:
> > I'd like to audit the insertion and removal of all USB devices but I'm not sure where to start.
> >
> > Do I need to be auditing a specific syscall, should it be a udev configuration?
> >
> > Any tips would be greatly appreciated.
> >
> > Thanks,
> > -josh
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit

That appears to only cover the mounting of filesystems, not any usb device insertion.  Specifically I'd like to capture the insertion of a USB keyboard, USB mouse, or USB thumb-drive.

Thanks,
-josh

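The rule quoted in the thread keys on the mount syscall, so it only fires when a filesystem is mounted; a keyboard or mouse never mounts anything, and a thumb drive that is never mounted produces no record either. USB insertion and removal arrive in user space as udev events, which is the other route Josh asks about. The following is an added example, not code from the thread or from the audit project: a udev RUN handler that turns each USB add/remove event into an audit USER record via `auditctl -m` (falling back to syslog), and classifies the device from the interface class list udev exports (bInterfaceClass 0x03 is HID, which covers keyboards and mice; 0x08 is mass storage). The script path, the rule file name and the exact set of udev environment variables available on a given udev version are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed install path:
#   /usr/local/sbin/usb-audit.sh
# Assumed rule file /etc/udev/rules.d/90-usb-audit.rules (numbered after
# 50-udev-default.rules so usb_id has already populated ID_* variables):
#   ACTION=="add|remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-audit.sh"
# udev exports ACTION, SUBSYSTEM, DEVPATH and, from the usb_id builtin,
# ID_VENDOR_ID, ID_MODEL_ID, ID_SERIAL_SHORT and ID_USB_INTERFACES
# (a ':'-separated list of class/subclass/protocol as 6 hex digits, e.g.
# ":080650:" for a mass-storage stick) into this handler's environment.

# Reduce the interface list to a coarse label. The first byte of each entry
# is bInterfaceClass: 03 = HID (keyboard, mouse), 08 = mass storage.
classify_usb() {
    ifaces="$1"
    hid=0; storage=0
    old_ifs="$IFS"; IFS=':'
    for tok in $ifaces; do
        [ -n "$tok" ] || continue          # skip empty fields around ':'
        case "$tok" in
            03*) hid=1 ;;
            08*) storage=1 ;;
        esac
    done
    IFS="$old_ifs"
    if [ "$storage" = 1 ]; then echo storage
    elif [ "$hid" = 1 ]; then echo hid
    else echo other
    fi
}

# Build one key=value line for the audit record. Taking the fields as
# arguments lets the function be exercised without udev; the entry point
# below passes the real environment.
format_event() {
    action="$1"; vendor="$2"; model="$3"; serial="$4"; ifaces="$5"; devpath="$6"
    kind=$(classify_usb "$ifaces")
    printf 'usb_hotplug action=%s vid=%s pid=%s serial=%s class=%s devpath=%s\n' \
        "$action" "${vendor:-unknown}" "${model:-unknown}" \
        "${serial:-unknown}" "$kind" "$devpath"
}

# Entry point: only runs when udev invoked us (ACTION is set, SUBSYSTEM is
# usb). auditctl -m writes a USER record to the audit log and needs root,
# which udev handlers have; if it is missing or fails, fall back to syslog
# so the event is never silently dropped.
if [ -n "${ACTION:-}" ] && [ "${SUBSYSTEM:-}" = "usb" ]; then
    msg=$(format_event "$ACTION" "${ID_VENDOR_ID:-}" "${ID_MODEL_ID:-}" \
        "${ID_SERIAL_SHORT:-}" "${ID_USB_INTERFACES:-}" "${DEVPATH:-}")
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -m "$msg" || logger -t usb-audit -p auth.notice "$msg"
    else
        logger -t usb-audit -p auth.notice "$msg"
    fi
fi
```

After installing the rule, reload it with `udevadm control --reload-rules`, plug in a device, and look for the record with `ausearch -m USER | grep usb_hotplug` (or in syslog under the usb-audit tag if auditctl was unavailable). Matching on `ENV{DEVTYPE}=="usb_device"` gives one event per physical device rather than one per interface; a keyboard with a built-in hub will still show up as several devices, which is the correct answer rather than noise.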