From: lists_todd@mac.com
To: Josh <jokajak@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Auditing USB Question
Date: Wed, 31 Jul 2013 17:43:58 -0700
Message-ID: <FEB581BE-19AA-4659-9893-77B741B87F22@mac.com>
In-Reply-To: <51F93037.5000202@gmail.com>
On Jul 31, 2013, at 8:41 AM, Josh <jokajak@gmail.com> wrote:
> I'd like to audit the insertion and removal of all USB devices but I'm not sure where to start.
>
> Do I need to be auditing a specific syscall, should it be a udev configuration?
>
> Any tips would be greatly appreciated.
On my Mac (and BSM) I use syslog data to identify USB inserts, which includes the USB's manufacturer, model number, and serial number. Then I look at the mount command in the BSM data to see where it was mounted in the file system. Since I monitor all file reads and writes in BSM, I can also tell what files were read from or written to that USB thumb drive.
See if the Linux syslog messages contain the USB insert information.
Todd
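As an added illustration of the approach Todd describes, carried over to Linux (this is example code, not something posted in the thread): the kernel logs a "New USB device found" line with idVendor/idProduct, followed by Manufacturer, Product and SerialNumber lines, and a "USB disconnect" line on removal; the mount can be captured with an auditd rule such as `-a always,exit -F arch=b64 -S mount -k usb-mount`. The script below parses both record types from constructed sample lines (the device IDs, serial number, timestamps and audit serial are made up for the example) and reports inserts, removals and mounts. It assumes x86_64, where the mount syscall is number 165, and that the mount source is the PATH record under /dev/.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines for the example (not real captures).
SAMPLE_KERNEL_LOG = """\
Jul 31 17:40:01 host kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jul 31 17:40:01 host kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jul 31 17:40:01 host kernel: usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jul 31 17:40:01 host kernel: usb 1-1: Product: Cruzer Blade
Jul 31 17:40:01 host kernel: usb 1-1: Manufacturer: SanDisk
Jul 31 17:40:01 host kernel: usb 1-1: SerialNumber: 4C530001230326115234
Jul 31 17:40:02 host kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jul 31 17:45:10 host kernel: usb 1-1: USB disconnect, device number 4
"""

# Constructed audit.log records for one mount(2) call (syscall 165 on x86_64),
# as an auditd rule like "-a always,exit -F arch=b64 -S mount -k usb-mount" would emit.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1375317605.123:901): arch=c000003e syscall=165 success=yes exit=0 a0=55d1c3e0a2b0 a1=55d1c3e0a2d0 a2=55d1c3e0a2f0 a3=0 items=2 ppid=1 pid=2345 auid=1000 uid=0 gid=0 euid=0 comm="mount" exe="/usr/bin/mount" key="usb-mount"
type=CWD msg=audit(1375317605.123:901): cwd="/"
type=PATH msg=audit(1375317605.123:901): item=0 name="/dev/sdb1" inode=1234 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11
type=PATH msg=audit(1375317605.123:901): item=1 name="/media/usb" inode=5678 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00
"""

USB_LINE = re.compile(r"kernel: usb (?P<port>[\d.-]+): (?P<msg>.*)$")
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) ")
AUDIT_MSG = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)")


def parse_usb_events(log_text):
    """Return insert/remove events per USB port with vendor/product IDs,
    manufacturer, product and serial number collected from the follow-up lines."""
    pending = {}   # port -> insert record still being filled in
    events = []
    for line in log_text.splitlines():
        m = USB_LINE.search(line)
        if not m:
            continue
        port, msg = m.group("port"), m.group("msg")
        ts = SYSLOG_TS.match(line).group("ts")
        if msg.startswith("New USB device found"):
            ids = dict(re.findall(r"(idVendor|idProduct)=([0-9a-f]{4})", msg))
            rec = {"port": port, "time": ts, "action": "insert",
                   "vendor": ids.get("idVendor"), "product_id": ids.get("idProduct")}
            pending[port] = rec
            events.append(rec)            # later lines mutate this same dict
        elif msg.startswith("USB disconnect"):
            pending.pop(port, None)
            events.append({"port": port, "time": ts, "action": "remove"})
        elif port in pending:
            key, _, value = msg.partition(": ")
            if key in ("Product", "Manufacturer", "SerialNumber"):
                pending[port][key.lower()] = value
    return events


def parse_mount_events(audit_text):
    """Group audit records by event serial and extract mount syscalls
    with the calling user (auid), command, source device and target dir."""
    by_serial = defaultdict(list)
    for line in audit_text.splitlines():
        m = AUDIT_MSG.match(line)
        if m:
            by_serial[m.group("serial")].append(m)
    mounts = []
    for serial, recs in by_serial.items():
        syscall = next((r for r in recs if r.group("type") == "SYSCALL"), None)
        if syscall is None:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', syscall.group("rest")))
        if fields.get("arch") != "c000003e" or fields.get("syscall") != "165":
            continue                      # only x86_64 mount(2) is handled here
        paths = [re.search(r'name="([^"]*)"', r.group("rest")).group(1)
                 for r in recs if r.group("type") == "PATH"]
        mounts.append({
            "serial": serial,
            "time": float(syscall.group("ts")),
            "auid": fields.get("auid"),
            "comm": fields.get("comm", "").strip('"'),
            "source": next((p for p in paths if p.startswith("/dev/")), None),
            "target": next((p for p in paths if not p.startswith("/dev/")), None),
        })
    return mounts


def report(kernel_log, audit_log):
    """Render one line per insert, removal and mount, in source order."""
    lines = []
    for e in parse_usb_events(kernel_log):
        if e["action"] == "insert":
            lines.append(f"{e['time']} INSERT port={e['port']} id={e['vendor']}:{e['product_id']} "
                         f"mfr={e.get('manufacturer')} product={e.get('product')} serial={e.get('serialnumber')}")
        else:
            lines.append(f"{e['time']} REMOVE port={e['port']}")
    for mnt in parse_mount_events(audit_log):
        lines.append(f"audit:{mnt['serial']} MOUNT {mnt['source']} -> {mnt['target']} "
                     f"by auid={mnt['auid']} comm={mnt['comm']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_KERNEL_LOG, SAMPLE_AUDIT_LOG)))
```

The serial number is the field worth keying on: idVendor/idProduct identify a model, not a stick, so an allow-list or an incident timeline needs the SerialNumber line. Correlating a mount with the insert that preceded it is then a matter of matching the PATH device under /dev/ to the "[sdb] Attached SCSI removable disk" line that follows the USB lines for the same port.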
Thread overview: 6+ messages
2013-07-31 15:41 Auditing USB Question Josh
[not found] ` <CAP6dAmdUHdrxx7Y5XS9Otd2FV9bB9wLGy3-98dTpX20P_CQ8NA@mail.gmail.com>
2013-08-01 0:15 ` Josh
2013-08-01 16:35 ` Steve Grubb
2013-08-01 18:04 ` Trevor Vaughan
2013-08-02 14:30 ` Josh
2013-08-01 0:43 ` lists_todd [this message]