From mboxrd@z Thu Jan  1 00:00:00 1970
From: lists_todd@mac.com
Subject: Re: Auditing USB Question
Date: Wed, 31 Jul 2013 17:43:58 -0700
Message-ID: <FEB581BE-19AA-4659-9893-77B741B87F22@mac.com>
References: <51F93037.5000202@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com
	[10.5.110.17])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id r710iK5h005641
	for <linux-audit@redhat.com>; Wed, 31 Jul 2013 20:44:20 -0400
Received: from nk11p08mm-asmtp002.mac.com (nk11p08mm-asmtpout002.mac.com
	[17.158.58.247])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r710iJtv027639
	for <linux-audit@redhat.com>; Wed, 31 Jul 2013 20:44:19 -0400
Received: from bigmac.lab.netsq.com ([168.150.221.2])
	by nk11p08mm-asmtp002.mac.com
	(Oracle Communications Messaging Server 7u4-26.01(7.0.4.26.0) 64bit
	(built Jul
	13 2012)) with ESMTPSA id <0MQT00DYIU1B7F80@nk11p08mm-asmtp002.mac.com>
	for linux-audit@redhat.com; Thu, 01 Aug 2013 00:44:00 +0000 (GMT)
In-reply-to: <51F93037.5000202@gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Josh <jokajak@gmail.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


On Jul 31, 2013, at 8:41 AM, Josh <jokajak@gmail.com> wrote:

> I'd like to audit the insertion and removal of all USB devices but I'm not sure where to start.
> 
> Do I need to be auditing a specific syscall, should it be a udev configuration?
> 
> Any tips would be greatly appreciated.

On my Mac (and BSM) I use syslog data to identify USB inserts, which includes the USB's manufacturer, model number, and serial number. Then I look at the mount command in the BSM data to see where it was mounted in the file system. Since I monitor all file reads and writes in BSM, I can also tell what files were read from or written to that USB thumb drive.

See if the Linux syslog messages contain the USB insert information.

Todd