On Fri, Sep 21, 2012 at 8:05 AM, Diaz, DavidA (Plymouth) <[email protected]> wrote:
> Hi:
>
> I am wondering how to use auditd and specifically ausearch, to pull out USB
> thumbdrive event insertions and removals on my Redhat Enterprise Linux 6
> Server?
>
> I can see very easily in the /var/log/messages file detailed logging when I
> insert a USB thumbdrive and when I then remove it. But I would really like
> to be able to use auditd's ausearch utility to pull these types of events
> out. Any ideas on what my audit.rule should be, and the syntax for ausearch
> to extract it for reporting purposes?
>
> When I do look at the audit.log to see what is being captured when I insert
> the USB stick, I see indications of comm="usb_id"... But when I remove it, I
> do not see any usb text only the umount command.
>
> Thanks, I am relatively new to ausearch so any suggestions would be
> appreciated!
I'm not sure where RH6 automounts things, but this works on my Ubuntu 10.04
machine (usb is automounted to /media/<device name>)

auditctl -a exit,always -F arch=b64 -S mount -S umount2 -F dir=/media -F success=1 -k usb

This generates logs like:

inserting:

type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165 success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0 a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40): cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538" inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null) inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11

pulling usb drive out:

type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166 success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1 ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45): cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538" inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
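As an added example (not part of the reply above), a small parser that groups the audit records of the rule by serial number and turns the mount/umount2 syscalls into "inserted"/"removed" events with their mountpoint, which is the report the original question asked for; the sample records are the two events quoted in the reply, and the syscall-number mapping is an assumption for arch=c000003e (x86_64).

```python
import re

# Constructed sample: the two events quoted in the reply (insert, then remove); feed `ausearch -k usb --raw` output in practice.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165 success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0 a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40): cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538" inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null) inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11
type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166 success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1 ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45): cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538" inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALLS = {"165": "mount", "166": "umount2"}  # x86_64 (arch=c000003e) numbers, assumed; check with `ausyscall x86_64 mount`

def parse_fields(text):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def group_events(log):
    """Group the SYSCALL/CWD/PATH records that share one audit serial into a single event."""
    events = {}
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"time": float(ts), "paths": []})
        fields = parse_fields(rest)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH" and fields.get("name", "(null)") != "(null)":
            ev["paths"].append(fields["name"])
    return events

def usb_events(log, key="usb"):
    """Return (time, action, mountpoint, comm) for successful mount/umount2 events tagged with key."""
    out = []
    for ev in sorted(group_events(log).values(), key=lambda e: e["time"]):
        sc = ev.get("syscall")
        if not sc or sc.get("key") != key or sc.get("success") != "yes":
            continue
        name = SYSCALLS.get(sc.get("syscall"))
        if name is None:  # another syscall hit the same key; not a mount event
            continue
        action = "inserted/mounted" if name == "mount" else "removed/unmounted"
        out.append((ev["time"], action, ev["paths"][0] if ev["paths"] else "?", sc.get("comm")))
    return out
```

Replace SAMPLE_LOG with the output of `ausearch -k usb --raw` to run it against a real log; the removal shows up as the umount2 record with key="usb", which is why no "usb" text appears in it beyond the key.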
