On Jul 31, 2013, at 5:47 PM, zhu xiuming <[email protected]> wrote:
> my guess is
> -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
>
> refer to http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
>
>
> On Wed, Jul 31, 2013 at 8:41 AM, Josh <[email protected]> wrote:
> I'd like to audit the insertion and removal of all USB devices but I'm not
> sure where to start.
>
> Do I need to be auditing a specific syscall, should it be a udev
> configuration?
>
> Any tips would be greatly appreciated.
>
> Thanks,
> -josh
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
>

That appears to only cover the mounting of filesystems, not any usb device insertion. Specifically I'd like to capture the insertion of a USB keyboard, USB mouse, or USB thumb-drive.

Thanks,
-josh
