On Jul 31, 2013, at 8:41 AM, Josh <[email protected]> wrote:
> I'd like to audit the insertion and removal of all USB devices but I'm not
> sure where to start.
>
> Do I need to be auditing a specific syscall, should it be a udev
> configuration?
>
> Any tips would be greatly appreciated.

On my Mac (and BSM) I use syslog data to identify USB inserts, which includes the USB's manufacturer, model number, and serial number. Then I look at the mount command in the BSM data to see where it was mounted in the file system. Since I monitor all file reads and writes in BSM, I can also tell what files were read from or written to that USB thumb drive.

See if the Linux syslog messages contain the USB insert information.

Todd

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
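
Added example, not part of the original thread: a Python sketch of the syslog approach suggested above, applied to the messages the Linux kernel's USB core writes on insert and removal ("New USB device found", "Manufacturer:", "SerialNumber:", "USB disconnect"). The syslog prefix layout, host name, IDs and device strings in the sample are constructed assumptions; adjust the prefix pattern to the local syslog format.

```python
import re

# Constructed sample: rsyslog-style kernel lines carrying the USB core's messages.
SAMPLE_LOG = """\
Jul 31 08:41:02 host1 kernel: [ 1234.560000] usb 2-1: new high-speed USB device number 5 using ehci-pci
Jul 31 08:41:02 host1 kernel: [ 1234.700000] usb 2-1: New USB device found, idVendor=1234, idProduct=abcd
Jul 31 08:41:02 host1 kernel: [ 1234.700010] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jul 31 08:41:02 host1 kernel: [ 1234.700020] usb 2-1: Product: Example Flash Drive
Jul 31 08:41:02 host1 kernel: [ 1234.700030] usb 2-1: Manufacturer: ExampleCorp
Jul 31 08:41:02 host1 kernel: [ 1234.700040] usb 2-1: SerialNumber: CONSTRUCTED0001
Jul 31 08:42:10 host1 sshd[811]: Accepted publickey for alice from 192.0.2.10
Jul 31 08:55:10 host1 kernel: [ 2082.000000] usb 2-1: USB disconnect, device number 5
"""

# Prefix layout is an assumption: "<Mon DD HH:MM:SS> <host> kernel: [uptime] usb <port>: <msg>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: "
                  r"(?:\[\s*[\d.]+\] )?usb (?P<port>[\d.-]+): (?P<msg>.*)$")
FOUND = re.compile(r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STRING = re.compile(r"^(Product|Manufacturer|SerialNumber): (.*)$")
DISCONNECT = re.compile(r"USB disconnect, device number \d+")

def usb_events(log_text):
    """Return insert/remove events, correlating descriptor lines by bus-port id."""
    events, attached = [], {}          # attached: port -> its insert event
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                   # not a kernel USB message
        ts, port, msg = m.group("ts", "port", "msg")
        found = FOUND.search(msg)
        string = STRING.match(msg)
        if found:
            event = {"action": "insert", "time": ts, "port": port,
                     "vendor_id": found.group(1), "product_id": found.group(2)}
            attached[port] = event
            events.append(event)
        elif string and port in attached:
            # Manufacturer/Product/SerialNumber lines follow the "found" line
            attached[port][string.group(1)] = string.group(2).strip()
        elif DISCONNECT.search(msg):
            previous = attached.pop(port, {})
            # The disconnect line has no serial; carry it over from the insert
            events.append({"action": "remove", "time": ts, "port": port,
                           "SerialNumber": previous.get("SerialNumber")})
    return events

if __name__ == "__main__":
    for event in usb_events(SAMPLE_LOG):
        print(event)
```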
