You don't have to mount media to pull off the data. dd + one of any number of user space utils can extract data.
But, UDEV is probably the correct subsystem for this. Trevor On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <[email protected]> wrote: > On Wednesday, July 31, 2013 08:15:21 PM Josh wrote: > > That appears to only cover the mounting of filesystems, not any usb > device > > insertion. Specifically I'd like to capture the insertion of a USB > > keyboard, USB mouse, or USB thumb-drive. > > There is no support for that. Auditing is mostly shaped by common criteria > requirements. CC takes the point of view that data import and export is of > interest. In order to do that, you have to mount a file system. So, the > solution is to watch for mounts. The act of inserting a device has not been > considered security relevant because it also says that there is physical > security of the data center and random people can't stick random devices > into > the computer > > That said...there is the real world. I could see this being interesting for > very paranoid setups where a random device could be inserted and start > fuzzing > the kernel to inject code. But if we consider this, there is also bluetooth > and firewire and who knows what other interface to worry about. > > It might be possible to find the udev code that gets executed and place a > watch > on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event > which > ausearch/report will not impose and control over. > > -Steve > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit > -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 [email protected] -- This account not approved for unencrypted proprietary information --
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
