Re: Auditing USB Question

Fri, 02 Aug 2013 07:34:11 -0700 

On 08/01/2013 02:04 PM, Trevor Vaughan wrote:

You don't have to mount media to pull off the data.

dd + one of any number of user space utils can extract data.

But, UDEV is probably the correct subsystem for this.

Trevor
On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <[email protected] <mailto:[email protected]>> wrote: 

    On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
    > That appears to only cover the mounting of filesystems, not any
    usb device
    > insertion.  Specifically I'd like to capture the insertion of a USB
    > keyboard, USB mouse, or USB thumb-drive.

    There is no support for that. Auditing is mostly shaped by common
    criteria
    requirements. CC takes the point of view that data import and
    export is of
    interest. In order to do that, you have to mount a file system.
    So, the
    solution is to watch for mounts. The act of inserting a device has
    not been
    considered security relevant because it also says that there is
    physical
    security of the data center and random people can't stick random
    devices into
    the computer

    That said...there is the real world. I could see this being
    interesting for
    very paranoid setups where a random device could be inserted and
    start fuzzing
    the kernel to inject code. But if we consider this, there is also
    bluetooth
    and firewire and who knows what other interface to worry about.

    It might be possible to find the udev code that gets executed and
    place a watch
    on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP
    event which
    ausearch/report will not impose and control over.

    -Steve

    --
    Linux-audit mailing list
    [email protected] <mailto:[email protected]>
    https://www.redhat.com/mailman/listinfo/linux-audit




--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected] <mailto:[email protected]>

-- This account not approved for unencrypted proprietary information --


--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
I decided to write a simple udev rule that is triggered when a USB device is added. From here I can use environment variables to choose which data gets sent to the audit system as a USER message. This will be enough for our purposes. 

For reverence, here is the udev rule:

ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/sbin/usb_device_add.sh"

Thanks!
-josh

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to