Auditing USB Question
Josh
jokajak at gmail.com
Thu Aug 1 00:15:21 UTC 2013
On Jul 31, 2013, at 5:47 PM, zhu xiuming <xiumingzhu at gmail.com> wrote:
> my guess is
> -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export
>
> refer to http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
>
>
> On Wed, Jul 31, 2013 at 8:41 AM, Josh <jokajak at gmail.com> wrote:
> I'd like to audit the insertion and removal of all USB devices but I'm not sure where to start.
>
> Do I need to be auditing a specific syscall, or should it be a udev configuration?
>
> Any tips would be greatly appreciated.
>
> Thanks,
> -josh
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
That appears to only cover the mounting of filesystems, not any USB device insertion. Specifically, I'd like to capture the insertion of a USB keyboard, USB mouse, or USB thumb-drive.
Thanks,
-josh