Auditing USB Question

[Trevor Vaughan]

You don't have to mount media to pull off the data.

dd + one of any number of user space utils can extract data.

But, UDEV is probably the correct subsystem for this.

Trevor


On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> > That appears to only cover the mounting of filesystems, not any usb
> device
> > insertion.  Specifically I'd like to capture the insertion of a USB
> > keyboard, USB mouse, or USB thumb-drive.
>
> There is no support for that. Auditing is mostly shaped by common criteria
> requirements. CC takes the point of view that data import and export is of
> interest. In order to do that, you have to mount a file system. So, the
> solution is to watch for mounts. The act of inserting a device has not been
> considered security relevant because it also says that there is physical
> security of the data center and random people can't stick random devices
> into
> the computer
>
> That said...there is the real world. I could see this being interesting for
> very paranoid setups where a random device could be inserted and start
> fuzzing
> the kernel to inject code. But if we consider this, there is also bluetooth
> and firewire and who knows what other interface to worry about.
>
> It might be possible to find the udev code that gets executed and place a
> watch
> on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event
> which
> ausearch/report will not impose and control over.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan at onyxpoint.com

-- This account not approved for unencrypted proprietary information --
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20130801/8385340f/attachment.htm>