Auditing USB Question
Trevor Vaughan
tvaughan at onyxpoint.com
Thu Aug 1 18:04:25 UTC 2013
You don't have to mount media to pull off the data.
dd + one of any number of user space utils can extract data.
But, UDEV is probably the correct subsystem for this.
Trevor
On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> > That appears to only cover the mounting of filesystems, not any usb
> device
> > insertion. Specifically I'd like to capture the insertion of a USB
> > keyboard, USB mouse, or USB thumb-drive.
>
> There is no support for that. Auditing is mostly shaped by common criteria
> requirements. CC takes the point of view that data import and export is of
> interest. In order to do that, you have to mount a file system. So, the
> solution is to watch for mounts. The act of inserting a device has not been
> considered security relevant because it also says that there is physical
> security of the data center and random people can't stick random devices
> into
> the computer
>
> That said...there is the real world. I could see this being interesting for
> very paranoid setups where a random device could be inserted and start
> fuzzing
> the kernel to inject code. But if we consider this, there is also bluetooth
> and firewire and who knows what other interface to worry about.
>
> It might be possible to find the udev code that gets executed and place a
> watch
> on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP event
> which
> ausearch/report will not impose and control over.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaughan at onyxpoint.com
-- This account not approved for unencrypted proprietary information --
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20130801/8385340f/attachment.htm>
More information about the Linux-audit
mailing list