Auditing USB Question
Josh
jokajak at gmail.com
Fri Aug 2 14:30:54 UTC 2013
On 08/01/2013 02:04 PM, Trevor Vaughan wrote:
> You don't have to mount media to pull off the data.
>
> dd + one of any number of user space utils can extract data.
>
> But, UDEV is probably the correct subsystem for this.
>
> Trevor
>
>
> On Thu, Aug 1, 2013 at 12:35 PM, Steve Grubb <sgrubb at redhat.com
> <mailto:sgrubb at redhat.com>> wrote:
>
> On Wednesday, July 31, 2013 08:15:21 PM Josh wrote:
> > That appears to only cover the mounting of filesystems, not any
> usb device
> > insertion. Specifically I'd like to capture the insertion of a USB
> > keyboard, USB mouse, or USB thumb-drive.
>
> There is no support for that. Auditing is mostly shaped by common
> criteria
> requirements. CC takes the point of view that data import and
> export is of
> interest. In order to do that, you have to mount a file system.
> So, the
> solution is to watch for mounts. The act of inserting a device has
> not been
> considered security relevant because it also says that there is
> physical
> security of the data center and random people can't stick random
> devices into
> the computer
>
> That said...there is the real world. I could see this being
> interesting for
> very paranoid setups where a random device could be inserted and
> start fuzzing
> the kernel to inject code. But if we consider this, there is also
> bluetooth
> and firewire and who knows what other interface to worry about.
>
> It might be possible to find the udev code that gets executed and
> place a watch
> on that. Or perhaps modify udev code to send a AUDIT_TRUSTED_APP
> event which
> ausearch/report will not impose and control over.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com <mailto:Linux-audit at redhat.com>
> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvaughan at onyxpoint.com <mailto:tvaughan at onyxpoint.com>
>
> -- This account not approved for unencrypted proprietary information --
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
I decided to write a simple udev rule that is triggered when a USB
device is added. From here I can use environment variables to choose
which data gets sent to the audit system as a USER message. This will be
enough for our purposes.
For reverence, here is the udev rule:
ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/sbin/usb_device_add.sh"
Thanks!
-josh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20130802/e4094b72/attachment.htm>
More information about the Linux-audit
mailing list