auditing removable media

Burn Alting burn at swtf.dyndns.org
Wed Jan 22 09:27:52 UTC 2020


Richard,
On the surface, it appears to have value, but as you say it would need to be
extended to other traditional, and non-traditional, removable media. Further, the
initial appeal in having the capability directly within the kernel was to make it a
little more difficult to subvert, centralise auditing policy/monitoring and, if
frame-worked appropriately, easily extensible to other than USB media types (which
was the basis for the Proof of Concept developed by RedHat back in 2016).
I have not used USBGuard myself, so will do some experimentation and report back.
Regards
On Tue, 2020-01-21 at 15:16 -0500, Richard Guy Briggs wrote:
> Hi Burn, and all,
> I've been aware of this issue for a while now, but wasn't directly working on
> it.  Now that I'm taking a closer look at this issue, I am wondering how much
> USBGuard changes the equation?
> https://www.kernel.org/doc/Documentation/usb/authorization.txt
> https://usbguard.github.io/
> https://github.com/USBGuard/usbguard
> 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-usbguard
> 
> It has tools to generate baseline lists of devices, but this is only
> for usb.  Other interfaces would need to be appropriately instrumented.
> - RGB
> --
> Richard Guy Briggs <rgb at redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635