Aureport USB Usage
I'm trying to get a concise audit report for only usb, cd, and printer usage but can't seem to figure it out.
aureport doesn't have a specific flag for only those events that I can find.
Grepping for usb-storage in /var/log/messages seems to be the best way but it doesn't show the user account that mounted it.
Anyone already done this or have any tips?
Thanks!
Re: Aureport USB Usage
Not a direct answer to your question but you know that CentOS 7 and 8 ship something called usbguard?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Aureport USB Usage
I had used it and most systems have usb-storage blacklisted in modprobe.d but this is mostly for cybersecurity weekly reports.
Need something that the security engineer can run or look at and find out immediately if usb/cd/printers were used in a given time frame and which user is responsible.
Re: Aureport USB Usage
https://www.redhat.com/archives/linux-a ... 00049.html
Note the -k usb for the rule that you would put in /etc/audit/audit.rules. I'm not sure where RH6 automounts things, but this works on my Ubuntu 10.04 machine (usb is automounted to /media/<device name>):
Code: Select all
auditctl -a exit,always -F arch=b64 -S mount -S umount2 -F dir=/media -F success=1 -k usb
This generates logs like:
inserting:
Code: Select all
type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165
success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0
a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40): cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538"
inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null)
inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11
pulling usb drive out:
Code: Select all
type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166
success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1
ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount"
exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45): cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538"
inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00
The -k is a key that you can use as an identifier, so if you did -k HEYHEY then you can search audit.log for that unique bit of text.
Make the key whatever you prefer.
This rule will audit log all mounts:
Code: Select all
-a always,exit -F arch=b64 -S mount,umount2 -k mount_umount
thus capturing a mounted usb storage device, but it would not capture something like a plugged-in usb device like a kybd, mouse, usb-ethernet adapter, usb wifi device, etc.
I suspect one would have to write an audit rule to capture new block devices showing up such as /dev/sd?.
Really, what's printed in /var/log/messages seems ideal.
Re: Aureport USB Usage
I'd actually stumbled across that topic and tried it out but ended up just grepping for usb in messages; didn't want to add an audit rule for multiple standalone systems. But thanks anyway!
Re: Aureport USB Usage
Grepping for usb-storage in /var/log/messages seems to be the best way but it doesn't show the user account that mounted it.
The problem with this is anyone can plug in a usb anything or insert a cd; linux has no way of knowing who did that.
It could be done when no one is logged in.
Or someone can be screen locked, and someone else can do it, have no real way of knowing.
Up until such time it is manually mounted to be accessed, which would take root, which would have taken some user account to begin with before doing su or sudo to root. Especially if automount or autorun or whatever it is called in linux is turned on, then things would auto mount generally into the /media/run/ folder. Potentially framing a user?
fwiw this audit rule
Code: Select all
-w /dev -p war -k ABCD
Code: Select all
type=PATH name="/dev/disk/by-id/usb-_Patriot_Memory_078C05B315FC -0:0" ... blabla
Of interest might be /sys/kernel/debug/usb/devices
which will have a listing with Manufacturer and Serial number of all usb items connected. But it is real time. So if someone plugs in usb something you have to check this file before they unplug the usb whatever. Triggering off an audit system call when a usb device is plugged in, to run a secondary program to diff this /sys/kernel/debug/usb/devices file and capture that diff I think would be the best way to go. I think that would be a decent way of knowing what was plugged in, the when could be inferred from the audit log triggered on the system event seeing the usb device plugged in. How to do this, I don't know, maybe a kernel module?
Otherwise I think it would simply be a matter of falling back to an audit rule of capturing mount system events with something like these
Code: Select all
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k MOUNT1
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k MOUNT2
-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k MOUNT3
-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k MOUNT4
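One way to turn records like the ones quoted above into the "who mounted what, and when" answer the original poster wants (an added example for this thread, not any poster's code). It joins records on the audit(<time>:<serial>) id, names the x86_64 syscall numbers seen in the quoted logs, pulls the mountpoint and block device out of the PATH items, and reports auid=4294967295 as unattributable, which is exactly the automount-as-root case discussed above. The SAMPLE lines are constructed after the ones in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

AUID_UNSET = 4294967295  # "unset" login uid: no interactive login to attribute the action to
SYSCALL_NAMES = {"165": "mount", "166": "umount2"}  # x86_64 (arch=c000003e) numbers
FIELD = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EVENT_ID = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')
# Constructed sample modelled on the records quoted in the thread, one record per line as
# auditd writes them: event 40 is an automount as root with auid unset, 41 a sudo mount
# by login uid 1000, 45 the matching umount.
SAMPLE = """\
type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165 success=yes exit=0 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538" mode=040700 ouid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null) mode=060660 ouid=0 ogid=6 rdev=08:11
type=SYSCALL msg=audit(1348240600.100:41): arch=c000003e syscall=165 success=yes exit=0 auid=1000 uid=0 tty=pts0 ses=3 comm="mount" exe="/bin/mount" key="usb"
type=PATH msg=audit(1348240600.100:41): item=0 name="/media/usb0" mode=040755 ouid=0 rdev=00:00
type=PATH msg=audit(1348240600.100:41): item=1 name="/dev/sdc1" mode=060660 ouid=0 ogid=6 rdev=08:21
type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166 success=yes exit=0 auid=1000 uid=0 tty=pts0 ses=3 comm="umount" exe="/bin/umount" key="usb"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/usb0" mode=040700 ouid=11532 rdev=00:00
""".splitlines()

def parse_record(line):
    """Split one audit line into (event id, record type, field dict)."""
    m = EVENT_ID.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return (int(m.group(1)), int(m.group(2))), fields["type"], fields

def who_mounted(lines, key="usb"):
    """Join records on the audit(<time>:<serial>) id and summarise each keyed mount/umount."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, lines)):
        events[rec[0]].append(rec[1:])
    out = []
    for (ts, _serial), recs in sorted(events.items()):
        sysc = next((f for t, f in recs if t == "SYSCALL" and f.get("key") == key), None)
        if sysc is None:
            continue
        paths = [f for t, f in recs if t == "PATH"]
        auid = int(sysc["auid"])
        out.append({
            "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "action": SYSCALL_NAMES.get(sysc["syscall"], sysc["syscall"]),
            "comm": sysc["comm"], "uid": int(sysc["uid"]),
            "auid": None if auid == AUID_UNSET else auid,  # None: nobody to pin it on
            "mountpoint": next((f["name"] for f in paths if f.get("name") != "(null)"), None),
            # PATH item with a block-device mode (S_IFBLK = 060000); rdev is major:minor in hex
            "device": next((f["rdev"] for f in paths if f.get("mode", "").startswith("06")), None),
        })
    return out
```

Feed it `ausearch -k usb --raw` output (or audit.log itself) instead of SAMPLE; a device of 08:11 is major 8, minor 17, i.e. /dev/sdb1.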
- KernelOops
Re: Aureport USB Usage
Maybe you can use incrond, to monitor for changes under /sys/kernel/debug/usb/devices
--
R.I.P. CentOS
--
Re: Aureport USB Usage
Completely agree with your post ron and will most likely add that audit rule to my kickstart for future audit reports.
As of now, the report will show which user ran su or sudo, usb-storage is blacklisted and file changes should show up in the report, and messages will show usb and printer usage, so it should be enough of a trail to find out who changed the blacklist or mounted anything, with the added benefit of me not having to explain how to add a line to audit.rules to people that barely know anything about linux.