Aureport USB Usage

General support questions
Thraex
Posts: 51
Joined: 2019/05/14 19:50:28

Aureport USB Usage

Post by Thraex » 2020/02/05 16:22:13

I'm trying to get a concise audit report for only usb, cd, and printer usage but can't seem to figure it out.
aureport doesn't have a specific flag for only those events that I can find.

Grepping for usb-storage in /var/log/messages seems to be the best way but it doesn't show the user account that mounted it.
Anyone already done this or have any tips?

Thanks!

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Aureport USB Usage

Post by TrevorH » 2020/02/05 17:16:11

Not a direct answer to your question but you know that CentOS 7 and 8 ship something called usbguard?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Thraex
Posts: 51
Joined: 2019/05/14 19:50:28

Re: Aureport USB Usage

Post by Thraex » 2020/02/05 17:36:55

I had used it and most systems have usb-storage blacklisted in modprobe.d but this is mostly for cybersecurity weekly reports.

Need something that the security engineer can run or look at and find out immediately if usb/cd/printers were used in a given time frame and which user is responsible.

ron7000
Posts: 162
Joined: 2019/01/15 20:00:28

Re: Aureport USB Usage

Post by ron7000 » 2020/02/11 22:56:26

https://www.redhat.com/archives/linux-a ... 00049.html
I'm not sure where RH6 automounts things, but this works on my Ubuntu
10.04 machine (usb is automounted to /media/<device name>)

auditctl -a exit,always -F arch=b64 -S mount -S umount2 -F dir=/media -F success=1 -k usb

This generates logs like:

inserting:

type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165
success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0
a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40): cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538"
inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null)
inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11

pulling usb drive out:

type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166
success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1
ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount"
exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45): cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538"
inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00

Note the -k usb in the rule, which you would put in /etc/audit/audit.rules.

The -k is a key that you can use as an identifier, so if you did -k HEYHEY then you can search audit.log for that unique bit of text.
Make the key whatever you prefer.

This rule will audit log all mounts

Code:

-a always,exit -F arch=b64 -S mount,umount2 -k mount_umount
thus capturing a mounted USB storage device, but it would not capture a plugged-in USB device such as a keyboard, mouse, USB-Ethernet adapter, USB Wi-Fi device, etc.

I suspect one would have to write an audit rule to capture new block devices showing up such as /dev/sd?.
Really, what's printed in /var/log/messages seems ideal.
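An added example (mine, not code from ron7000's post or the linked mailing-list thread) that turns raw records like the ones quoted above into the "who mounted what, and when" report the original question asks for. It groups audit records by event id, keeps the SYSCALL records that carry the rule's key, and pulls out the login UID, the session, the mount target from the PATH record and whether the call succeeded. The sample log is constructed: the two events quoted above plus two made-up ones (a mount from a real login session and a failed mount). The syscall-number tables are the x86_64 and i386 ones, selected by the arch field of each record.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the two events quoted in the post above, plus two
# made-up events (one from a login session, one failed) so the report has
# something to distinguish.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165 success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0 a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40): cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538" inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null) inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11
type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166 success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1 ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount" exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45): cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538" inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00
type=SYSCALL msg=audit(1580920000.123:77): arch=c000003e syscall=165 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2200 pid=2201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount" exe="/usr/bin/mount" key="usb"
type=PATH msg=audit(1580920000.123:77): item=0 name="/media/usb0" inode=12 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1580920100.000:78): arch=c000003e syscall=165 success=no exit=-13 a0=1 a1=2 a2=3 a3=4 items=1 ppid=2200 pid=2300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="mount" exe="/usr/bin/mount" key="usb"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")      # event id = timestamp:serial
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key=value or key="value"

# Syscall numbers differ per ABI; the arch field says which table applies.
SYSCALL_NAMES = {
    "c000003e": {165: "mount", 166: "umount2"},   # x86_64 (arch=b64)
    "40000003": {21: "mount", 52: "umount2"},     # i386   (arch=b32)
}
AUID_UNSET = 4294967295  # (unsigned)-1: loginuid never set, i.e. no login session behind the process


def parse_fields(line):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def group_events(text):
    """Collect the SYSCALL and PATH records of each audit event under its (timestamp, serial) id."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        eid = (float(m.group(1)), int(m.group(2)))
        ev = events.setdefault(eid, {"ts": eid[0], "serial": eid[1], "syscall": None, "paths": []})
        fields = parse_fields(line)
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    return events


def mount_report(text, key="usb", start=None, end=None):
    """One row per event carrying `key`, restricted to [start, end] in epoch seconds if given."""
    rows = []
    for ev in sorted(group_events(text).values(), key=lambda e: (e["ts"], e["serial"])):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        if (start is not None and ev["ts"] < start) or (end is not None and ev["ts"] > end):
            continue
        auid = int(sc["auid"])
        names = SYSCALL_NAMES.get(sc.get("arch"), {})
        # first PATH item with a real name is the mount point (item=1 is the device, often (null))
        target = next((p["name"] for p in ev["paths"] if p.get("name") not in (None, "(null)")), "")
        rows.append({
            "when": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "action": names.get(int(sc["syscall"]), "syscall " + sc["syscall"]),
            "success": sc.get("success") == "yes",
            "auid": None if auid == AUID_UNSET else auid,   # None = no login session to blame
            "uid": int(sc["uid"]),
            "ses": sc.get("ses"),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "target": target,
        })
    return rows


def format_report(rows):
    lines = []
    for r in rows:
        who = "no login session (auid unset)" if r["auid"] is None else f"auid={r['auid']} ses={r['ses']}"
        status = "ok" if r["success"] else "FAILED"
        lines.append(f"{r['when']}  {r['action']:<7} {status:<6} {who:<32} uid={r['uid']} {r['exe']} -> {r['target']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python3 mountreport.py [/var/log/audit/audit.log]; without a file it runs on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(mount_report(text)))
```

On a single box `ausearch -k usb -i` already does this grouping and name resolution; a script like this is for the weekly roll-up over audit.log files copied off several standalone hosts. Note what auid=4294967295 means: the mount was done by a process with no login session behind it (an automounter started from init, for instance), so no user can be named from that record alone. A rule with an auid!=4294967295 filter would drop those events entirely, which is fine if you only care about manual mounts and not if you want to see automounts at all.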

Thraex
Posts: 51
Joined: 2019/05/14 19:50:28

Re: Aureport USB Usage

Post by Thraex » 2020/02/12 01:19:48

I'd actually stumbled across that topic and tried it out but ended up just grepping for usb in messages; didn't want to add an audit rule for multiple standalone systems. But thanks anyway!

ron7000
Posts: 162
Joined: 2019/01/15 20:00:28

Re: Aureport USB Usage

Post by ron7000 » 2020/02/12 21:36:40

Grepping for usb-storage in /var/log/messages seems to be the best way but it doesn't show the user account that mounted it.
The problem with this is that anyone can plug in a USB anything or insert a CD; Linux has no way of knowing who did that.
It could be done when no one is logged in.
Or someone can be screen-locked and someone else can do it; there is no real way of knowing.
Up until such time as it is manually mounted to be accessed, which would take root, which would have taken some user account to begin with before doing su or sudo to root. Especially if automount or autorun or whatever it is called in Linux is turned on, then things would auto-mount, generally into the /media/run/ folder. Potentially framing a user?

fwiw this audit rule

Code:

-w /dev -p war -k ABCD
will cause /var/log/audit/audit.log to somewhat capture a USB stick plug-in. There will be a bunch of events logged with the associated key "ABCD" and these are useless. But nearby there will be a line showing, for me anyway,

Code:

type=PATH   name="/dev/disk/by-id/usb-_Patriot_Memory_078C05B315FC -0:0"   ... blabla
that's the closest I was able to get with rhel/centos 7.6

Of interest might be /sys/kernel/debug/usb/devices,
which will have a listing with the manufacturer and serial number of all USB items connected. But it is real-time, so if someone plugs in a USB something, you have to check this file before they unplug the USB whatever. Triggering off an audit system call when a USB device is plugged in, to run a secondary program to diff this /sys/kernel/debug/usb/devices file and capture that diff, I think would be the best way to go. I think that would be a decent way of knowing what was plugged in; the when could be inferred from the audit log triggered on the system event seeing the USB device plugged in. How to do this, I don't know, maybe a kernel module?

Otherwise I think it would simply be a matter of falling back to an audit rule of capturing mount system events with something like these

Code:

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k MOUNT1
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k MOUNT2
-a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k MOUNT3
-a always,exit -F path=/usr/bin/umount -F auid>=1000 -F auid!=4294967295 -k MOUNT4
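An added example (mine, not code from the post) of the "diff /sys/kernel/debug/usb/devices" idea described above, in Python. It parses the T:/P:/S:/I: records of that file into one entry per device keyed by vendor:product:serial, diffs two snapshots, and reports what appeared or disappeared with manufacturer, product, serial, interface class and bound driver, which is the "what was plugged in" half of the problem. The two snapshots are constructed for the example (a root hub and a keyboard, then the same with a flash drive added; the vendor/product IDs are made up, the serial is the one from the by-id path quoted above). /var/lib/usbwatch/last.json as the state file is an assumed location.

```python
import json
import os
import re
import sys

USB_DEVICES = "/sys/kernel/debug/usb/devices"   # the file the post names (root-only, needs debugfs)
STATE_FILE = "/var/lib/usbwatch/last.json"      # assumed location for the previous snapshot

# USB interface class codes (USB-IF assignments), used only for readable labels
CLASS_NAMES = {"03": "HID", "07": "printer", "08": "mass-storage", "09": "hub",
               "0e": "video", "e0": "wireless"}

# Constructed snapshots in the format of /sys/kernel/debug/usb/devices:
# a root hub and a keyboard (no serial), then the same plus a flash drive.
BEFORE = """\
T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480  MxCh= 4
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev= 3.10
S:  Manufacturer=Linux 3.10.0 ehci_hcd
S:  Product=EHCI Host Controller
S:  SerialNumber=0000:00:1a.0
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  0mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=1.5  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=046d ProdID=c31c Rev=64.00
S:  Manufacturer=Logitech
S:  Product=USB Keyboard
C:* #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr= 90mA
I:* If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=01 Prot=01 Driver=usbhid
I:* If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
"""
STICK = """\
T:  Bus=01 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  5 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=13fe ProdID=4100 Rev= 1.00
S:  Manufacturer=Patriot Memory
S:  Product=Patriot Memory
S:  SerialNumber=078C05B315FC
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=200mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
"""
AFTER = BEFORE + STICK


def parse_usb_devices(text):
    """Parse T:/P:/S:/I: records into {identity: info}. Identity is vid:pid:serial, or
    vid:pid:@bus-devnum for devices that report no serial (so a re-plug looks new)."""
    devices, cur = [], None
    for line in text.splitlines():
        tag = line[:2]
        if tag == "T:":                       # a new device starts
            m = re.search(r"Bus=\s*(\d+).*Dev#=\s*(\d+)", line)
            cur = {"bus": int(m.group(1)), "devnum": int(m.group(2)), "vendor": "", "product": "",
                   "manufacturer": "", "name": "", "serial": "", "classes": [], "drivers": []}
            devices.append(cur)
        elif cur is None:
            continue
        elif tag == "P:":                     # vendor / product ids
            m = re.search(r"Vendor=([0-9a-f]{4}) ProdID=([0-9a-f]{4})", line)
            cur["vendor"], cur["product"] = m.group(1), m.group(2)
        elif tag == "S:":                     # string descriptors: "S:  Name=value"
            key, _, value = line[4:].partition("=")
            field = {"Manufacturer": "manufacturer", "Product": "name", "SerialNumber": "serial"}.get(key)
            if field:
                cur[field] = value.strip()
        elif tag == "I:":                     # interface: class code and bound kernel driver
            m = re.search(r"Cls=([0-9a-f]{2})\(.*?Driver=(\S+)", line)
            if m:
                for lst, val in ((cur["classes"], m.group(1)), (cur["drivers"], m.group(2))):
                    if val not in lst:
                        lst.append(val)
    return {f"{d['vendor']}:{d['product']}:" + (d["serial"] or f"@{d['bus']}-{d['devnum']}"): d
            for d in devices}


def diff_snapshots(old, new):
    """Return (added, removed) device infos between two parsed snapshots."""
    added = [new[k] for k in sorted(new) if k not in old]
    removed = [old[k] for k in sorted(old) if k not in new]
    return added, removed


def describe(dev):
    classes = ",".join(CLASS_NAMES.get(c, c) for c in dev["classes"]) or "?"
    return (f"{dev['vendor']}:{dev['product']} {dev['manufacturer']!r} {dev['name']!r} "
            f"serial={dev['serial'] or '(none)'} class={classes} driver={','.join(dev['drivers']) or '(none)'}")


def check_once(devices_path=USB_DEVICES, state_path=STATE_FILE):
    """Diff the live file against the last saved snapshot, save the new one, return the changes."""
    with open(devices_path) as f:
        now = parse_usb_devices(f.read())
    try:
        with open(state_path) as f:
            before = json.load(f)
    except FileNotFoundError:
        before = {}
    added, removed = diff_snapshots(before, now)
    os.makedirs(os.path.dirname(state_path), exist_ok=True)
    with open(state_path, "w") as f:
        json.dump(now, f)
    return added, removed


if __name__ == "__main__":
    if "--live" in sys.argv:                  # real run: needs root and debugfs mounted
        added, removed = check_once()
    else:                                     # demo on the constructed snapshots
        added, removed = diff_snapshots(parse_usb_devices(BEFORE), parse_usb_devices(AFTER))
    for d in added:
        print("USB added:", describe(d))
    for d in removed:
        print("USB removed:", describe(d))
```

Run it with --live from cron, a udev rule or an inotify-based watcher and pipe the output through logger, so the lines land in /var/log/messages with a timestamp next to the kernel's own usb-storage messages. It only answers "what" and "when": as the post says, the "who" still has to come from the audit trail of the mount or of the console session, and a device plugged in and pulled out between two runs is missed unless something event-driven triggers the check.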

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Aureport USB Usage

Post by KernelOops » 2020/02/13 05:32:52

Maybe you can use incrond, to monitor for changes under /sys/kernel/debug/usb/devices
--
R.I.P. CentOS :cry:
--

Thraex
Posts: 51
Joined: 2019/05/14 19:50:28

Re: Aureport USB Usage

Post by Thraex » 2020/02/13 13:26:46

Completely agree with your post ron and will most likely add that audit rule to my kickstart for future audit reports.

As of now, the report will show which user ran su or sudo, usb-storage is blacklisted and file changes should show up in the report, and messages will show usb and printer usage so it should be enough of a trail to find out who changed the blacklist or mounted anything with the added benefit of me not having to explain how to add a line to audit.rules to people that barely know anything about linux :)
