Capturing USB insertions and removal events with auditd



I am wondering how to use auditd, and specifically ausearch, to pull out USB thumbdrive insertion and removal events on my Red Hat Enterprise Linux 6 Server?


I can see very easily in the /var/log/messages file detailed logging when I insert a USB thumbdrive and when I then remove it. But I would really like to be able to use auditd's ausearch utility to pull these types of events out. Any ideas on what my audit.rule should be, and the syntax for ausearch to extract it for reporting purposes?


When I do look at the audit.log to see what is being captured when I insert the USB stick, I see indications of comm="usb_id"… But when I remove it, I do not see any USB text, only the umount command.


Thanks, I am relatively new to ausearch so any suggestions would be appreciated!


David A. Diaz

Minneapolis, MN


