[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Capturing USB insertions and removal events with auditd



On Fri, Sep 21, 2012 at 8:05 AM, Diaz, DavidA (Plymouth)
<DavidA Diaz atk com> wrote:
> Hi:
>
>
>
> I am wondering how to use auditd and specifically ausearch, to pull out USB
> thumbdrive event insertions and removals on my Redhat Enterprise Linux 6
> Server?
>
>
>
> I can see very easily in the /var/log/messages file detailed logging when I
> insert a USB thumbdrive and when I then remove it.  But I would really like
> to be able to use auditd’s ausearch utility to pull these types of events
> out.  Any ideas on what my audit.rule should be, and the syntax for ausearch
> to extract it for reporting purposes?
>
>
>
> When I do look at the audit.log to see what is being captured when I insert
> the USB stick, I see indications of comm=”usb_id”… But when I remove it, I
> do not see any usb text only the umount command.
>
>
>
> Thanks, I am relatively new to ausearch so any suggestions would be
> appreciated!
>

I'm not sure where RH6 automounts things, but this works on my Ubuntu
10.04 machine (usb is automounted to /media/<device name>)

auditctl -a exit,always -F arch=b64 -S mount -S umount2 -F dir=/media
-F success=1 -k usb

This generates logs like:

inserting:

type=SYSCALL msg=audit(1348240497.657:40): arch=c000003e syscall=165
success=yes exit=0 a0=20b6230 a1=20b62d0 a2=20b62f0
a3=ffffffffc0ed0006 items=2 ppid=1990 pid=5269 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="mount" exe="/bin/mount" key="usb"
type=CWD msg=audit(1348240497.657:40):  cwd="/"
type=PATH msg=audit(1348240497.657:40): item=0 name="/media/3930-6538"
inode=3932162 dev=fc:01 mode=040700 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1348240497.657:40): item=1 name=(null)
inode=1193948 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11

pulling usb drive out:

type=SYSCALL msg=audit(1348240843.086:45): arch=c000003e syscall=166
success=yes exit=0 a0=974eb0 a1=2 a2=0 a3=7fff202c7230 items=1
ppid=1990 pid=6972 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="umount"
exe="/bin/umount" key="usb"
type=CWD msg=audit(1348240843.086:45):  cwd="/"
type=PATH msg=audit(1348240843.086:45): item=0 name="/media/3930-6538"
inode=1 dev=08:11 mode=040700 ouid=11532 ogid=5000 rdev=00:00


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]