Auditing USB Question

lists_todd at mac.com
Thu Aug 1 00:43:58 UTC 2013


On Jul 31, 2013, at 8:41 AM, Josh <jokajak at gmail.com> wrote:

> I'd like to audit the insertion and removal of all USB devices but I'm not sure where to start.
> 
> Do I need to be auditing a specific syscall, should it be a udev configuration?
> 
> Any tips would be greatly appreciated.

On my Mac (and BSM) I use syslog data to identify USB inserts, which includes the USB's manufacturer, model number, and serial number. Then I look at the mount command in the BSM data to see where it was mounted in the file system. Since I monitor all file reads and writes in BSM, I can also tell what files were read from or written to that USB thumb drive.

See if the Linux syslog messages contain the USB insert information.

Todd
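
As an added example (not part of the original post or the thread's own code), this is one way to check Linux syslog for the USB insert information discussed above: it pairs the kernel's "New USB device found" and "USB disconnect" messages per port and collects the manufacturer, product and serial number lines. The traditional syslog line prefix, the function name `usb_events` and the sample lines are assumptions; the sample lines are constructed, not captured from a real host.

```python
import re

# Constructed sample of Linux kernel syslog lines (assumed format, not real capture).
SAMPLE_LOG = """\
Aug  1 09:12:01 host1 kernel: [ 1201.100000] usb 1-1: new high-speed USB device number 5 using ehci-pci
Aug  1 09:12:01 host1 kernel: [ 1201.230000] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd
Aug  1 09:12:01 host1 kernel: [ 1201.230010] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Aug  1 09:12:01 host1 kernel: [ 1201.230020] usb 1-1: Product: Example Flash Drive
Aug  1 09:12:01 host1 kernel: [ 1201.230030] usb 1-1: Manufacturer: ExampleCorp
Aug  1 09:12:01 host1 kernel: [ 1201.230040] usb 1-1: SerialNumber: CONSTRUCTED0001
Aug  1 09:30:44 host1 kernel: [ 2324.500000] usb 1-1: USB disconnect, device number 5
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel:(?: \[[^\]]*\])? usb (?P<port>[\d.-]+): (?P<msg>.*)$")
FOUND = re.compile(r"New USB device found, idVendor=(\w{4}), idProduct=(\w{4})")
FIELD = re.compile(r"^(Product|Manufacturer|SerialNumber): (.*)$")

def usb_events(log_text):
    """Return a list of insert/remove events, one dict per event."""
    events, open_by_port = [], {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a kernel USB message
        ts, port, msg = m.group("ts", "port", "msg")
        found = FOUND.search(msg)
        field = FIELD.match(msg)
        if found:
            ev = {"action": "insert", "time": ts, "port": port,
                  "vendor_id": found.group(1), "product_id": found.group(2)}
            events.append(ev)
            open_by_port[port] = ev  # descriptor lines that follow attach here
        elif field and port in open_by_port:
            open_by_port[port][field.group(1).lower()] = field.group(2).strip()
        elif msg.startswith("USB disconnect"):
            dev = open_by_port.pop(port, {})  # removal without a seen insert is still logged
            events.append({"action": "remove", "time": ts, "port": port,
                           "serialnumber": dev.get("serialnumber")})
    return events

if __name__ == "__main__":
    for e in usb_events(SAMPLE_LOG):
        print(e)
```

Not every device reports a serial number or manufacturer string, so the insert record may carry only the vendor and product IDs.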




