
Monitoring the connection of USB drives and logging file operations

Given:

Tasks:


A necessary digression. I will not discuss the moral aspects of monitoring employees in this way. There are corporate standards and corporate security requirements that employees are familiar with.

1. Detecting the connection of a USB device


To do this I used udev's ability to run a script when a device event occurs. Create a rules file that will handle the connection and disconnection of USB storage devices:
touch /etc/udev/rules.d/usb.rules

Contents of the usb.rules file (each rule is a single line):

 ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb|mmc|memstick|ieee1394", RUN+="/bin/bash /etc/udev/usb_on.sh %E{ID_SERIAL_SHORT} %E{ID_MODEL} %E{ID_VENDOR}"
 ACTION=="remove", SUBSYSTEM=="block", ENV{ID_BUS}=="usb|mmc|memstick|ieee1394", RUN+="/bin/bash /etc/udev/usb_off.sh %E{ID_SERIAL_SHORT} %E{ID_MODEL} %E{ID_VENDOR}"

Two details to keep in mind: the rules match both the whole disk and each of its partitions, so a stick with one partition produces two "add" events (add ENV{DEVTYPE}=="disk" to the match if one record per device is wanted), and when a property such as ID_SERIAL_SHORT is empty its %E{...} substitution expands to nothing, so the remaining arguments shift one position to the left.

Where:
ACTION=="add" and ACTION=="remove" select the attach and detach events;
SUBSYSTEM=="block" limits the rule to block devices, i.e. storage rather than, say, a USB keyboard;
ENV{ID_BUS}=="usb|mmc|memstick|ieee1394" limits it further to removable buses;
RUN+= runs the given script once the event has been processed.

The rules pass the following device data to usb_on.sh and usb_off.sh as positional arguments:
$1: ID_SERIAL_SHORT, the device serial number;
$2: ID_MODEL, the model name;
$3: ID_VENDOR, the vendor name.


Script usb_on.sh:
 #!/bin/bash
 # $1 = serial, $2 = model, $3 = vendor, as passed by the udev rule
 /usr/bin/curl -d "host=$(hostname)&serial=$1&name=$2&vendor=$3&file=on&sub=true" --noproxy 10.0.40.16 http://10.0.40.16/usb/input.php

Script usb_off.sh:
 #!/bin/bash
 # same arguments; only the file field differs
 /usr/bin/curl -d "host=$(hostname)&serial=$1&name=$2&vendor=$3&file=off&sub=true" --noproxy 10.0.40.16 http://10.0.40.16/usb/input.php

These scripts do a single thing: they send an HTTP POST request to 10.0.40.16/usb/input.php (the --noproxy 10.0.40.16 option makes curl bypass the proxy server for this host). The POST request carries the following variables:
host: the name of the PC the device was plugged into;
serial, name, vendor: the three arguments received from udev;
file: "on" for a connection and "off" for a disconnection (the same field later carries the file lists);
sub: the name of the form's submit button, sent as "true" so the handler treats the request like a submitted form.

The values are interpolated into the body without URL encoding, so a model or vendor string containing "&" or "=" would corrupt the request; curl's --data-urlencode option avoids that.


2. Collecting the information on the server

As the usb_on.sh and usb_off.sh scripts show, all the information is sent to a PHP script, which consists of a simple web form (for manual entry) and a request handler.

 <form action="" method="post" enctype="multipart/form-data">
     <input type="submit" name="sub" value="">
     <input type="text" name="host" maxlength=255 size=100>
     <input type="text" name="serial" maxlength=255 size=100>
     <input type="text" name="name" maxlength=255 size=100>
     <input type="text" name="vendor" maxlength=255 size=100>
     <textarea id="file" name="file"></textarea>
 </form>


The handler does one thing: it inserts the received data into the usb table of a MySQL database. The original called mysql_query() with the POST fields interpolated straight into the SQL string, which is a textbook SQL injection (the mysql_* functions are also gone from PHP 7); the same insert with a prepared statement looks like this:

 // $db is assumed to be an established mysqli connection; `date` holds a Unix timestamp
 $time = time();
 $stmt = $db->prepare("INSERT INTO `usb` (`date`, `host`, `ip`, `serial`, `name`, `vendor`, `file`) VALUES (?, ?, ?, ?, ?, ?, ?)");
 $stmt->bind_param('issssss', $time, $_POST['host'], $_SERVER['REMOTE_ADDR'], $_POST['serial'], $_POST['name'], $_POST['vendor'], $_POST['file']);
 $stmt->execute();

Bear in mind that the endpoint accepts unauthenticated POSTs from any address that can reach it, and the host field is whatever the client claims; only ip, taken from REMOTE_ADDR, is outside the client's control, and that only as far as the network is.


Table structure:

 CREATE TABLE IF NOT EXISTS `usb` (
   `id` int(11) NOT NULL AUTO_INCREMENT,
   `date` bigint(20) NOT NULL,
   `ip` varchar(15) COLLATE utf8_bin NOT NULL,
   `host` varchar(50) COLLATE utf8_bin NOT NULL,
   `serial` varchar(100) COLLATE utf8_bin NOT NULL,
   `name` varchar(100) COLLATE utf8_bin NOT NULL,
   `vendor` varchar(100) COLLATE utf8_bin NOT NULL,
   `file` text COLLATE utf8_bin,
   PRIMARY KEY (`id`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin AUTO_INCREMENT=1 ;

Note that ip varchar(15) fits only dotted IPv4 addresses; 45 characters are needed if clients may report over IPv6.


3. Monitoring file operations

To track the operations performed on files on a connected medium, the following script was written:
 #!/bin/bash
 # Arguments as in the original: $2 = serial, $3 = model, $4 = vendor
 # ($1 is unused); they let the records be matched to the device.
 CHECK=/var/tmp/usb.check
 touch "$CHECK"            # checkpoint: anything newer than this file gets reported

 while true
 do
     if [ -f "$CHECK" ]
     then
         # files under /media with access, status-change or modification
         # time newer than the checkpoint
         ACCESS=$(find /media -anewer "$CHECK" -type f)
         CREATE=$(find /media -cnewer "$CHECK" -type f)
         MODIFY=$(find /media -newer  "$CHECK" -type f)
         # the list goes in the file field; --data-urlencode keeps newlines
         # and special characters in file names from breaking the request
         if [ -n "$ACCESS" ]
         then
             /usr/bin/curl -d "host=$(hostname)&serial=$2&name=$3&vendor=$4&sub=true" --data-urlencode "file=access $ACCESS" --noproxy 10.0.40.16 http://10.0.40.16/usb/input.php
         fi
         if [ -n "$CREATE" ]
         then
             /usr/bin/curl -d "host=$(hostname)&serial=$2&name=$3&vendor=$4&sub=true" --data-urlencode "file=create $CREATE" --noproxy 10.0.40.16 http://10.0.40.16/usb/input.php
         fi
         if [ -n "$MODIFY" ]
         then
             /usr/bin/curl -d "host=$(hostname)&serial=$2&name=$3&vendor=$4&sub=true" --data-urlencode "file=modify $MODIFY" --noproxy 10.0.40.16 http://10.0.40.16/usb/input.php
         fi
     fi
     touch "$CHECK"        # move the checkpoint forward
     sleep 5               # polling interval in seconds
 done


This script is added to the autostart (the boot.local file copied out in the deployment below) and runs in the background. Two limitations are worth knowing. find -cnewer compares the inode change time (ctime), not a creation time, so a chmod or chown also shows up as "create"; and with the default relatime mount option the access time is updated only when it is older than the modification time or more than a day old, so repeated reads within the polling window go unrecorded. Inotify-based tools (inotifywait from inotify-tools) report each operation as it happens and avoid both problems.
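The following is an added example, not the article's own code: a self-contained version of the client side (the usb_on.sh/usb_off.sh reports and the polling loop above) that percent-encodes every field before it enters the POST body and only contacts the collector when SEND=1, so the functions can be exercised offline. COLLECTOR_HOST defaults to the address used in the article; the mount root, the checkpoint file and the device identifiers are parameters.

```bash
#!/bin/bash
# Added example, not the article's own code: a self-contained version of the
# client side (the usb_on.sh/usb_off.sh reports and the polling loop of
# section 3) with two fixes. Every field is percent-encoded before it enters
# the POST body, and the collector is contacted only when SEND=1, so the
# functions can be exercised offline. COLLECTOR_HOST defaults to the address
# used in the article; the mount root and the checkpoint file are parameters.

COLLECTOR_HOST="${COLLECTOR_HOST:-10.0.40.16}"

# Percent-encode one string for an application/x-www-form-urlencoded body,
# byte by byte: od splits the input into hex bytes, awk maps each one.
urlencode() {
    printf '%s' "$1" | od -An -v -tx1 | LC_ALL=C awk '
        BEGIN {
            for (i = 0; i < 256; i++) {
                h = sprintf("%02x", i); c = sprintf("%c", i)
                enc[h] = (c ~ /^[A-Za-z0-9._~-]$/) ? c : "%" toupper(h)
            }
        }
        { for (i = 1; i <= NF; i++) printf "%s", enc[$i] }'
}

# Build the form body the article's input.php expects.
# Arguments: serial model vendor file-field
build_body() {
    printf 'host=%s&serial=%s&name=%s&vendor=%s&file=%s&sub=true' \
        "$(urlencode "${HOSTNAME:-$(uname -n)}")" \
        "$(urlencode "$1")" "$(urlencode "$2")" \
        "$(urlencode "$3")" "$(urlencode "$4")"
}

# Deliver one record. Without SEND=1 the request is printed instead of sent.
post_record() {
    body=$(build_body "$@")
    if [ "${SEND:-0}" = 1 ]; then
        curl -sS -d "$body" --noproxy "$COLLECTOR_HOST" \
            "http://$COLLECTOR_HOST/usb/input.php"
    else
        printf 'POST http://%s/usb/input.php\n%s\n' "$COLLECTOR_HOST" "$body"
    fi
}

# List files under $1 whose timestamps are newer than the checkpoint $2,
# one "<class> <path>" line each. The classes mirror the article's loop:
# access = atime, create = ctime (inode change, not a creation time),
# modify = mtime; a file may be listed under more than one class.
scan_since() {
    find "$1" -type f -anewer "$2" -exec printf 'access %s\n' {} +
    find "$1" -type f -cnewer "$2" -exec printf 'create %s\n' {} +
    find "$1" -type f -newer  "$2" -exec printf 'modify %s\n' {} +
}

# One polling step: report each non-empty class as its own record, then move
# the checkpoint forward so the next step only sees later changes.
# Arguments: mount-root checkpoint serial model vendor
report_changes() {
    for cls in access create modify; do
        list=$(scan_since "$1" "$2" |
               awk -v c="$cls" '$1 == c { sub(/^[^ ]+ /, ""); print }')
        if [ -n "$list" ]; then
            post_record "$3" "$4" "$5" "$cls $list"
        fi
    done
    touch "$2"
}

# Background loop equivalent to the article's script. Not run by default;
# a deployment would call, e.g.:
#   poll_loop /media /var/tmp/usb.check "$serial" "$model" "$vendor" &
poll_loop() {
    touch "$2"
    while true; do
        report_changes "$@"
        sleep 5
    done
}
```

Because urlencode works on raw bytes, file names with spaces, ampersands, newlines or non-ASCII characters arrive at the server intact; the dry-run output of post_record shows exactly what would be posted, which is also a convenient way to check a rule before deploying it.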
To retrieve the stored information, a PHP script was written that selects records from the database for a given period and for selected PCs. Example output:
[image: example output of the report script]

4. Rolling out to the PCs

Since there are quite a lot of PCs on the network, the rollout was done semi-automatically: a script reads the list of PCs from a file and copies the necessary files to each of them, using sshpass (to enter the password non-interactively) and scp (to copy).
First, the StrictHostKeyChecking directive in /etc/ssh/ssh_config is changed:
 StrictHostKeyChecking no

This makes ssh accept and record the host key of every PC it connects to for the first time, so the script is never stopped by a host-key prompt. It also means that a machine spoofing one of those addresses would receive the password; a safer equivalent is to collect the keys beforehand with ssh-keyscan into the known_hosts file, or to use StrictHostKeyChecking accept-new (OpenSSH 7.6 and later), which still refuses a changed key.

The distribution script itself:
 #!/bin/bash
 # hosts.conf: one PC per line, address in the first field.
 # The list is read into an array first so that scp cannot consume
 # the rest of the file through inherited stdin.
 mapfile -t hosts < hosts.conf
 for line in "${hosts[@]}"
 do
     remote=${line%% *}
     echo "$remote begin"
     /usr/bin/sshpass -p "root_password" /usr/bin/scp /home/user/usb_mon/usb.rules "admin@$remote:/etc/udev/rules.d/usb.rules"
     /usr/bin/sshpass -p "root_password" /usr/bin/scp /home/user/usb_mon/*.sh "admin@$remote:/etc/udev/"
     /usr/bin/sshpass -p "root_password" /usr/bin/scp /home/user/usb_mon/boot.local "admin@$remote:/etc/rc.d/boot.local"
     echo "$remote end"
 done

Note that sshpass -p puts the password on the command line, where every local user can read it with ps; sshpass -e takes it from the SSHPASS environment variable instead, and key-based authentication removes the password altogether.


Since some PCs may be switched off, the script is run with all of its output written to a log for later review:
 ./deploy.sh &> deploy.log & 
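The rollout above trades away two protections: the password travels on the sshpass command line, and disabling StrictHostKeyChecking means any host answering on a listed address receives it. As an added example (not the article's deploy.sh), here is the same rollout with key-based authentication and host keys pinned in a dedicated known_hosts file. The "admin" user, the key path, the source directory and the hosts.conf format are assumptions, and DRY_RUN=1 (the default) prints the commands instead of executing them.

```bash
#!/bin/bash
# Added example, not the article's deploy.sh: the rollout over hosts.conf with
# key-based authentication and pinned host keys, so neither a root password nor
# StrictHostKeyChecking=no is needed. Assumed: the key in DEPLOY_KEY is
# authorized for "admin" on every target (with write access under /etc),
# hosts.conf lists one PC per line (address in the first field, "#" starts a
# comment), and DRY_RUN=1 (the default) prints commands instead of running them.

SRC_DIR="${SRC_DIR:-/home/user/usb_mon}"
DEPLOY_KEY="${DEPLOY_KEY:-$HOME/.ssh/usb_mon_deploy}"
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/usb_mon_known_hosts}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s ' "$@"; printf '\n'
    else
        "$@"
    fi
}

# Addresses from a hosts.conf-style file: first field of every line that is
# neither blank nor a comment.
read_hosts() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# True when known_hosts file $2 has an unhashed entry naming host $1.
# (Entries written with ssh-keyscan -H are hashed; use "ssh-keygen -F host
# -f file" for those.)
host_pinned() {
    awk -v h="$1" '
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit !found }' "$2" 2>/dev/null
}

# Record the target's host key once. The first fetch is trust-on-first-use, so
# compare the fingerprint out of band; afterwards a changed key aborts the copy
# instead of handing credentials to an impostor.
pin_host() {
    if host_pinned "$1" "$KNOWN_HOSTS"; then
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ssh-keyscan -t ed25519,rsa %s >> %s\n' "$1" "$KNOWN_HOSTS"
    else
        ssh-keyscan -t ed25519,rsa "$1" >> "$KNOWN_HOSTS" 2>/dev/null
        host_pinned "$1" "$KNOWN_HOSTS"
    fi
}

# Copy files to a host using the pinned key store. BatchMode=yes fails instead
# of prompting, which is what a script running unattended needs.
# Arguments: host remote-path local-path...
scp_to() {
    host="$1"; dst="$2"; shift 2
    run scp -i "$DEPLOY_KEY" -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes -o BatchMode=yes "$@" "admin@$host:$dst"
}

# The article's three copies, for every host in the given hosts.conf.
deploy_all() {
    read_hosts "$1" | while read -r host; do
        echo "$host begin"
        if pin_host "$host"; then
            scp_to "$host" /etc/udev/rules.d/usb.rules "$SRC_DIR/usb.rules"
            scp_to "$host" /etc/udev/ "$SRC_DIR"/*.sh
            scp_to "$host" /etc/rc.d/boot.local "$SRC_DIR/boot.local"
        else
            echo "$host skipped: host key not recorded" >&2
        fi
        echo "$host end"
    done
}

# Usage, mirroring the article: DRY_RUN=0 deploy_all hosts.conf &> deploy.log
```

With a per-rollout known_hosts file the first run records each PC's key and every later run is pinned to it; a host whose key changes (reinstalled, or not the machine you think it is) makes scp fail loudly in deploy.log instead of silently reconnecting.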


P.S. Future plans

What needs to be finalized:

Source: https://habr.com/ru/post/223363/

