Monitor history of USB flash drives


I have to set up a monitoring system for our internet server, to monitor which USB flash drives (pen drives) are mounted and unmounted, and when. (This is to avoid misuse, and to capture which unauthorized device is/was connected.)

Is there any method to monitor flash drive information such as: a) serial number, b) make, c) model, d) capacity, e) label, f) time of mount/unmount, etc., and store it, so that the history can be viewed later?

I know there are a number of commands to monitor currently mounted USB devices, like lsusb and lshw. But how do I store that information?

Best Answer

Well, there is no ready-made software for that that I know of. But you can write your own script, which will be started when a pendrive is inserted into or removed from a USB port. This script would be run by udev if you add this to /etc/udev/rules.d/99-local.rules:

ACTION=="add|remove", SUBSYSTEM=="block", KERNEL=="sd*", RUN+="/usr/local/bin/usb-add.sh"

and then in this script you will have the following environment variables:

ACTION=add (or remove)
DEVLINKS='/dev/disk/by-id/usb-TDK_LoR_TF10_0703293903BE2444-0:0 /dev/disk/by-path/pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0'
DEVNAME=/dev/sdf
DEVPATH=/devices/pci0000:00/0000:00:16.2/usb7/7-1/7-1.1/7-1.1:1.0/host14/target14:0:0/14:0:0:0/block/sdf
DEVTYPE=disk ← this is important to check in script
ID_BUS=usb ← this is important to check in script
ID_FS_TYPE=
ID_INSTANCE=0:0
ID_MODEL=TF10 ← model
ID_MODEL_ENC='TF10\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ID_MODEL_ID=070a
ID_PART_TABLE_TYPE=dos
ID_PART_TABLE_UUID=686bc5da
ID_PATH=pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0
ID_PATH_TAG=pci-0000_00_16_2-usb-0_1_1_1_0-scsi-0_0_0_0
ID_REVISION=PMAP
ID_SERIAL=TDK_LoR_TF10_0703293903BE2444-0:0
ID_SERIAL_SHORT=0703293903BE2444 ← serial number
ID_TYPE=disk
ID_USB_DRIVER=usb-storage
ID_USB_INTERFACES=:080650:
ID_USB_INTERFACE_NUM=00
ID_VENDOR=TDK_LoR ← vendor
ID_VENDOR_ENC='TDK\x20LoR\x20'
ID_VENDOR_ID=0718

You can examine the pendrive with:

fdisk -l ${DEVNAME}

to get the capacity and partition layout, and do various things like that. You can store the information in a file or in a database; it is all up to you. You can even deny access to this device if you like, by sending a SCSI STOP UNIT and removing the drive from the system.

It is also important to check ${ID_BUS} to examine only USB devices, and to check ${DEVTYPE}, because the script will also be called for every partition on the USB device:

DEVLINKS='/dev/disk/by-id/usb-TDK_LoR_TF10_0703293903BE2444-0:0-part1 /dev/disk/by-label/BACKUPS /dev/disk/by-path/pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0-part1 /dev/disk/by-uuid/0FAA-E0EB'
DEVNAME=/dev/sdf1
DEVPATH=/devices/pci0000:00/0000:00:16.2/usb7/7-1/7-1.1/7-1.1:1.0/host18/target18:0:0/18:0:0:0/block/sdf/sdf1
DEVTYPE=partition
ID_BUS=usb
ID_FS_LABEL=BACKUPS ← filesystem label
ID_FS_LABEL_ENC=BACKUPS
ID_FS_TYPE=vfat
ID_FS_USAGE=filesystem
ID_FS_UUID=0FAA-E0EB
ID_FS_UUID_ENC=0FAA-E0EB
ID_FS_VERSION=FAT32
ID_INSTANCE=0:0
ID_MODEL=TF10
ID_MODEL_ENC='TF10\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ID_MODEL_ID=070a
ID_PART_ENTRY_DISK=8:80
ID_PART_ENTRY_NUMBER=1
ID_PART_ENTRY_OFFSET=2048
ID_PART_ENTRY_SCHEME=dos
ID_PART_ENTRY_SIZE=15104000 ← size ;)
ID_PART_ENTRY_TYPE=0xc
ID_PART_ENTRY_UUID=686bc5da-01
ID_PART_TABLE_TYPE=dos
ID_PART_TABLE_UUID=686bc5da
ID_PATH=pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0
ID_PATH_TAG=pci-0000_00_16_2-usb-0_1_1_1_0-scsi-0_0_0_0
ID_REVISION=PMAP
ID_SERIAL=TDK_LoR_TF10_0703293903BE2444-0:0
ID_SERIAL_SHORT=0703293903BE2444
ID_TYPE=disk
ID_USB_DRIVER=usb-storage
ID_USB_INTERFACES=:080650:
ID_USB_INTERFACE_NUM=00
ID_VENDOR=TDK_LoR
ID_VENDOR_ENC='TDK\x20LoR\x20'
ID_VENDOR_ID=0718

Maybe it is a good idea to limit access when ${DEVTYPE}=disk, but store information about all partitions (${DEVTYPE}=partition).

HTH, Cheers
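As an added example (not part of the original answer), here is a handler script for the udev rule above, meant to be installed as /usr/local/bin/usb-add.sh to match the RUN+= in the rule. It reads the udev environment variables listed in the answer, keeps only USB block devices (ID_BUS=usb, DEVTYPE=disk or partition), converts the sector count in ID_PART_ENTRY_SIZE to bytes, and appends one timestamped line per event to a log file. The log path /var/log/usb-events.log, the USB_EVENT_TS override, the sample event values and the function names are assumptions of this example, not anything the answer specifies.

```shell
#!/bin/sh
# Added example: udev RUN handler for USB block-device add/remove events.
# Assumes the rule from the answer invokes it, so udev supplies ACTION, DEVNAME,
# DEVTYPE, ID_BUS, ID_VENDOR, ID_MODEL, ID_SERIAL_SHORT, ID_FS_LABEL and
# ID_PART_ENTRY_SIZE in the environment. Log path and helper names are
# this example's own choices.

USB_LOG="${USB_LOG:-/var/log/usb-events.log}"

# Return 0 only for events worth recording: USB-attached block devices.
# The rule fires once for the whole disk (DEVTYPE=disk) and once per partition
# (DEVTYPE=partition); both are recorded, non-USB disks (e.g. ID_BUS=ata) are not.
usb_event_wanted() {
    [ "${ID_BUS:-}" = "usb" ] || return 1
    case "${DEVTYPE:-}" in
        disk|partition) return 0 ;;
        *) return 1 ;;
    esac
}

# Capacity in bytes. udev reports the partition size in 512-byte sectors in
# ID_PART_ENTRY_SIZE; for the whole disk, fall back to the sysfs size file,
# which is also in 512-byte sectors. Prints 0 if neither is available.
usb_size_bytes() {
    sectors="${ID_PART_ENTRY_SIZE:-}"
    if [ -z "$sectors" ] && [ -n "${DEVNAME:-}" ]; then
        sysfile="/sys/class/block/$(basename "$DEVNAME")/size"
        [ -r "$sysfile" ] && sectors=$(cat "$sysfile")
    fi
    [ -n "$sectors" ] || { echo 0; return; }
    echo $((sectors * 512))
}

# Build one log line: timestamp, action, device node, device type, vendor,
# model, serial, filesystem label ("-" when udev gives none) and size in bytes.
# USB_EVENT_TS (assumed, for testing) overrides the clock.
usb_event_record() {
    ts="${USB_EVENT_TS:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    printf '%s action=%s dev=%s type=%s vendor=%s model=%s serial=%s label=%s bytes=%s\n' \
        "$ts" "${ACTION:-?}" "${DEVNAME:-?}" "${DEVTYPE:-?}" \
        "${ID_VENDOR:-?}" "${ID_MODEL:-?}" "${ID_SERIAL_SHORT:-?}" \
        "${ID_FS_LABEL:--}" "$(usb_size_bytes)"
}

main() {
    usb_event_wanted || exit 0
    usb_event_record >> "$USB_LOG"
}

# Run the handler only when executed under the name the udev rule uses,
# so the functions can also be sourced and exercised with constructed
# environment values (as the sample below does).
case "$0" in
    */usb-add.sh|usb-add.sh) main ;;
esac

# Constructed sample event, mirroring the partition dump in the answer:
#   ACTION=add DEVNAME=/dev/sdf1 DEVTYPE=partition ID_BUS=usb ID_VENDOR=TDK_LoR \
#   ID_MODEL=TF10 ID_SERIAL_SHORT=0703293903BE2444 ID_FS_LABEL=BACKUPS \
#   ID_PART_ENTRY_SIZE=15104000 USB_LOG=/tmp/usb-events.log sh /usr/local/bin/usb-add.sh
```

udev runs RUN+= programs with a minimal environment and a timeout, so the handler only appends a line; a database insert or an alert should be fed from the log afterwards rather than done inside the event. Because the disk event carries the serial and vendor but no filesystem label, and the partition event carries the label and partition size, recording both (as the answer suggests) gives the complete picture for one insertion.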
