Monitoring USB drives on a Linux endpoint is essential for maintaining the security and integrity of the system. USB drives can serve as a potential entry point for malware and unauthorized data access. By monitoring these drives, administrators can detect and prevent the introduction of malicious software or unauthorized data transfers.
Additionally, monitoring USB drives helps in ensuring compliance with security policies and regulations, safeguarding sensitive data, and mitigating the risk of data breaches. It’s a proactive measure that enhances overall system security and protects against potential threats posed by external storage devices.
Out of the box, Wazuh provides a rule to monitor USB devices in Linux endpoints. However, the logs are limited and do not contain enough information about the event, as seen in the image below. Using udev rules, we can get richer logs about USB events.
In our previous blog post, we demonstrated how to use Wazuh to monitor and create filters for authorized and unauthorized USB drives in Windows endpoints. This blog post focuses on achieving the same result for Linux endpoints.
Infrastructure
We use the following infrastructure to demonstrate monitoring of USB drives on Linux endpoints with Wazuh:
- A pre-built, ready-to-use Wazuh OVA 4.7.0. Follow this guide to download the virtual machine (VM). This VM hosts the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard).
- An Ubuntu 22.04 LTS endpoint with Wazuh agent 4.7.0 installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the following installation guide.
Configuration
In this section, we configure the Ubuntu endpoint to utilize the udev utility to generate enhanced logs when a USB drive is connected to the endpoint. We also configure custom rules and a CDB list on the Wazuh server, enabling it to trigger an alert when an unauthorized USB device is connected to the Ubuntu endpoint.
Ubuntu endpoint
Linux devices come with the udev utility by default. udev is a device manager for the Linux kernel that dynamically manages device nodes in the /dev directory. It is responsible for recognizing and configuring devices as they are connected to or disconnected from the system. The udev utility makes it easier for users and applications to interact with hardware components.
We create a udev rule that detects when a USB device is connected to the monitored endpoint. The rule triggers a script that writes details about the event to a log file, which the Wazuh agent reads and forwards to the Wazuh server for analysis.
Perform the following steps to create the rule and configure the Wazuh agent for log collection.
1. Create a file named usb_detect.sh in the /var/ossec/bin/ directory:
# touch /var/ossec/bin/usb_detect.sh
2. Add the following script to the /var/ossec/bin/usb_detect.sh file:
#!/bin/bash
# Device attributes come from the environment variables udev exports to RUN programs.
log_file="/var/log/usb_detect.json"
vendor="$ID_VENDOR"
model="$ID_MODEL"
serial="$ID_SERIAL_SHORT"
device="$DEVNAME"
devtype="$DEVTYPE"
hostname=$(hostname)
# Build a single-line JSON record so the Wazuh agent can ingest it with log_format json.
json="{\"hostname\":\"$hostname\",\"vendor\":\"$vendor\",\"model\":\"$model\",\"serial\":\"$serial\",\"device\":\"$device\",\"type\":\"$devtype\"}"
echo "$json" >> "$log_file"
This script allows the udev utility to collect detailed information about the USB device that has been attached to the endpoint. It also writes the log to the /var/log/usb_detect.json JSON file, which can easily be ingested by Wazuh.
3. Change the file permission to ensure the script cannot be executed by others:
# chmod 700 /var/ossec/bin/usb_detect.sh
4. Create a file usb-detect.rules in the /etc/udev/rules.d/ directory:
# touch /etc/udev/rules.d/usb-detect.rules
5. Add the following rule to the file:
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/var/ossec/bin/usb_detect.sh"
6. Run the command below to reload the udev rules:
# udevadm control --reload
7. Append the configuration below to the Wazuh agent /var/ossec/etc/ossec.conf file to collect the logs from the /var/log/usb_detect.json file:
<ossec_config>
  <!-- Logcollector for udev USB detected Logs -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/usb_detect.json</location>
  </localfile>
</ossec_config>
8. Restart the Wazuh agent to apply the changes:
# systemctl restart wazuh-agent
Wazuh server
On the Wazuh server, we create a CDB list of authorized USB devices. Additionally, we create a custom rule to trigger an alert when an unauthorized USB device is connected to the monitored endpoint.
Detecting USB drives
Create the following rule to detect when a USB drive is connected to a monitored endpoint:
1. Add the following rule to the /var/ossec/etc/rules/local_rules.xml file:
<!-- Rule for USB monitoring in Linux -->
<group name="Linux, usb,">
  <rule id="111010" level="7">
    <field name="serial">\w+</field>
    <field name="type">usb_device</field>
    <description>A PNP device $(vendor) $(model) was connected to $(hostname).</description>
  </rule>
</group>
Where:
- Rule ID 111010 detects when a USB drive is connected to a Linux endpoint. The type field restricts the match to usb_device events, because the udev rule also runs the script for the usb_interface children and the block devices beneath the same physical device, which would otherwise produce duplicate alerts.
2. Restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager
Connecting a USB device to the monitored endpoint triggers the rule, as seen below.
In the image below, we can see more details about the USB device that is connected to the Ubuntu endpoint. We see information such as the serial number of the USB device, which is important for creating a whitelist of approved devices.
Filtering authorized and unauthorized USB drives
To detect when unauthorized USB drives are inserted into the monitored endpoint, we create a CDB (constant database) list. The list contains the serial number of authorized USB drives, which can be referenced by custom rules. Perform the following steps:
1. Create a CDB list, usb-drives, in the /var/ossec/etc/lists/ directory:
# touch /var/ossec/etc/lists/usb-drives
2. Add the extracted serial number followed by a colon (:) to the CDB list:
4C530001260524115055:
3. Add the configuration <list>etc/lists/usb-drives</list> to the <ruleset> block of the /var/ossec/etc/ossec.conf file:
<ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/amazon/aws-eventnames</list>
  <list>etc/lists/security-eventchannel</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  <list>etc/lists/usb-drives</list>
</ruleset>
4. Add the following rule to the previously created Linux, usb group in the /var/ossec/etc/rules/local_rules.xml file:
<!-- Rule for USB monitoring in Linux -->
<group name="Linux, usb,">
  <rule id="111010" level="7">
    <field name="serial">\w+</field>
    <field name="type">usb_device</field>
    <description>A PNP device $(vendor) $(model) was connected to $(hostname).</description>
  </rule>
  <rule id="111011" level="8">
    <if_sid>111010</if_sid>
    <list field="serial" lookup="not_match_key">etc/lists/usb-drives</list>
    <description>Unauthorized PNP device $(vendor) $(model) was connected to $(hostname).</description>
  </rule>
</group>
Where:
- Rule ID 111011 performs a lookup on the CDB list to detect if the connected USB drive is unauthorized.
5. Restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager
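To check a CDB list and the rule chain above before touching the manager, the following added example (not Wazuh code or part of the original post) replays constructed usb_detect.json lines through an emulation of rules 111010 and 111011. The log lines and the second and third serial numbers are made up; the CDB entry reuses the serial shown earlier in the post.

```python
import json
import re

# Constructed sample of /var/log/usb_detect.json as written by usb_detect.sh;
# only the first serial is the post's own value, the others are placeholders.
SAMPLE_LOG = """\
{"hostname":"ubuntu-endpoint","vendor":"SanDisk","model":"Cruzer","serial":"4C530001260524115055","device":"/dev/bus/usb/001/004","type":"usb_device"}
{"hostname":"ubuntu-endpoint","vendor":"SanDisk","model":"Cruzer","serial":"4C530001260524115055","device":"","type":"usb_interface"}
{"hostname":"ubuntu-endpoint","vendor":"Generic","model":"Flash_Disk","serial":"ZZ99EXAMPLE0001","device":"/dev/bus/usb/001/005","type":"usb_device"}
{"hostname":"ubuntu-endpoint","vendor":"Logitech","model":"Receiver","serial":"","device":"/dev/bus/usb/001/006","type":"usb_device"}
"""

# Constructed CDB list in the key:value format of /var/ossec/etc/lists/usb-drives.
SAMPLE_CDB = "4C530001260524115055:\n"


def load_cdb_keys(text):
    """Return the set of CDB keys: the part of each line before the first ':'."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.split(":", 1)[0])
    return keys


def evaluate(event, authorized):
    """Emulate rules 111010/111011 for one event; return (rule_id, description) or None."""
    serial = event.get("serial", "")
    # Rule 111010: serial must match \w+ and the udev DEVTYPE must be usb_device,
    # which drops the usb_interface events the udev rule also produces.
    if not re.fullmatch(r"\w+", serial) or event.get("type") != "usb_device":
        return None
    desc = "{vendor} {model} was connected to {hostname}.".format(**event)
    # Rule 111011: lookup="not_match_key" fires when the serial is not a list key.
    if serial not in authorized:
        return (111011, "Unauthorized PNP device " + desc)
    return (111010, "A PNP device " + desc)


def run(log_text, cdb_text):
    """Replay every log line through the rule chain and collect the alerts."""
    authorized = load_cdb_keys(cdb_text)
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            result = evaluate(json.loads(line), authorized)
            if result:
                alerts.append(result)
    return alerts
```

Running run(SAMPLE_LOG, SAMPLE_CDB) yields one level 7 alert for the listed drive and one level 8 alert for the unlisted one; the usb_interface event and the device without a serial produce nothing.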
Testing the configuration
We test the configuration by adding an unauthorized USB device to the monitored Ubuntu endpoint. An unauthorized device does not have its serial number in the CDB list. This triggers the unauthorized USB detection rule, as seen below.
Conclusion
While USB devices are convenient, they can serve as an entry point for malware or for data exfiltration. This blog post shows how Wazuh can be used for effective monitoring of USB devices that are connected to monitored endpoints.
Wazuh is a free and open source SIEM and XDR solution. Wazuh can be deployed and managed on-premises, or on the Wazuh cloud. Check out our community for support and updates.