Monitoring USB Drives in Linux Using Wazuh#

Introduction#

USB drives remain one of the most common vectors for malware introduction and data exfiltration in Linux environments. While convenient for legitimate data transfer, these devices can pose significant security risks if left unmonitored. Organizations need comprehensive visibility into USB device usage to maintain security compliance and prevent data breaches.

Wazuh provides powerful capabilities for monitoring USB activities on Linux endpoints:

🔍 Real-time Detection: Track USB device connections and disconnections
📊 Enhanced Logging: Capture detailed device information using udev rules
🚨 Unauthorized Device Alerts: Identify non-approved USB devices
🛡️ Policy Enforcement: Implement USB security policies across endpoints
📈 Compliance Support: Maintain audit trails for regulatory requirements

Understanding Linux USB Architecture#

How Linux Handles USB Devices#

1
flowchart TB
2
    subgraph "USB Device Connection Flow"
3
        U1[USB Device Connected] --> K1[Linux Kernel]
4
        K1 --> U2[udev Daemon]
5
        U2 --> U3[Device Node Creation]
6
        U3 --> U4[/dev/bus/usb/]
7

8
        U2 --> R1[udev Rules]
9
        R1 --> S1[Custom Scripts]
10
        S1 --> L1[Log Generation]
11
    end
12

13
    subgraph "Wazuh Integration"
14
        L1 --> W1[Wazuh Agent]
15
        W1 --> W2[Log Collection]
16
        W2 --> W3[Wazuh Server]
17
        W3 --> W4[Alert Generation]
18
    end
19

20
    style U2 fill:#4dabf7
21
    style S1 fill:#51cf66
22
    style W3 fill:#ffd43b

Default vs Enhanced Monitoring#

While Wazuh provides out-of-the-box USB monitoring, the default logs are limited:

1
# Default USB detection (limited information)
2
2023-12-13T10:15:30.123Z kernel: usb 2-1: new high-speed USB device

With udev rules, we can capture comprehensive device information:

1
{
2
  "hostname": "ubuntu-server",
3
  "vendor": "SanDisk",
4
  "model": "Ultra",
5
  "serial": "4C530001260524115055",
6
  "device": "/dev/sdb",
7
  "type": "usb_device"
8
}

Infrastructure Requirements#

Wazuh Server: Pre-built OVA 4.7.0 with all components
Linux Endpoint: Ubuntu 22.04 LTS with Wazuh agent 4.7.0
Prerequisites:
- udev utility (included by default in Linux)
- Root access for configuration
- Network connectivity to Wazuh server

Implementation Guide#

Phase 1: Configure udev Rules on Linux Endpoint#

Create USB Detection Script#

Create /var/ossec/bin/usb_detect.sh:

1
#!/bin/bash
2
# USB detection script for Wazuh
3

4
log_file="/var/log/usb_detect.json"
5
vendor="$ID_VENDOR"
6
model="$ID_MODEL"
7
serial="$ID_SERIAL_SHORT"
8
device="$DEVNAME"
9
devtype="$DEVTYPE"
10
hostname=$(hostname)
11

12
# Create JSON log entry
13
json="{\"hostname\":\"$hostname\",\"vendor\":\"$vendor\",\"model\":\"$model\",\"serial\":\"$serial\",\"device\":\"$device\",\"type\":\"$devtype\"}"
14

15
# Append to log file
16
echo "$json" >> "$log_file"

Set proper permissions:

1
chmod 700 /var/ossec/bin/usb_detect.sh

Create udev Rule#

Create /etc/udev/rules.d/usb-detect.rules:

1
# Trigger script when USB device is added
2
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/var/ossec/bin/usb_detect.sh"

Reload udev rules:

1
udevadm control --reload

Configure Wazuh Agent#

Add to /var/ossec/etc/ossec.conf:

1
<ossec_config>
2
  <!-- Logcollector for udev USB detected Logs -->
3
  <localfile>
4
    <log_format>json</log_format>
5
    <location>/var/log/usb_detect.json</location>
6
  </localfile>
7
</ossec_config>

Restart the agent:

1
systemctl restart wazuh-agent

Phase 2: Configure Wazuh Server#

Basic USB Detection Rules#

Add to /var/ossec/etc/rules/local_rules.xml:

1
<!-- Rule for USB monitoring in Linux-->
2
<group name="Linux,usb,">
3
  <rule id="111010" level="7">
4
    <field name="serial">\w+</field>
5
    <field name="type">usb_device</field>
6
    <description>A PNP device $(vendor) $(model) was connected to $(hostname).</description>
7
  </rule>
8
</group>

Create CDB List for Authorized Devices#

Create /var/ossec/etc/lists/usb-drives:

1
4C530001260524115055:
2
8C5300012605241ABC12:
3
1D530001260524115DEF:

Update /var/ossec/etc/ossec.conf:

1
<ruleset>
2
  <!-- Default ruleset -->
3
  <decoder_dir>ruleset/decoders</decoder_dir>
4
  <rule_dir>ruleset/rules</rule_dir>
5
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
6
  <list>etc/lists/audit-keys</list>
7
  <list>etc/lists/amazon/aws-eventnames</list>
8
  <list>etc/lists/security-eventchannel</list>
9

10
  <!-- User-defined ruleset -->
11
  <decoder_dir>etc/decoders</decoder_dir>
12
  <rule_dir>etc/rules</rule_dir>
13
  <list>etc/lists/usb-drives</list>
14
</ruleset>

Enhanced Detection Rules#

Update /var/ossec/etc/rules/local_rules.xml:

1
<!-- Rule for USB monitoring in Linux-->
2
<group name="Linux,usb,">
3
  <rule id="111010" level="7">
4
    <field name="serial">\w+</field>
5
    <field name="type">usb_device</field>
6
    <description>A PNP device $(vendor) $(model) was connected to $(hostname).</description>
7
  </rule>
8

9
  <rule id="111011" level="8">
10
    <if_sid>111010</if_sid>
11
    <list field="serial" lookup="not_match_key">etc/lists/usb-drives</list>
12
    <description>Unauthorized PNP device $(vendor) $(model) was connected to $(hostname).</description>
13
  </rule>
14
</group>

Restart Wazuh manager:

1
systemctl restart wazuh-manager

Advanced Configuration#

Enhanced udev Script with More Details#

Create an enhanced /var/ossec/bin/usb_detect_advanced.sh:

1
#!/bin/bash
2
# Enhanced USB detection script
3

4
log_file="/var/log/usb_detect.json"
5
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%S.%3NZ")
6

7
# Extract comprehensive device information
8
vendor="$ID_VENDOR"
9
vendor_id="$ID_VENDOR_ID"
10
model="$ID_MODEL"
11
model_id="$ID_MODEL_ID"
12
serial="$ID_SERIAL_SHORT"
13
device="$DEVNAME"
14
devtype="$DEVTYPE"
15
bus="$ID_BUS"
16
usb_version="$ID_USB_INTERFACES"
17
path="$DEVPATH"
18
hostname=$(hostname)
19
user=$(who | grep -E "(:0|tty7)" | cut -d' ' -f1 | head -n1)
20

21
# Check if device is mass storage
22
is_storage="false"
23
if [[ "$ID_USB_INTERFACES" == *":080650:"* ]]; then
24
    is_storage="true"
25
fi
26

27
# Get device capacity if it's storage
28
capacity="unknown"
29
if [[ "$is_storage" == "true" ]] && [[ -b "$device" ]]; then
30
    capacity=$(lsblk -b "$device" 2>/dev/null | grep -E "^${device##*/}" | awk '{print $4}')
31
fi
32

33
# Create detailed JSON log
34
json=$(cat <<EOF
35
{
36
  "timestamp": "$timestamp",
37
  "hostname": "$hostname",
38
  "user": "$user",
39
  "vendor": "$vendor",
40
  "vendor_id": "$vendor_id",
41
  "model": "$model",
42
  "model_id": "$model_id",
43
  "serial": "$serial",
44
  "device": "$device",
45
  "type": "$devtype",
46
  "bus": "$bus",
47
  "path": "$path",
48
  "is_storage": $is_storage,
49
  "capacity_bytes": "$capacity",
50
  "interfaces": "$usb_version"
51
}
52
EOF
53
)
54

55
echo "$json" >> "$log_file"
56

57
# Optional: Send notification to system log
58
logger -t USB_MONITOR "USB device connected: $vendor $model (Serial: $serial)"

Monitoring USB Removal#

Create /etc/udev/rules.d/usb-remove.rules:

1
# Monitor USB device removal
2
ACTION=="remove", SUBSYSTEMS=="usb", RUN+="/var/ossec/bin/usb_remove.sh"

Create /var/ossec/bin/usb_remove.sh:

1
#!/bin/bash
2
log_file="/var/log/usb_detect.json"
3
timestamp=$(date -u +"%Y-%m-%dT%H:%M:%S.%3NZ")
4
hostname=$(hostname)
5

6
json="{\"timestamp\":\"$timestamp\",\"hostname\":\"$hostname\",\"event\":\"usb_removed\",\"device\":\"$DEVNAME\",\"vendor\":\"$ID_VENDOR\",\"model\":\"$ID_MODEL\",\"serial\":\"$ID_SERIAL_SHORT\"}"
7
echo "$json" >> "$log_file"

Advanced Detection Rules#

1
<group name="Linux,usb,">
2
  <!-- Basic USB detection -->
3
  <rule id="111010" level="7">
4
    <field name="serial">\w+</field>
5
    <field name="type">usb_device</field>
6
    <description>USB device $(vendor) $(model) connected to $(hostname)</description>
7
  </rule>
8

9
  <!-- Unauthorized device -->
10
  <rule id="111011" level="8">
11
    <if_sid>111010</if_sid>
12
    <list field="serial" lookup="not_match_key">etc/lists/usb-drives</list>
13
    <description>Unauthorized USB device $(vendor) $(model) connected to $(hostname)</description>
14
  </rule>
15

16
  <!-- Mass storage device -->
17
  <rule id="111012" level="8">
18
    <if_sid>111010</if_sid>
19
    <field name="is_storage">true</field>
20
    <description>USB mass storage device $(vendor) $(model) connected to $(hostname)</description>
21
  </rule>
22

23
  <!-- Large capacity device -->
24
  <rule id="111013" level="9">
25
    <if_sid>111012</if_sid>
26
    <regex>capacity_bytes":\s*"(\d{11,})"</regex>
27
    <description>Large USB storage device (>10GB) connected to $(hostname)</description>
28
  </rule>
29

30
  <!-- USB device removal -->
31
  <rule id="111014" level="5">
32
    <field name="event">usb_removed</field>
33
    <description>USB device $(vendor) $(model) removed from $(hostname)</description>
34
  </rule>
35

36
  <!-- Multiple USB connections -->
37
  <rule id="111015" level="9" frequency="3" timeframe="60">
38
    <if_sid>111010</if_sid>
39
    <description>Multiple USB devices connected to $(hostname) in short time</description>
40
  </rule>
41
</group>

Monitoring and Response#

Real-time Monitoring Script#

Create /usr/local/bin/usb_monitor.sh:

1
#!/bin/bash
2
# Real-time USB monitoring script
3

4
echo "=== USB Device Monitor ==="
5
echo "Monitoring USB events on $(hostname)..."
6
echo ""
7

8
# Monitor udev events
9
udevadm monitor --udev --subsystem-match=usb | while read -r line; do
10
    if [[ "$line" == *"add"* ]] || [[ "$line" == *"remove"* ]]; then
11
        timestamp=$(date "+%Y-%m-%d %H:%M:%S")
12
        echo "[$timestamp] $line"
13

14
        # Get current USB devices
15
        echo "Current USB devices:"
16
        lsusb | grep -v "hub"
17
        echo "---"
18
    fi
19
done

Automated Response Script#

Create /var/ossec/active-response/bin/usb-block.sh:

1
#!/bin/bash
2
# Block unauthorized USB devices
3

4
ACTION=$1
5
USER=$2
6
IP=$3
7
ALERTID=$4
8
RULEID=$5
9

10
if [ "$ACTION" = "add" ] && [ "$RULEID" = "111011" ]; then
11
    # Log the action
12
    echo "$(date) - Blocking USB access due to unauthorized device" >> /var/log/usb_block.log
13

14
    # Create udev rule to block USB storage
15
    cat > /etc/udev/rules.d/99-usb-block.rules << EOF
16
# Block USB storage devices
17
SUBSYSTEMS=="usb", DRIVERS=="usb-storage", ATTR{authorized}="0"
18
EOF
19

20
    # Reload udev rules
21
    udevadm control --reload-rules
22

23
    # Eject currently connected unauthorized devices
24
    for device in $(ls /dev/disk/by-id/ | grep -i usb); do
25
        udisksctl unmount -b "/dev/disk/by-id/$device" 2>/dev/null
26
        udisksctl power-off -b "/dev/disk/by-id/$device" 2>/dev/null
27
    done
28
fi
29

30
if [ "$ACTION" = "delete" ]; then
31
    # Remove blocking rule
32
    rm -f /etc/udev/rules.d/99-usb-block.rules
33
    udevadm control --reload-rules
34
    echo "$(date) - USB access restored" >> /var/log/usb_block.log
35
fi

Troubleshooting#

Common Issues and Solutions#

Issue 1: udev Rules Not Triggering#

1
# Test udev rules
2
udevadm test /sys/class/block/sdb
3

4
# Monitor udev events
5
udevadm monitor --environment --udev
6

7
# Check rule syntax
8
udevadm control --reload-rules && udevadm trigger

Issue 2: JSON Parsing Errors#

1
# Validate JSON format
2
tail -n 1 /var/log/usb_detect.json | jq .
3

4
# Fix permissions
5
chmod 640 /var/log/usb_detect.json
6
chown root:ossec /var/log/usb_detect.json

Issue 3: Missing Device Information#

1
# Get complete device information
2
udevadm info --query=all --name=/dev/sdb
3

4
# List environment variables available to udev
5
udevadm info --export-db | grep -A10 "P: /devices/.*usb"

Debug Mode for udev Rules#

Create /etc/udev/rules.d/00-usb-debug.rules:

1
# Debug USB events
2
ACTION=="add|remove", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'echo USB_DEBUG: $env{ACTION} $env{DEVPATH} $env{ID_VENDOR} $env{ID_MODEL} >> /tmp/usb_debug.log'"

Best Practices#

1. USB Security Policy Implementation#

1
USB Security Policy:
2
  Allowed Devices:
3
    - Corporate-issued USB drives only
4
    - Devices must be encrypted
5
    - Serial numbers registered in CDB
6

7
  Monitoring Requirements:
8
    - All USB connections logged
9
    - Unauthorized devices blocked
10
    - Alerts sent to security team
11

12
  Response Procedures:
13
    - Immediate blocking of unauthorized devices
14
    - Investigation of all violations
15
    - User education on first offense

2. Regular Audits#

Create /usr/local/bin/usb_audit.sh:

1
#!/bin/bash
2
# USB device audit script
3

4
echo "=== USB Device Audit Report ==="
5
echo "Generated: $(date)"
6
echo ""
7

8
# Check authorized devices
9
echo "Authorized USB Devices:"
10
cat /var/ossec/etc/lists/usb-drives | grep -v "^#" | grep -v "^$"
11
echo ""
12

13
# Recent USB activity
14
echo "Recent USB Activity (Last 24 hours):"
15
grep "$(date -d '1 day ago' +%Y-%m-%d)" /var/log/usb_detect.json | \
16
    jq -r '.timestamp + " - " + .vendor + " " + .model + " (Serial: " + .serial + ")"'
17
echo ""
18

19
# Unauthorized attempts
20
echo "Unauthorized USB Attempts:"
21
grep "Unauthorized" /var/ossec/logs/alerts/alerts.json | \
22
    jq -r 'select(.rule.id == "111011") | .timestamp + " - " + .data.vendor + " " + .data.model'

3. Integration with Asset Management#

1
#!/usr/bin/env python3
2
# sync_usb_whitelist.py - Sync USB whitelist with asset management
3

4
import json
5
import requests
6

7
# Get authorized devices from asset management system
8
def get_authorized_devices():
9
    response = requests.get("https://assets.company.com/api/usb-devices")
10
    return response.json()
11

12
# Update Wazuh CDB list
13
def update_cdb_list(devices):
14
    with open("/var/ossec/etc/lists/usb-drives", "w") as f:
15
        f.write("# Auto-generated USB whitelist\n")
16
        f.write("# Last updated: " + datetime.now().isoformat() + "\n")
17
        for device in devices:
18
            f.write(f"{device['serial']}:\n")
19

20
    # Restart Wazuh manager
21
    os.system("systemctl restart wazuh-manager")
22

23
if __name__ == "__main__":
24
    devices = get_authorized_devices()
25
    update_cdb_list(devices)

Performance Optimization#

1. Log Rotation#

Configure logrotate for USB logs:

1
/var/log/usb_detect.json {
2
    daily
3
    rotate 30
4
    compress
5
    delaycompress
6
    missingok
7
    notifempty
8
    create 640 root ossec
9
    postrotate
10
        # Signal Wazuh to reopen log file
11
        /var/ossec/bin/wazuh-control reload
12
    endscript
13
}

2. Efficient udev Rules#

1
# Optimized udev rules with conditions
2
# Only monitor removable USB storage devices
3
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{removable}=="1", \
4
    ENV{ID_USB_DRIVER}=="usb-storage", \
5
    RUN+="/var/ossec/bin/usb_detect.sh"

Use Cases#

1. Data Loss Prevention#

1
<rule id="111016" level="10">
2
  <if_sid>111012</if_sid>
3
  <time>8:00 pm - 6:00 am</time>
4
  <description>USB storage connected after hours on $(hostname)</description>
5
  <options>alert_by_email</options>
6
</rule>

2. Compliance Monitoring#

1
#!/bin/bash
2
# Generate PCI DSS compliance report for USB usage
3

4
echo "PCI DSS USB Compliance Report"
5
echo "============================="
6
echo ""
7
echo "Requirement 2.3 - Encrypt all non-console administrative access"
8
echo "USB devices with encryption capability:"
9
grep "LUKS\\|BitLocker\\|FileVault" /var/log/usb_detect.json | wc -l
10
echo ""
11
echo "Requirement 9.7 - Maintain strict control over storage media"
12
echo "Unauthorized USB attempts in last 30 days:"
13
grep -c "111011" /var/ossec/logs/alerts/alerts.json

3. Forensic Investigation#

1
#!/bin/bash
2
# USB forensics script
3

4
TIMEFRAME="$1"  # e.g., "2023-12-01"
5

6
echo "USB Forensic Timeline for $TIMEFRAME"
7
echo "===================================="
8

9
# Extract all USB events
10
grep "$TIMEFRAME" /var/log/usb_detect.json | \
11
    jq -r '.timestamp + " | " + .hostname + " | " + .user + " | " + .vendor + " " + .model + " | " + .serial' | \
12
    sort
13

14
# Correlate with file access logs
15
echo -e "\nCorrelated File Access:"
16
for serial in $(grep "$TIMEFRAME" /var/log/usb_detect.json | jq -r .serial | sort -u); do
17
    echo "Serial: $serial"
18
    ausearch -ts "$TIMEFRAME" -m PATH | grep -i "removable\|media\|mnt" | head -5
19
done

Integration Examples#

1. SIEM Integration#

1
#!/usr/bin/env python3
2
# Forward USB events to external SIEM
3

4
import json
5
import requests
6
from datetime import datetime
7

8
def forward_to_siem(event):
9
    siem_endpoint = "https://siem.company.com/api/events"
10
    headers = {"Authorization": "Bearer YOUR_API_KEY"}
11

12
    # Enrich event data
13
    event["severity"] = "high" if event.get("unauthorized") else "medium"
14
    event["category"] = "hardware.usb"
15
    event["source"] = "wazuh"
16

17
    response = requests.post(siem_endpoint, json=event, headers=headers)
18
    return response.status_code == 200
19

20
# Monitor Wazuh alerts
21
with open("/var/ossec/logs/alerts/alerts.json", "r") as f:
22
    for line in f:
23
        try:
24
            alert = json.loads(line)
25
            if "111010" <= alert["rule"]["id"] <= "111015":
26
                forward_to_siem(alert)
27
        except:
28
            continue

2. Ticketing System Integration#

1
#!/bin/bash
2
# Create ticket for unauthorized USB
3

4
ALERT_FILE="$1"
5
TICKET_API="https://tickets.company.com/api/v2/tickets"
6

7
# Extract alert details
8
HOSTNAME=$(jq -r .agent.name "$ALERT_FILE")
9
USB_INFO=$(jq -r '.data | "\(.vendor) \(.model) (Serial: \(.serial))"' "$ALERT_FILE")
10
USER=$(jq -r .data.user "$ALERT_FILE")
11

12
# Create ticket
13
curl -X POST "$TICKET_API" \
14
    -H "Content-Type: application/json" \
15
    -d "{
16
        \"title\": \"Unauthorized USB Device Detected\",
17
        \"description\": \"An unauthorized USB device was connected to $HOSTNAME by user $USER.\nDevice: $USB_INFO\",
18
        \"priority\": \"high\",
19
        \"category\": \"security_incident\"
20
    }"

Conclusion#

Implementing comprehensive USB monitoring on Linux systems with Wazuh provides organizations with:

✅ Complete visibility into USB device usage across all endpoints
🔒 Enhanced security through real-time threat detection
📊 Detailed forensics with comprehensive device information
🚀 Automated response capabilities for policy violations
🛡️ Protection against data exfiltration and malware introduction

By leveraging Linux’s powerful udev subsystem combined with Wazuh’s robust SIEM capabilities, organizations can maintain strict control over USB device usage while enabling legitimate business needs.

Key Takeaways#

udev Rules: Leverage Linux’s device management for detailed logging
JSON Logging: Structure logs for easy parsing and analysis
CDB Lists: Maintain centralized control of authorized devices
Custom Rules: Create targeted detection for your environment
Automation: Implement automated responses to security violations

Resources#

Secure your Linux infrastructure against USB threats. Monitor, detect, respond! 🐧🛡️