Monitoring USB Drives in macOS Using Wazuh#

Introduction#

USB drives are essential tools for transferring files on macOS systems, providing a quick and simple way to share documents, photos, and more between devices. Their plug-and-play nature makes them incredibly convenient for users. However, this convenience comes with significant security risks. USB drives can carry malware, potentially compromising your macOS systems and spreading threats across your network.

Organizations must proactively implement real-time tracking and analysis of USB drive activities to effectively address these security concerns. Wazuh provides a robust solution for enhancing macOS security by:

🔍 Real-time USB Monitoring: Track all USB device connections and disconnections
🚨 Anomaly Detection: Identify unauthorized or suspicious USB activities
📊 Detailed Event Logging: Capture comprehensive device information
🛡️ Policy Enforcement: Implement and monitor USB security policies
📈 Centralized Visibility: Monitor USB activities across all macOS endpoints

Understanding the Challenge#

Security Risks of USB Drives#

1
flowchart TB
2
    subgraph "USB Security Threats"
3
        T1[Malware Distribution]
4
        T2[Data Exfiltration]
5
        T3[Unauthorized Access]
6
        T4[BadUSB Attacks]
7
        T5[Social Engineering]
8
    end
9

10
    subgraph "Impact on Organization"
11
        I1[System Compromise]
12
        I2[Data Breach]
13
        I3[Network Infection]
14
        I4[Compliance Violations]
15
    end
16

17
    T1 --> I1
18
    T1 --> I3
19
    T2 --> I2
20
    T3 --> I2
21
    T3 --> I4
22
    T4 --> I1
23
    T5 --> I1
24

25
    style T1 fill:#ff6b6b
26
    style T2 fill:#ff6b6b
27
    style T3 fill:#ff6b6b
28
    style T4 fill:#ff6b6b
29
    style T5 fill:#ff6b6b

macOS USB Architecture#

1
flowchart LR
2
    subgraph "macOS USB Stack"
3
        U1[USB Device] --> K1[Kernel Driver]
4
        K1 --> I1[IOKit Framework]
5
        I1 --> U2[User Space]
6
    end
7

8
    subgraph "Wazuh Integration"
9
        U2 --> S1[Swift Monitor]
10
        S1 --> L1[Log File]
11
        L1 --> W1[Wazuh Agent]
12
        W1 --> W2[Wazuh Server]
13
    end
14

15
    style I1 fill:#4dabf7
16
    style S1 fill:#51cf66
17
    style W2 fill:#ffd43b

Infrastructure Requirements#

For this implementation, you’ll need:

Wazuh Server: Pre-built OVA 4.7.2 with all core components
macOS Endpoint: macOS Sonoma 14.3 with Wazuh agent 4.7.2 installed
Development Tools: Xcode command line tools for Swift compilation
Network: Connectivity between macOS endpoints and Wazuh server

Implementation Guide#

Phase 1: Configure Swift USB Monitor#

Install Development Tools#

1
# Install Xcode command line tools
2
xcode-select --install
3

4
# Verify Swift compiler installation
5
swiftc --version

Expected output:

1
Apple Swift version 5.9.2 (swiftlang-5.9.2.2.56 clang-1500.1.0.2.5)
2
Target: x86_64-apple-darwin23.3.0

Prepare Logging Infrastructure#

1
# Create USB monitor log file
2
touch /var/log/usb_monitor.log
3

4
# Set appropriate permissions
5
chmod 640 /var/log/usb_monitor.log
6

7
# Download USB vendor/product database
8
curl http://www.linux-usb.org/usb.ids -o /Library/Ossec/etc/usb.ids
9

10
# Fix potential encoding issues
11
iconv -f iso-8859-1 -t utf-8 /Library/Ossec/etc/usb.ids > usb-utf8.ids && \
12
mv usb-utf8.ids /Library/Ossec/etc/usb.ids

Create USB Monitor Script#

Create /Library/Ossec/etc/USBMonitor.swift:

1
import Foundation
2
import IOKit
3
import IOKit.usb
4

5
// USB Event structure for JSON logging
6
struct USBEvent: Codable {
7
    var eventType: String
8
    var timestamp: String
9
    var deviceInfo: [String: String]
10

11
    init(eventType: String, deviceInfo: [String: String]) {
12
        self.eventType = eventType
13
        self.deviceInfo = deviceInfo
14
        self.timestamp = USBEvent.currentLocalTimestamp()
15
    }
16

17
    private static func currentLocalTimestamp() -> String {
18
        let formatter = DateFormatter()
19
        formatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSZZZZZ"
20
        formatter.timeZone = TimeZone.current
21
        return formatter.string(from: Date())
22
    }
23
}
24

25
// Vendor/Product mapping
26
var usbVendorProductMap = [String: [String: String]]()
27

28
// Parse USB IDs database
29
func parseUSBIDs(from filePath: String) {
30
    do {
31
        let content = try String(contentsOfFile: filePath, encoding: .utf8)
32
        var currentVendorID: String?
33

34
        for line in content.split(whereSeparator: \.isNewline) {
35
            let trimmedLine = line.trimmingCharacters(in: .whitespaces)
36
            if trimmedLine.isEmpty || trimmedLine.hasPrefix("#") { continue }
37

38
            if line.first!.isNumber {
39
                let components = trimmedLine.split(separator: " ", maxSplits: 1)
40
                if components.count == 2 {
41
                    currentVendorID = String(components[0])
42
                    let vendorName = String(components[1])
43
                    usbVendorProductMap[currentVendorID!] = ["": vendorName]
44
                }
45
            } else if line.first == "\t", let vendorID = currentVendorID {
46
                let components = trimmedLine.split(separator: " ", maxSplits: 1)
47
                if components.count == 2 {
48
                    let productID = String(components[0])
49
                    let productName = String(components[1])
50
                    usbVendorProductMap[vendorID]?[productID] = productName
51
                }
52
            }
53
        }
54
    } catch {
55
        print("Failed to read or parse USB IDs file: \(error)")
56
    }
57
}
58

59
// Log USB events to file
60
func logUSBEvent(event: USBEvent, to filePath: String) {
61
    let encoder = JSONEncoder()
62
    if let jsonData = try? encoder.encode(event),
63
       let jsonString = String(data: jsonData, encoding: .utf8) {
64
        do {
65
            try jsonString.appendLineToURL(fileURL: URL(fileURLWithPath: filePath))
66
        } catch {
67
            print("Failed to write to log file: \(error)")
68
        }
69
    }
70
}
71

72
// File writing extensions
73
extension String {
74
    func appendLineToURL(fileURL: URL) throws {
75
        try (self + "\n").appendToFile(fileURL: fileURL)
76
    }
77

78
    func appendToFile(fileURL: URL) throws {
79
        let data = self.data(using: .utf8)!
80
        try data.append(fileURL: fileURL)
81
    }
82
}
83

84
extension Data {
85
    func append(fileURL: URL) throws {
86
        if let fileHandle = FileHandle(forWritingAtPath: fileURL.path) {
87
            defer { fileHandle.closeFile() }
88
            fileHandle.seekToEndOfFile()
89
            fileHandle.write(self)
90
        } else {
91
            try write(to: fileURL, options: .atomic)
92
        }
93
    }
94
}
95

96
// Extract device information using IOKit
97
func extractDeviceInfo(device: io_object_t) -> [String: String] {
98
    var deviceInfo = [String: String]()
99

100
    let vendorIDKey = kUSBVendorID as String
101
    let productIDKey = kUSBProductID as String
102
    let serialNumberKey = kUSBSerialNumberString as String
103

104
    // Extract Vendor ID
105
    if let vendorIDRef = IORegistryEntrySearchCFProperty(
106
        device, kIOServicePlane, vendorIDKey as CFString,
107
        kCFAllocatorDefault,
108
        IOOptionBits(kIORegistryIterateRecursively | kIORegistryIterateParents)
109
    ), CFGetTypeID(vendorIDRef) == CFNumberGetTypeID() {
110
        var vendorID: Int = 0
111
        CFNumberGetValue((vendorIDRef as! CFNumber), CFNumberType.intType, &vendorID)
112
        let hexVendorID = String(format: "%04x", vendorID)
113
        deviceInfo[vendorIDKey] = hexVendorID
114

115
        if let vendorName = usbVendorProductMap[hexVendorID]?[""] {
116
            deviceInfo["vendorName"] = vendorName
117
        }
118
    }
119

120
    // Extract Product ID
121
    if let productIDRef = IORegistryEntrySearchCFProperty(
122
        device, kIOServicePlane, productIDKey as CFString,
123
        kCFAllocatorDefault,
124
        IOOptionBits(kIORegistryIterateRecursively | kIORegistryIterateParents)
125
    ), CFGetTypeID(productIDRef) == CFNumberGetTypeID() {
126
        var productID: Int = 0
127
        CFNumberGetValue((productIDRef as! CFNumber), CFNumberType.intType, &productID)
128
        let hexProductID = String(format: "%04x", productID)
129
        deviceInfo[productIDKey] = hexProductID
130

131
        if let vendorID = deviceInfo[vendorIDKey],
132
           let productName = usbVendorProductMap[vendorID]?[hexProductID] {
133
            deviceInfo["productName"] = productName
134
        }
135
    }
136

137
    // Extract Serial Number
138
    if let serialNumberRef = IORegistryEntrySearchCFProperty(
139
        device, kIOServicePlane, serialNumberKey as CFString,
140
        kCFAllocatorDefault,
141
        IOOptionBits(kIORegistryIterateRecursively | kIORegistryIterateParents)
142
    ) as? String {
143
        deviceInfo[serialNumberKey] = serialNumberRef
144
    }
145

146
    return deviceInfo
147
}
148

149
// USB device callback
150
func usbDeviceCallback(context: UnsafeMutableRawPointer?,
151
                      iterator: io_iterator_t,
152
                      eventType: String) {
153
    var device: io_object_t
154
    repeat {
155
        device = IOIteratorNext(iterator)
156
        if device != 0 {
157
            let deviceInfo = extractDeviceInfo(device: device)
158
            let event = USBEvent(eventType: eventType, deviceInfo: deviceInfo)
159
            logUSBEvent(event: event, to: "/var/log/usb_monitor.log")
160
            IOObjectRelease(device)
161
        }
162
    } while device != 0
163
}
164

165
// Main monitoring setup
166
let notifyPort = IONotificationPortCreate(kIOMainPortDefault)
167
let runLoopSource = IONotificationPortGetRunLoopSource(notifyPort).takeRetainedValue()
168
CFRunLoopAddSource(CFRunLoopGetCurrent(), runLoopSource, CFRunLoopMode.defaultMode)
169

170
// Parse USB IDs database
171
parseUSBIDs(from: "/Library/Ossec/etc/usb.ids")
172

173
// Setup device notifications
174
var deviceAddedIter = io_iterator_t()
175
var deviceRemovedIter = io_iterator_t()
176
let matchingDict = IOServiceMatching(kIOUSBDeviceClassName) as NSMutableDictionary
177

178
// Monitor device connections
179
IOServiceAddMatchingNotification(notifyPort, kIOFirstMatchNotification, matchingDict,
180
    { (context, iterator) in
181
        usbDeviceCallback(context: context, iterator: iterator, eventType: "USBConnected")
182
    }, nil, &deviceAddedIter)
183
usbDeviceCallback(context: nil, iterator: deviceAddedIter, eventType: "USBConnected")
184

185
// Monitor device disconnections
186
IOServiceAddMatchingNotification(notifyPort, kIOTerminatedNotification, matchingDict,
187
    { (context, iterator) in
188
        usbDeviceCallback(context: context, iterator: iterator, eventType: "USBDisconnected")
189
    }, nil, &deviceRemovedIter)
190
usbDeviceCallback(context: nil, iterator: deviceRemovedIter, eventType: "USBDisconnected")
191

192
// Run the monitoring loop
193
CFRunLoopRun()

Note: For macOS 11 and earlier, replace kIOMainPortDefault with kIOMasterPortDefault.

Compile and Test#

1
# Compile the Swift script
2
swiftc /Library/Ossec/etc/USBMonitor.swift -o /Library/Ossec/etc/USBMonitor
3

4
# Test the executable
5
/Library/Ossec/etc/USBMonitor

Phase 2: Configure Wazuh Agent#

Forward USB Logs#

Add to /Library/Ossec/etc/ossec.conf:

1
<ossec_config>
2
  <localfile>
3
    <log_format>json</log_format>
4
    <location>/var/log/usb_monitor.log</location>
5
  </localfile>
6
</ossec_config>

Restart the agent:

1
/Library/Ossec/bin/wazuh-control restart

Phase 3: Automate with LaunchDaemon#

Create Launch Configuration#

Create /Library/LaunchDaemons/com.user.usbmonitor.plist:

1
<?xml version="1.0" encoding="UTF-8"?>
2
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
3
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
4
<plist version="1.0">
5
<dict>
6
    <key>Label</key>
7
    <string>com.user.usbmonitor</string>
8
    <key>ProgramArguments</key>
9
    <array>
10
        <string>/Library/Ossec/etc/USBMonitor</string>
11
    </array>
12
    <key>RunAtLoad</key>
13
    <true/>
14
    <key>KeepAlive</key>
15
    <true/>
16
</dict>
17
</plist>

Load the daemon:

1
launchctl load /Library/LaunchDaemons/com.user.usbmonitor.plist

Phase 4: Configure Wazuh Server#

Create Detection Rules#

Create /var/ossec/etc/rules/macos_usb_rules.xml:

1
<!-- rules for USB drives in macOS -->
2
<group name="macOS,usb-detect,">
3
  <!-- rule for connected USB drives -->
4
  <rule id="111060" level="7">
5
    <decoded_as>json</decoded_as>
6
    <field name="eventType">^USBConnected$</field>
7
    <description>macOS: USB drive $(deviceInfo.productName) was connected.</description>
8
  </rule>
9

10
  <!-- rule for disconnected USB drives -->
11
  <rule id="111062" level="7">
12
    <decoded_as>json</decoded_as>
13
    <field name="eventType">^USBDisconnected$</field>
14
    <description>macOS: USB drive $(deviceInfo.productName) was disconnected.</description>
15
  </rule>
16
</group>

Restart Wazuh manager:

1
systemctl restart wazuh-manager

Advanced Configuration#

Filtering Authorized vs Unauthorized USB Drives#

Create CDB List#

Create /var/ossec/etc/lists/usb-drives with authorized serial numbers:

1
234567890126:
2
345678901237:
3
456789012348:

Update Configuration#

Add to /var/ossec/etc/ossec.conf:

1
<ruleset>
2
  <!-- Existing configuration -->
3
  <list>etc/lists/usb-drives</list>
4
</ruleset>

Enhanced Detection Rules#

Update /var/ossec/etc/rules/macos_usb_rules.xml:

1
<!-- rules for USB drives in macOS -->
2
<group name="macOS,usb-detect,">
3
  <!-- rule for connected USB drives -->
4
  <rule id="111060" level="5">
5
    <decoded_as>json</decoded_as>
6
    <field name="eventType">^USBConnected$</field>
7
    <description>macOS: USB drive $(deviceInfo.productName) was connected.</description>
8
  </rule>
9

10
  <!-- rule for connected unauthorized USB drives -->
11
  <rule id="111061" level="8">
12
    <if_sid>111060</if_sid>
13
    <list field="deviceInfo.kUSBSerialNumberString" lookup="not_match_key">
14
      etc/lists/usb-drives
15
    </list>
16
    <description>macOS: Unauthorized USB drive $(deviceInfo.productName) was connected.</description>
17
  </rule>
18

19
  <!-- rule for disconnected USB drives -->
20
  <rule id="111062" level="5">
21
    <decoded_as>json</decoded_as>
22
    <field name="eventType">^USBDisconnected$</field>
23
    <description>macOS: USB drive $(deviceInfo.productName) was disconnected.</description>
24
  </rule>
25

26
  <!-- rule for disconnected unauthorized USB drives -->
27
  <rule id="111063" level="8">
28
    <if_sid>111062</if_sid>
29
    <list field="deviceInfo.kUSBSerialNumberString" lookup="not_match_key">
30
      etc/lists/usb-drives
31
    </list>
32
    <description>macOS: Unauthorized USB drive $(deviceInfo.productName) was disconnected.</description>
33
  </rule>
34
</group>

Additional Security Rules#

1
<!-- Advanced USB monitoring rules -->
2
<group name="macOS,usb-detect,">
3
  <!-- Detect specific vendor devices -->
4
  <rule id="111064" level="9">
5
    <if_sid>111060</if_sid>
6
    <field name="deviceInfo.vendorName">^(Unknown|Suspicious)$</field>
7
    <description>macOS: Suspicious USB vendor detected: $(deviceInfo.vendorName)</description>
8
  </rule>
9

10
  <!-- Detect devices without serial numbers -->
11
  <rule id="111065" level="7">
12
    <if_sid>111060</if_sid>
13
    <field name="deviceInfo.kUSBSerialNumberString">^$</field>
14
    <description>macOS: USB device without serial number connected</description>
15
  </rule>
16

17
  <!-- Multiple USB connections alert -->
18
  <rule id="111066" level="8" frequency="5" timeframe="60">
19
    <if_sid>111060</if_sid>
20
    <description>macOS: Multiple USB devices connected in short time</description>
21
  </rule>
22
</group>

Monitoring and Response#

Real-time Dashboard Monitoring#

1
flowchart TB
2
    subgraph "Wazuh Dashboard"
3
        D1[USB Activity Overview]
4
        D2[Unauthorized Devices]
5
        D3[Device History]
6
        D4[Alert Timeline]
7
    end
8

9
    subgraph "Alert Categories"
10
        A1[Connected Devices]
11
        A2[Disconnected Devices]
12
        A3[Unauthorized Access]
13
        A4[Suspicious Activity]
14
    end
15

16
    D1 --> A1
17
    D2 --> A3
18
    D3 --> A1
19
    D3 --> A2
20
    D4 --> A4
21

22
    style D2 fill:#ff6b6b
23
    style A3 fill:#ff6b6b
24
    style A4 fill:#ffd43b

Alert Examples#

Authorized USB Connection#

1
{
2
  "eventType": "USBConnected",
3
  "timestamp": "2024-02-02T10:15:30.123+00:00",
4
  "deviceInfo": {
5
    "kUSBVendorID": "0781",
6
    "vendorName": "SanDisk Corp.",
7
    "kUSBProductID": "5581",
8
    "productName": "Ultra",
9
    "kUSBSerialNumberString": "234567890126"
10
  }
11
}

Unauthorized USB Detection#

1
{
2
  "eventType": "USBConnected",
3
  "timestamp": "2024-02-02T10:20:45.456+00:00",
4
  "deviceInfo": {
5
    "kUSBVendorID": "abcd",
6
    "vendorName": "Unknown",
7
    "kUSBProductID": "1234",
8
    "productName": "Mass Storage",
9
    "kUSBSerialNumberString": "999888777666"
10
  }
11
}

Troubleshooting#

Common Issues and Solutions#

Issue 1: Swift Compilation Errors#

1
# Check Swift version
2
swiftc --version
3

4
# For older macOS versions, update IOKit references
5
# Replace: kIOMainPortDefault
6
# With: kIOMasterPortDefault

Issue 2: USB IDs File Encoding#

1
# Fix encoding issues
2
iconv -f iso-8859-1 -t utf-8 /Library/Ossec/etc/usb.ids > usb-utf8.ids
3
mv usb-utf8.ids /Library/Ossec/etc/usb.ids

Issue 3: Permission Denied#

1
# Fix log file permissions
2
sudo chmod 640 /var/log/usb_monitor.log
3
sudo chown root:wheel /var/log/usb_monitor.log
4

5
# Fix executable permissions
6
sudo chmod 755 /Library/Ossec/etc/USBMonitor

Issue 4: LaunchDaemon Not Running#

1
# Check daemon status
2
launchctl list | grep usbmonitor
3

4
# Reload if needed
5
launchctl unload /Library/LaunchDaemons/com.user.usbmonitor.plist
6
launchctl load /Library/LaunchDaemons/com.user.usbmonitor.plist
7

8
# Check logs
9
tail -f /var/log/system.log | grep USBMonitor

Best Practices#

1. USB Security Policy#

1
USB Security Policy:
2
  Authorized Devices:
3
    - Maintain whitelist of serial numbers
4
    - Regular audit of authorized devices
5
    - Document business justification
6

7
  Monitoring:
8
    - Real-time alerts for all connections
9
    - Daily reports of USB activity
10
    - Weekly review of unauthorized attempts
11

12
  Response:
13
    - Immediate alert for unauthorized devices
14
    - Automatic incident ticket creation
15
    - User notification and education

2. Integration with SOAR#

1
# Example: Wazuh to SOAR integration for USB alerts
2
def process_usb_alert(alert):
3
    if alert['rule']['id'] == '111061':  # Unauthorized USB
4
        # Create security incident
5
        incident = {
6
            'title': f"Unauthorized USB: {alert['data']['deviceInfo']['productName']}",
7
            'severity': 'high',
8
            'host': alert['agent']['name'],
9
            'serial': alert['data']['deviceInfo']['kUSBSerialNumberString']
10
        }
11

12
        # Trigger automated response
13
        if is_critical_system(alert['agent']['name']):
14
            disable_usb_ports(alert['agent']['ip'])
15
            notify_security_team(incident)

3. Compliance Reporting#

Generate compliance reports for USB activity:

1
#!/bin/bash
2
# Generate monthly USB activity report
3

4
echo "=== Monthly USB Activity Report ==="
5
echo "Generated: $(date)"
6
echo ""
7

8
# Authorized USB connections
9
echo "Authorized USB Connections:"
10
curl -k -u admin:admin \
11
  "https://wazuh-server:55000/security/events?rule.id=111060&time_frame=30d" | \
12
  jq '.data.affected_items[] | select(.data.deviceInfo.kUSBSerialNumberString as $s |
13
    ["234567890126", "345678901237"] | index($s))'
14

15
# Unauthorized attempts
16
echo -e "\nUnauthorized USB Attempts:"
17
curl -k -u admin:admin \
18
  "https://wazuh-server:55000/security/events?rule.id=111061&time_frame=30d" | \
19
  jq '.data.affected_items[]'

Performance Optimization#

1. Log Rotation#

Configure log rotation for USB monitor logs:

1
/var/log/usb_monitor.log    640  5  1000  *  J

2. Memory Management#

Monitor Swift process memory usage:

1
# Check memory usage
2
ps aux | grep USBMonitor
3

4
# Add memory limits to plist if needed
5
<key>HardResourceLimits</key>
6
<dict>
7
    <key>AS</key>
8
    <integer>104857600</integer>  <!-- 100MB limit -->
9
</dict>

Use Cases#

1. Data Loss Prevention#

1
<rule id="111067" level="10">
2
  <if_sid>111060</if_sid>
3
  <field name="deviceInfo.productName">~(External|Portable|Backup)</field>
4
  <time>8:00-18:00</time>
5
  <description>macOS: High-capacity storage device connected during business hours</description>
6
  <options>alert_by_email</options>
7
</rule>

2. Forensic Investigation#

1
-- Query USB activity for specific timeframe
2
SELECT
3
    timestamp,
4
    agent.name as hostname,
5
    data.deviceInfo.productName as device,
6
    data.deviceInfo.kUSBSerialNumberString as serial,
7
    rule.description
8
FROM
9
    wazuh-alerts-*
10
WHERE
11
    rule.groups CONTAINS 'usb-detect'
12
    AND timestamp >= '2024-02-01'
13
    AND timestamp <= '2024-02-02'
14
ORDER BY
15
    timestamp DESC;

3. Insider Threat Detection#

1
# Detect unusual USB activity patterns
2
def detect_usb_anomalies(agent_id, timeframe='7d'):
3
    # Get baseline USB activity
4
    baseline = get_usb_baseline(agent_id)
5

6
    # Get current activity
7
    current = get_current_usb_activity(agent_id, timeframe)
8

9
    # Detect anomalies
10
    if current['unique_devices'] > baseline['avg_devices'] * 2:
11
        alert("Unusual number of USB devices detected")
12

13
    if current['after_hours_connections'] > baseline['after_hours_avg']:
14
        alert("Suspicious after-hours USB activity")

Conclusion#

Implementing USB monitoring on macOS with Wazuh provides organizations with:

✅ Complete visibility into USB device usage
🔒 Enhanced security through real-time threat detection
📊 Compliance support with detailed audit trails
🚀 Automated response capabilities
🛡️ Protection against data exfiltration and malware

By combining macOS’s IOKit framework with Wazuh’s powerful SIEM capabilities, organizations can maintain a robust security posture against USB-based threats while enabling legitimate business use of removable media.

Key Takeaways#

Swift Integration: Leverage macOS native frameworks for deep system integration
Real-time Monitoring: Capture all USB events as they occur
Policy Enforcement: Implement whitelist/blacklist controls
Automated Response: React immediately to security violations
Comprehensive Logging: Maintain detailed forensic evidence

Resources#

Secure your Mac fleet against USB threats. Monitor, detect, respond! 🍎🛡️