Usbrip: a tool for tracking USB devices


Among the everyday tasks a systems administrator usually performs (in addition to creating and recovering email passwords) is the maintenance and supervision of the equipment.

In general, to avoid many problems, the functionality of the equipment is limited in terms of application installation, and some restrictions are also applied within the business network. In these common tasks, many tend to underestimate the staff who use the equipment and apply only simple limitations.

Few systems administrators in charge of Linux computers compile the kernel themselves in order to enforce such restrictions, and USB ports are generally overlooked.

This is where a great tool that I found while surfing the net comes in. Its name is usbrip, which in the words of its creator:

"It is an open source forensic tool with a CLI interface that allows you to keep track of USB device artifacts (i.e. USB event history) on Linux machines"

usbrip lets you see this information clearly and quickly by analyzing the Linux logs. It is a small program written in pure Python 3 (using some external modules) that parses Linux log files (/var/log/syslog* or /var/log/messages*, depending on the distribution) to build tables of USB event history.

The information it provides includes: connection date and time, user, vendor ID, product ID, manufacturer, serial number, port, and disconnection date and time.

In addition, you can also:

  • Export the collected information as a JSON dump (and open such dumps, of course);
  • generate a list of authorized (trusted) USB devices as JSON (call it auth.json);
  • search for "violation" events based on auth.json: show (or generate another JSON with) the USB devices that appear in the history but do not appear in auth.json;
  • when installed with -s, create encrypted storages (7zip files) to back up and accumulate USB events automatically with the help of crontab. It can also look up additional details about a specific USB device based on its VID and/or PID.


How to install Usbrip on Linux?

Those interested in installing this tool must have Python 3 installed on their system, as well as pip (Python's package management system).

To install Usbrip just open a terminal and type the following command in it:

pip3 install usbrip
pip install terminaltables termcolor
pip install tqdm

Alternatively, you can download the project code and use the tool from there. To do this, just type in a terminal:

git clone https://github.com/snovvcrash/usbrip.git usbrip

Then enter the directory with:

cd usbrip

And create a virtual environment for the dependencies with:

python3 -m venv venv && source venv/bin/activate

Usbrip usage

Using this tool is relatively straightforward. To see the event history, just execute the following command:

usbrip events history

Or

python3 usbrip.py events history

The events will then be shown. They can also be filtered by day or by a specific range of dates.

E.g.

usbrip events history -e -d "Oct 10" "Oct 11" "Oct 12" "Oct 13" "Oct 14" "Oct 15"

Or

python3 usbrip.py events history -e -d "Oct 10" "Oct 11" "Oct 12" "Oct 13" "Oct 14" "Oct 15"

With this action, information on all external USB devices connected to the equipment during the period from Oct 10 to Oct 15 will be displayed.

Working with filters, there are four types of filtering available: only external USB events (devices that can be easily removed, -e); by date (-d); by fields (--user, --vid, --pid, --product, --manufact, --serial, --port); and by the number of entries returned in the output (-n).

To generate the JSON file of authorized devices from the event history:

usbrip events gen_auth /ruta/para/el/archivo.json -a vid pid -n 10 -d '2019-10-30'

Or

python3 usbrip.py events gen_auth /ruta/para/el/archivo.json -a vid pid -n 10 -d '2019-10-30'

This file will contain information on the first 10 devices connected on October 30, 2019.
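As an added illustration of the two ideas described above (parsing the syslog lines into USB events, and checking them against an auth.json of trusted devices), the following Python script is example code written for this article, not usbrip's own implementation. The log lines, the auth.json content and the simple matching rule (a device is flagged if its value for any attribute listed in auth.json is not trusted) are assumptions.

```python
import json
import re

# Constructed sample syslog lines in the kernel's USB attach/detach format;
# they are not captured from a real machine.
SAMPLE_SYSLOG = """\
Oct 30 09:12:01 host kernel: [  120.1] usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Oct 30 09:12:01 host kernel: [  120.3] usb 1-1: Product: Cruzer Blade
Oct 30 09:12:01 host kernel: [  120.3] usb 1-1: Manufacturer: SanDisk
Oct 30 09:12:01 host kernel: [  120.3] usb 1-1: SerialNumber: 4C530001
Oct 30 09:40:55 host kernel: [ 1854.0] usb 1-1: USB disconnect, device number 3
Oct 30 10:02:13 host kernel: [ 3131.0] usb 2-3: New USB device found, idVendor=046d, idProduct=c52b
Oct 30 10:02:13 host kernel: [ 3131.1] usb 2-3: Product: USB Receiver
Oct 30 10:02:13 host kernel: [ 3131.1] usb 2-3: Manufacturer: Logitech
"""

# Hypothetical auth.json: trusted values per attribute, like `gen_auth -a vid pid` would select.
AUTH_JSON = '{"vid": ["0781"], "pid": ["5567"]}'

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] usb (\S+): (.*)$")
FOUND_RE = re.compile(r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
ATTR_RE = re.compile(r"(Product|Manufacturer|SerialNumber): (.*)")
ATTR_KEYS = {"Product": "product", "Manufacturer": "manufact", "SerialNumber": "serial"}

def parse_events(syslog_text):
    """Build one event per device session: connect time, port, ids, names, disconnect time."""
    events, open_by_port = [], {}
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, port, msg = m.groups()
        if found := FOUND_RE.match(msg):
            ev = {"connected": stamp, "port": port, "vid": found.group(1), "pid": found.group(2),
                  "product": None, "manufact": None, "serial": None, "disconnected": None}
            events.append(ev)
            open_by_port[port] = ev          # later lines for this port belong to this session
        elif (attr := ATTR_RE.match(msg)) and port in open_by_port:
            open_by_port[port][ATTR_KEYS[attr.group(1)]] = attr.group(2)
        elif msg.startswith("USB disconnect") and port in open_by_port:
            open_by_port.pop(port)["disconnected"] = stamp
    return events

def find_violations(events, auth_json):
    """Return events whose value for any attribute listed in auth.json is not trusted."""
    auth = json.loads(auth_json)
    return [ev for ev in events if any(ev[k] not in allowed for k, allowed in auth.items())]

if __name__ == "__main__":
    for ev in find_violations(parse_events(SAMPLE_SYSLOG), AUTH_JSON):
        print(f"violation: {ev['connected']} port {ev['port']} {ev['vid']}:{ev['pid']} {ev['product']}")
```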

If you want to know more about the use of this tool you can check the following link.

