监控 USB 闪存驱动器的历史记录

监控 USB 闪存驱动器的历史记录

我必须为我们的互联网服务器设置一个监控系统,以监控哪些 USB 闪存驱动器(笔式驱动器)被安装和卸载以及何时安装和卸载。(这是为了避免误用,并捕获哪个未经授权的设备已连接。)

有没有任何方法可以监控闪存驱动器信息,例如:a)序列号,b)制造商,c)型号,d)容量e)标签f)安装/卸载时间等,并存储它,以查看有关它的历史记录?

我知道有很多命令可以监控当前安装的 USB 设备。喜欢lsusblshw。但我如何存储这些信息。

答案1

嗯,据我所知,还没有现成的软件。但您可以编写自己的脚本,当从 USB 端口插入或拔出随身碟时,该脚本将会启动。如果您将其添加到以下内容,则该脚本将由 udev 运行/etc/udev/rules/99-local.rules

ACTION=="add|remove", SUBSYSTEM=="block", KERNEL=="sd*", RUN+="/usr/local/bin/usb-add.sh"

然后在此脚本中您将拥有以下环境变量:

ACTION=add (or remove)
DEVLINKS='/dev/disk/by-id/usb-TDK_LoR_TF10_0703293903BE2444-0:0 /dev/disk/by-path/pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0'
DEVNAME=/dev/sdf
DEVPATH=/devices/pci0000:00/0000:00:16.2/usb7/7-1/7-1.1/7-1.1:1.0/host14/target14:0:0/14:0:0:0/block/sdf
DEVTYPE=disk ← this is important to check in script
ID_BUS=usb ← this is important to check in script
ID_FS_TYPE=
ID_INSTANCE=0:0
ID_MODEL=TF10 ← model
ID_MODEL_ENC='TF10\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ID_MODEL_ID=070a
ID_PART_TABLE_TYPE=dos
ID_PART_TABLE_UUID=686bc5da
ID_PATH=pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0
ID_PATH_TAG=pci-0000_00_16_2-usb-0_1_1_1_0-scsi-0_0_0_0
ID_REVISION=PMAP
ID_SERIAL=TDK_LoR_TF10_0703293903BE2444-0:0
ID_SERIAL_SHORT=0703293903BE2444 ← serial number
ID_TYPE=disk
ID_USB_DRIVER=usb-storage
ID_USB_INTERFACES=:080650:
ID_USB_INTERFACE_NUM=00
ID_VENDOR=TDK_LoR ← vendor
ID_VENDOR_ENC='TDK\x20LoR\x20'
ID_VENDOR_ID=0718

您可以使用以下方法检查 U 盘:

fdisk -l ${DEVNAME}

获取容量和分区布局。并做各种类似的事情。您可以将信息存储在文件或数据库中。一切都取决于你。如果您愿意,您甚至可以通过发送 SCSI STOP UNIT 并从系统中删除该驱动器来拒绝对此设备的访问。

检查仅检查 USB 设备也很重要${ID_BUS}。检查这一点很重要,${DEVTYPE}因为还将为 USB 设备上的每个分区调用该脚本:

DEVLINKS='/dev/disk/by-id/usb-TDK_LoR_TF10_0703293903BE2444-0:0-part1 /dev/disk/by-label/BACKUPS /dev/disk/by-path/pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0-part1 /dev/disk/by-uuid/0FAA-E0EB'
DEVNAME=/dev/sdf1
DEVPATH=/devices/pci0000:00/0000:00:16.2/usb7/7-1/7-1.1/7-1.1:1.0/host18/target18:0:0/18:0:0:0/block/sdf/sdf1
DEVTYPE=partition
ID_BUS=usb
ID_FS_LABEL=BACKUPS ← filesystem label
ID_FS_LABEL_ENC=BACKUPS
ID_FS_TYPE=vfat
ID_FS_USAGE=filesystem
ID_FS_UUID=0FAA-E0EB
ID_FS_UUID_ENC=0FAA-E0EB
ID_FS_VERSION=FAT32
ID_INSTANCE=0:0
ID_MODEL=TF10
ID_MODEL_ENC='TF10\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ID_MODEL_ID=070a
ID_PART_ENTRY_DISK=8:80
ID_PART_ENTRY_NUMBER=1
ID_PART_ENTRY_OFFSET=2048
ID_PART_ENTRY_SCHEME=dos
ID_PART_ENTRY_SIZE=15104000 ← size ;)
ID_PART_ENTRY_TYPE=0xc
ID_PART_ENTRY_UUID=686bc5da-01
ID_PART_TABLE_TYPE=dos
ID_PART_TABLE_UUID=686bc5da
ID_PATH=pci-0000:00:16.2-usb-0:1.1:1.0-scsi-0:0:0:0
ID_PATH_TAG=pci-0000_00_16_2-usb-0_1_1_1_0-scsi-0_0_0_0
ID_REVISION=PMAP
ID_SERIAL=TDK_LoR_TF10_0703293903BE2444-0:0
ID_SERIAL_SHORT=0703293903BE2444
ID_TYPE=disk
ID_USB_DRIVER=usb-storage
ID_USB_INTERFACES=:080650:
ID_USB_INTERFACE_NUM=00
ID_VENDOR=TDK_LoR
ID_VENDOR_ENC='TDK\x20LoR\x20'
ID_VENDOR_ID=0718

${DEVTYPE}=disk也许在存储有关所有分区的信息时限制访问是一个好主意– ${DEVTYPE}=partition

HTH,干杯

答案2

您需要修改USB设备挂载和卸载的udev规则。

安装规则将从命令中获取输出,例如udevadm info -a -n device_name ; date

卸载规则也会使用类似的命令进行卸载。

(到目前为止,我无法编写确切的规则,因此仅给出您可以采取行动的方向)

答案3

您可以尝试在以下位置搜索 usb 相关信息“/var/log/系统日志”。每次连接 USB 设备时,此日志文件都会存储一条信息。例如,当我连接 USB 密钥时:

Sep  3 09:02:00 LIMLD005 kernel: [ 1612.825433] usb 1-1.5: new high-speed USB device number 4 using ehci-pci
Sep  3 09:02:00 LIMLD005 kernel: [ 1612.919570] usb 1-1.5: New USB device found, idVendor=13fe, idProduct=5200
Sep  3 09:02:00 LIMLD005 kernel: [ 1612.919577] usb 1-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Sep  3 09:02:00 LIMLD005 kernel: [ 1612.919581] usb 1-1.5: Product: DataTraveler 111
Sep  3 09:02:00 LIMLD005 kernel: [ 1612.919584] usb 1-1.5: Manufacturer: Kingston
Sep  3 09:02:00 LIMLD005 kernel: [ 1612.919587] usb 1-1.5: SerialNumber: 485B39D31C4CECC0D0000450
Sep  3 09:02:00 LIMLD005 kernel: [ 1612.919885] usb-storage 1-1.5:1.0: USB Mass Storage device detected
Sep  3 09:02:00 LIMLD005 kernel: [ 1612.920043] scsi10 : usb-storage 1-1.5:1.0
Sep  3 09:02:00 LIMLD005 mtp-probe: checking bus 1, device 4: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.5"
Sep  3 09:02:00 LIMLD005 mtp-probe: bus: 1, device: 4 was not an MTP device
Sep  3 09:02:01 LIMLD005 kernel: [ 1613.918015] scsi 10:0:0:0: Direct-Access     Kingston DataTraveler 111 PMAP PQ: 0 ANSI: 6
Sep  3 09:02:01 LIMLD005 kernel: [ 1613.918513] sd 10:0:0:0: Attached scsi generic sg6 type 0
Sep  3 09:02:01 LIMLD005 kernel: [ 1613.919043] sd 10:0:0:0: [sdf] 60599040 512-byte logical blocks: (31.0 GB/28.8 GiB)
Sep  3 09:02:01 LIMLD005 kernel: [ 1613.919817] sd 10:0:0:0: [sdf] Write Protect is off
Sep  3 09:02:01 LIMLD005 kernel: [ 1613.919823] sd 10:0:0:0: [sdf] Mode Sense: 45 00 00 00
Sep  3 09:02:01 LIMLD005 kernel: [ 1613.921062] sd 10:0:0:0: [sdf] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
Sep  3 09:02:01 LIMLD005 kernel: [ 1614.180902]  sdf: sdf1
Sep  3 09:02:01 LIMLD005 kernel: [ 1614.184007] sd 10:0:0:0: [sdf] Attached SCSI removable disk
Sep  3 09:02:02 LIMLD005 udisksd[2480]: Mounted /dev/sdf1 at /media/foobar/KINGSTON on behalf of uid 1000

您所要做的就是编写一个脚本来根据您的喜好使用这些信息。如以下命令行,它将为您提供基本信息:

grep usb-storage /var/log/syslog

相关内容