Anyone know how to audit/monitor USB devices through Casper

Phil
New Contributor

I have a business requirement to monitor USB devices, in particular data sticks and external drives, connected to our Macs, not to disable or review the content.

Simply to record the sort of info (see below) returned when I run

''system_profiler SPUSBDataType''

through ARD.

I may also need to gather data on the size of the data transferred and generate a report on the results.

Most of our users are on Snow Leopard 10.6x, though we are about to roll out some Lion hardware.

It occurs to me I cannot be the only person required to do something like this.

Any help or pointers gratefully received.

Cheers
Phil

>>>>>>>>>>>>>>>>>>>>>>
External HDD :

  Capacity: 250.06 GB (250,059,350,016 bytes)
  Removable Media: Yes
  Detachable Drive: Yes
  BSD Name: disk2
  Product ID: 0x0704
  Vendor ID: 0x1058 (Western Digital Technologies, Inc.)
  Version: 1.05
  Serial Number: 575848393038393536323631
  Speed: Up to 480 Mb/sec
  Manufacturer: Western Digital
  Location ID: 0xfd100000 / 4
  Current Available (mA): 500
  Current Required (mA): 2
  Partition Map Type: GPT (GUID Partition Table)
  S.M.A.R.T. status: Not Supported
  Volumes:
      Capacity: 209.7 MB (209,715,200 bytes)
      Writable: Yes
      BSD Name: disk2s1
    Boot:
      Capacity: 32.77 GB (32,766,398,464 bytes)
      Available: 18.53 GB (18,528,997,376 bytes)
      Writable: Yes
      File System: Journaled HFS+
      BSD Name: disk2s2
      Mount Point: /Volumes/Boot
    Data :
      Capacity: 216.81 GB (216,814,759,936 bytes)
      Available: 172.73 GB (172,730,023,936 bytes)
      Writable: Yes
      File System: Journaled HFS+
      BSD Name: disk2s3
      Mount Point: /Volumes/Data


mm2270
Legendary Contributor III

Someone here may come up with some cool method, but that seems like a tall order. For one, system_profiler's output is such that gleaning the part you want from it is a PITA. Grep doesn't work well unless you also use the -A NUM option and capture a number of lines after your grep'ed expression, such as "Flash" or "External".
Problem is, the exact number of lines to grab can be variable, so it might be hard to get that to work without getting some extra garbage that has to go through further processing.

Then there's the issue of where to store it. Export to xml and upload to a server in the background perhaps? You can't drop that info into an EA since they can't handle that many lines of output.

It would be nice if system_profiler had some more flags for this, something like:

'system_profiler SPUSBDataType -externalOnly' and grab any external devices plugged into the USB hub.

jarednichols
Honored Contributor

You could use sed with start and end flags to capture information between known lines. Then use the jamf binary to mount a dropbox and copy the resulting file to it.
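An added example (not code from any poster in this thread) of the block-aware parsing the two replies above are circling around: rather than `grep -A NUM` or a fixed sed range, it tracks indentation so each device's fields are captured however many lines they span, and only devices with a device-level BSD Name are reported. The function names and the indentation layout of the sample are assumptions; the disk values are the ones in the original post.

```shell
# stdin: system_profiler SPUSBDataType text; stdout: name|capacity_bytes|vendor_id|serial|bsd_name
usb_storage_summary() {
  awk '
    function emit() {       # a device-level BSD Name marks a storage device
      if (bsd != "") print name "|" cap "|" vendor "|" serial "|" bsd
      name = cap = vendor = serial = bsd = ""
    }
    {
      line = $0; sub(/^ */, "", line); indent = length($0) - length(line)
      sub(/ *$/, "", line); if (line == "") next
    }
    line ~ /:$/ {                                # heading: no value after colon
      if (in_vol && indent > vol_indent) next    # volume name, not a device
      in_vol = 0
      if (line == "Volumes:") { in_vol = 1; vol_indent = indent; next }
      emit(); name = line; sub(/ *:$/, "", name); next
    }
    in_vol && indent > vol_indent { next }       # skip per-volume fields
    {
      key = line; sub(/:.*$/, "", key)
      val = line; sub(/^[^:]*: */, "", val)
      if (key == "BSD Name") bsd = val
      else if (key == "Serial Number") serial = val
      else if (key == "Vendor ID") { sub(/ .*$/, "", val); vendor = val }
      else if (key == "Capacity") {              # keep only the exact byte count
        split(val, p, /[()]/); cap = p[2]; gsub(/[^0-9]/, "", cap)
      }
    }
    END { emit() }
  '
}
# Constructed sample: the layout is assumed, the disk values are from the post.
sample_profile() {
  cat <<'EOF'
    USB High-Speed Bus:
        Keyboard Hub:
          Vendor ID: 0x05ac (Apple Inc.)
        External HDD :
          Capacity: 250.06 GB (250,059,350,016 bytes)
          BSD Name: disk2
          Vendor ID: 0x1058 (Western Digital Technologies, Inc.)
          Serial Number: 575848393038393536323631
          Volumes:
            Boot:
              Capacity: 32.77 GB (32,766,398,464 bytes)
              BSD Name: disk2s2
EOF
}
sample_profile | usb_storage_summary
```

On a Mac the same function takes live data with `system_profiler SPUSBDataType | usb_storage_summary`; each output line is short enough to append to a log file on a server.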

rockpapergoat
Contributor III

do you need *all* of that detail or just some?

what about using the jss's api to dump it into the db as a separate table or something?

Phil
New Contributor

rockpapergoat - You're right, I do not need *all* the detail, if possible just

Device Type
Device Size

And possibly 'volume of data transfer'

Hate to admit it but I think I'll fall back on known ground and run a scheduled report from ARD, dump the result to a file on a Mac server, then grep the results.

Or simply schedule a script based around the command

''diskutil list''

and run from ARD.

I'd hoped I'd find a more elegant solution within Casper.

Cheers
Phil

rockpapergoat
Contributor III

in the past, people who know casper exists but aren't familiar enough with how it works have asked me questions prefaced with "can casper do this…?"

there's a lot built into the casper suite, but for a lot of tasks, you have to make it go. i see it as mostly a central mechanism for collecting inventory and executing tasks. it's not really configuration management in the sense i think it should be done, more like some level of orchestration. if you're using ARD now, think of it along the same lines but with pull from clients instead of pushes.

cobble together something that works to get the details you need, then integrate it with casper.

jarednichols
Honored Contributor

+1 to Nate

Casper (and you'll often hear JAMFs describe it like this) is the framework from which you hang the moving pieces. It's not the moving pieces but rather what it all attaches to.

If you think of Casper as just the piece that wrangles together what your Macs already do, I think you'll be in a better head-space as to what it can do for you.

For instance, if you've got Terminal configured with the "Active process name" box checked in the window settings, run a "jamf recon" and keep an eye on the Terminal window title. You'll see it cycle through commands your Mac already has to collect the inventory. It's just wrangling. :)

Casper gives you centrally administered admin access on your boxes. Go from there.