Security Audit Of External Storage Devices

tkimpton
Valued Contributor II

Problem

Trying to find out the risk of external storage devices is very challenging.

Looking at the machine's inventory in the JSS under Storage will only show the external storage devices captured at that time.

If a user plugs in a USB flash drive, for example, and recon hasn't run because it is set to run weekly or at an out-of-hours time, then this will never be picked up (not even in an extension attribute).

Solution

A script triggered by a launch daemon every time a volume is mounted to record it to a txt file, and an extension attribute (thanks very much Ryan) to read the text file when recon runs.

Script

#!/bin/bash

####################################################################### Description ##################################################################
#                                                                                                                                                    #
# This writes a txt file of USB and FireWire storage devices plugged in to the machine so that security vulnerabilities can be assessed.             #
#                                                                                                                                                    #
# The txt file is created by a launch daemon to run this script when a volume is mounted and acts as a trigger.                                      #
#                                                                                                                                                    #
# The txt file will then be uploaded to the jss when a recon inventory runs and is collected via an extension attribute to read the txt file.        #
#                                                                                                                                                    #
######################################################################################################################################################

####################################################################### Setting Environment Variables#################################################

# Mount point, capacity and partition map details of any USB storage attached right now
USB=`system_profiler SPUSBDataType | egrep 'Mount Point:|Capacity:|Available:|Partition Map Type:'`

# The same details for FireWire storage
FW=`system_profiler SPFireWireDataType | egrep 'Capacity:|Available:|Mount Point|File System:'`

# Working copy of the log while this run appends to it
DUMP_FILE="/var/tmp/drives.txt"

# Where the log lives between runs (readable by root and admin only, see the end of the script)
DUMP_FOLDER="/var/tmp/external_drives_monitor"

Date=`date "+%d-%m-%y_%H.%M"`

# The owner of /dev/console is whoever is logged in at the GUI (root if nobody is)
ConsoleUser=`stat -f %Su /dev/console`

ECHO="/bin/echo"

######################################################################################################################################################

# Check to see if drives.txt exists in the DUMP_FOLDER. If it does, move it to DUMP_FILE so that this run appends to it instead of starting a new file.
if [ -f "${DUMP_FOLDER}/drives.txt" ]
then
    mv "${DUMP_FOLDER}/drives.txt" "${DUMP_FILE}"

# If the drives.txt doesn't exist just echo this
else
    echo "drives.txt doesn't exist!"
fi

# Making the directory if it doesn't exist (-p keeps mkdir quiet when it already does)
mkdir -p "${DUMP_FOLDER}"

# Pause 2 seconds
sleep 2

# Check to see if there is a USB storage device and if so write it to the txt file
if system_profiler SPUSBDataType | grep -q Capacity:
then
    ${ECHO} "${Date}" >> "${DUMP_FILE}"
    ${ECHO} "${ConsoleUser}" >> "${DUMP_FILE}"
    ${ECHO} "${USB}" >> "${DUMP_FILE}"
    ${ECHO} >> "${DUMP_FILE}"
fi

# Pause 2 seconds
sleep 2

# Check to see if there is a FireWire storage device and if so write it to the txt file
if system_profiler SPFireWireDataType | grep -q Capacity:
then
    ${ECHO} "${Date}" >> "${DUMP_FILE}"
    ${ECHO} "${ConsoleUser}" >> "${DUMP_FILE}"
    ${ECHO} "${FW}" >> "${DUMP_FILE}"
    ${ECHO} >> "${DUMP_FILE}"
fi

# Pause 2 seconds
sleep 2

# Moving the txt file to the DUMP_FOLDER (only exists if something was written above or carried over)
if [ -f "${DUMP_FILE}" ]
then
    mv "${DUMP_FILE}" "${DUMP_FOLDER}/drives.txt"
fi

# For security, change ownership and the read, write and execute permissions of the DUMP_FOLDER and all files within it so that only root and group admin have access
chown -R root:admin "${DUMP_FOLDER}"
chmod -R 770 "${DUMP_FOLDER}"

exit 0

Extension Attribute

#!/bin/bash

LOG="/var/tmp/external_drives_monitor/drives.txt"

# Flatten the log onto one line; embedded newlines would break the <result> tags the JSS expects
if [ -f "${LOG}" ]
then
    drives=`tr "\n" " " < "${LOG}"`
else
    drives="No external drives recorded"
fi

echo "<result>$drives</result>"
exit 0

Managing the massive text file

Because any USB or FireWire storage device gets written to the text file every time a volume is mounted, after a while this can get quite large.

This can be controlled by running a script to archive them to another location. I use an /etc/weekly.local file which runs after the inbuilt periodic weekly script. This is fine because the machines are set to power up at 3am and shut down at 06.30 every day.

The Script

#!/bin/bash

####################################################################### Description ##################################################################
#                                                                                                                                                    #
# This moves the drives.txt to an archive location on a weekly basis triggered by the /etc/weekly.local maintenance script.                          #
#                                                                                                                                                    #
######################################################################################################################################################

####################################################################### Setting Environment Variables#################################################

ARCHIVE_FOLDER="/var/tmp/weekly_drives_monitor_archive"

DUMP_FOLDER="/var/tmp/external_drives_monitor"

DUMP_FILE="/var/tmp/external_drives_monitor/drives.txt"

DATE=`date "+%d-%m-%y_%H.%M"`

######################################################################################################################################################

# Making the archive directory if it doesn't exist (-p keeps mkdir quiet when it already does)
mkdir -p "${ARCHIVE_FOLDER}"

# Pause 2 seconds
sleep 2

# Moving the txt file to the ARCHIVE_FOLDER with the date in its name; nothing to do if no volume was mounted since the last archive run
if [ -f "${DUMP_FILE}" ]
then
    mv "${DUMP_FILE}" "${ARCHIVE_FOLDER}/${DATE}_drive.txt"
else
    echo "drives.txt doesn't exist, nothing to archive"
fi

# Pause 2 seconds
sleep 2

# For security, change ownership and the read, write and execute permissions of the ARCHIVE_FOLDER and all files within it so that only root and group admin have access
chown -R root:admin "${ARCHIVE_FOLDER}"
chmod -R 770 "${ARCHIVE_FOLDER}"

exit 0
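The extension attribute above hands the JSS the raw drives.txt, which after a few mounts is a long run of system_profiler lines. The following is an added example, not part of the original post, showing how the records that the mount-triggered script writes (timestamp line, console user line, the egrep'd system_profiler lines, blank line) can be reduced to one line per mount event: date, user, mount point and capacity. The sample log is constructed to match that layout; the function names summarize_mounts, summarize_sample, users_in_sample and count_mounts_for are assumptions of this example and do not exist in the post's scripts. It runs with plain sh and awk, so it can be tested off a Mac.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the drives.txt log written
# by the volume-mount script into one line per mount event.

# Constructed sample in the layout the mount-triggered script produces: a date line,
# the console user, then the egrep'd system_profiler lines, then a blank separator.
SAMPLE_LOG='12-03-14_09.15
jsmith
          Partition Map Type: MBR (Master Boot Record)
          Capacity: 15.5 GB (15,518,924,800 bytes)
          Available: 10.2 GB (10,200,000,000 bytes)
          Mount Point: /Volumes/UNTITLED

12-03-14_13.42
jsmith
          Partition Map Type: GPT (GUID Partition Table)
          Capacity: 500 GB (500,107,862,016 bytes)
          Available: 120 GB (120,000,000,000 bytes)
          Mount Point: /Volumes/Backup

13-03-14_08.05
asmith
          Partition Map Type: MBR (Master Boot Record)
          Capacity: 8.0 GB (8,000,000,000 bytes)
          Available: 7.9 GB (7,900,000,000 bytes)
          Mount Point: /Volumes/KINGSTON
'

# Read a drives.txt log on stdin and print "date|user|mountpoint|capacity" per volume.
# A record may list several volumes (system_profiler prints Capacity before Mount Point
# for each one), so a line is emitted for every Mount Point seen within the record.
summarize_mounts() {
    awk '
        /^[ \t]*$/        { date = ""; user = ""; cap = ""; next }   # blank line closes the record
        date == ""        { date = $0; next }                        # first line is the timestamp
        user == ""        { user = $0; next }                        # second line is the console user
        /Capacity:/       { sub(/^[ \t]*Capacity:[ \t]*/, ""); cap = $0; next }
        /Mount Point:/    {
            sub(/^[ \t]*Mount Point:[ \t]*/, "")
            printf "%s|%s|%s|%s\n", date, user, $0, cap
            cap = ""
        }
    '
}

# Run the summary over the constructed sample (a real deployment would read the log file).
summarize_sample() {
    printf '%s' "$SAMPLE_LOG" | summarize_mounts
}

# Distinct console users who had an external volume mounted, space separated.
users_in_sample() {
    summarize_sample | cut -d'|' -f2 | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Number of mount events recorded for one user.
count_mounts_for() {
    summarize_sample | awk -F'|' -v u="$1" '$2 == u { n++ } END { print n + 0 }'
}

# Usage: print the per-event summary, which is what I would have the extension attribute report.
summarize_sample
```

The summary keeps the same ownership question the post is after (which user had which volume attached, and when) but is short enough to read in the JSS or to compare against a list of approved devices by mount point name.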