CSA 5.2: Logging removable media

JayB1rd76 · ‎02-10-2010

We are currently using CSA 5.2 and I'm trying to figure out a way to log whenever a user attempts to use removable media on the network. Specifically, USB flash drives. I know there is already a data theft prevention module that protects sensitive data and applications, but I'm trying to log any and all access, even if they just plug the drive in and do nothing with it. Is this even possible? If not, is it possible with newer versions?

Thank you,

Jason

tsteger1 · ‎02-18-2010

Create a file set called USB

Directories:

Include

@removable:\**

Exclude

@floppy:\**
@cd:\**
@network:\**

Files

Create a File Access Control rule and set it to monitor this file set and you should see all USB drives plugged in to your hosts.

Tom

JayB1rd76 · ‎02-26-2010

Thanks Tom,

I'm pretty sure I tried something similar before, but I tried it exactly as you've shown here and I still get nothing. I tried plugging a usb drive into a pc while logged in as a regular user and CSA still didn't pick anything up. I've attached a screenshot of the rule as I created it. What I was unsure of was what I should set the enforcement action as and what to set the Application Class as:

In this case I've set the Application Class as "All Applications" and "Applications on Removable Media" . In both cases, I couldn't get CSA to detect anything for USB drives.

Thanks again,

Jason

tsteger1 · ‎03-01-2010

It would need to be and the fileset would need to be as I described it.

It is working for me on 5.2.262.

Here are screenshots of my rule and fileset.

JayB1rd76 · ‎03-08-2010

I set mine up exactly as your screenshots show. Still nothing. I'm using 5.2.203. I think it may be that I need to update our version.

tsteger1 · ‎03-08-2010

Well, I can't explain it.

You can check the release notes to see if something like that was fixed in later versions.

You may also have something else stepping on it.