This report template was designed to detail USB drive usage. For information on how the Tenable USM product suite produces the data for the template, the YouTube video “SecurityCenter 4.2 USB Device Auditing” is very informative. The Tenable blog post “USB Device History Auditing with Nessus” is also a good source of information. The sample above was cut from one of three chapters in the template and depicts several USB drive insertions and removals on a handful of servers over the last 24 hours. To see a full report, use the Download Example link.
- April 18th 2012, version 1, SecurityCenter 4.4
- Required Tools: Nessus and LCE
- Download Example - USB Device Auditing and Realtime Monitoring
- Download Template - USB Device Auditing and Realtime Monitoring
You may wish to modify the report and remove chapters not currently relevant to your deployed USM product set.
The “LCE Realtime USB Drive Monitoring – Last 24 Hours” chapter lists the USB drive insertions and removals for the last 24 hours as reported by the LCE Windows agents. You may wish to modify the time frame to the last 7 days or longer.
The “Nessus USB Drives Enumeration – Currently Attached” chapter summarizes and details the Nessus plugin results for 24274, “USB Drives Enumeration (WMI)”. The Nessus plugin lists any attached USB drives at the time of auditing the host.
The “Nessus USB Device Usage – History” chapter summarizes and details the Nessus plugin results for 35730, “Microsoft Windows USB Device Usage Report”. The Nessus plugin lists USB devices that have been attached to the host in the past. It is likely, especially in a desktop environment, that this chapter will contain the most information.
Both chapters that use Nessus plugin results require credentialed Nessus scanning. Nessus plugin 35730 will report "first used" time stamps like those seen in the example report when the Nessus preference setting “thorough tests” is enabled:
After some research on the effect of thorough tests on internal, enterprise-wide Nessus scanning, you will very likely decide to build a dedicated, customized SecurityCenter 4 scan policy for USB auditing when detailed time stamp information is required.
It is worth noting that the USB events raised in LCE, as a result of the recently installed LCE Windows agents reporting on the handful of servers in the example report, triggered the more encompassing server_change event: