Monday, June 5, 2017

Monitor USB Devices: USB Canary

12:37 PM

Monitor USB Devices for potential security breach

USB Canary is a Linux tool that uses pyudev to monitor USB devices while your computer is locked. If it detects someone plugging in or unplugging a device, it can be configured to send you an SMS or alert you via Slack about the potential security breach.





Prerequisites

slackclient – A basic client for Slack.com, which can optionally connect to the Slack Real Time Messaging (RTM) API.
twilio – A Python module for communicating with the Twilio API and generating TwiML
pyudev – Python bindings to libudev (with support for PyQt4, PySide, pygobject and wx)
sander-daemon – Jejik daemon class improved by Server Density
These can all be installed via pip; in some cases you may need to run pip with sudo. You can install the packages as follows:

pip install slackclient
pip install twilio
pip install pyudev
pip install sander-daemon
Alternatively, you can just run pip install -r requirements.txt

You will also need to install the Python apt library through apt (which doesn’t get confusing fast). This can be done as follows:

sudo apt install python-apt
This library provides access to almost every functionality supported by the underlying apt-pkg and apt-inst libraries. On Debian Jessie it may come with the install, but double check to make sure it’s there.



Installing

Before running USB Canary, you will need to configure your settings.json file, which should be located in the root directory. If it is not found here, you will encounter an IOError.

An example settings.json file:

{
  "settings": {
    "slack": {
      "api_key": "xoxb-111111111111-abcdefghijklmnopqrstuvwx",
      "botname": "slack bot name"
    },
    "twilio": {
      "auth_token": "l7cy56u3Nys72vPNRS8TAbaW3X1Ap4ma",
      "account_sid": "wP32p6qFNzJ25FD1IKM0YtX629eoHbrMiV",
      "twilio_number": "+61491570156",
      "mobile_number": "+61491570157"
    },
    "general": {
      "paranoid": true,
      "screensaver": "xscreensaver",
      "slack": false,
      "twilio": true
    }
  }
}
Note that paranoid, slack, and twilio are boolean values and should be set to true or false. If the file is formatted incorrectly and cannot be parsed, you will get a ValueError. You can use JSONLint if you find yourself having issues with this.

USB Canary is sort of smart and can ‘detect’ whether you are running XScreenSaver or gnome-screensaver on your computer. It does this by checking which packages are installed via the apt library. If both of them are installed, it will leave you to determine which one you are using. If you have an unsupported screensaver, don’t fret: you can still run it in paranoid mode.

Paranoid mode is also suitable for people who want to monitor whether their servers have had USB devices plugged into them. Although I haven’t tested it on Linode, Amazon Web Services, or Digital Ocean, it is suitable for those with physical servers that may need this sort of monitoring.
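A pre-flight check for settings.json, added here as an example and not part of USB Canary's own code: it reports the IOError and ValueError cases described above, non-boolean flags, an enabled alert channel with missing credentials, and an unsupported screensaver without paranoid mode. Assumptions: the function name check_settings is hypothetical, the accepted screensaver values are taken to be the two package names mentioned above, and the file-permission check is an added hardening step because the file stores API secrets.

```python
import json
import os
import stat

# Key names are taken from the sample settings.json on this page.
REQUIRED = {
    "slack": ("api_key", "botname"),
    "twilio": ("auth_token", "account_sid", "twilio_number", "mobile_number"),
}
# Assumption: valid "screensaver" values are the two package names the page mentions.
SCREENSAVERS = ("xscreensaver", "gnome-screensaver")


def check_settings(path="settings.json"):
    """Return a list of problems found in the settings file (empty list = OK)."""
    try:
        with open(path) as fh:
            settings = json.load(fh)["settings"]
        general = dict(settings["general"])
    except IOError as exc:  # missing or unreadable file
        return ["cannot read %s: %s" % (path, exc)]
    except (ValueError, KeyError, TypeError) as exc:  # ValueError = malformed JSON
        return ["cannot parse %s: %r" % (path, exc)]

    problems = []
    # Added hardening check: the file holds Slack and Twilio secrets.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("file is accessible to other users; run chmod 600")

    for flag in ("paranoid", "slack", "twilio"):
        # JSON true/false load as bool; the string "true" or the number 1 do not.
        if not isinstance(general.get(flag), bool):
            problems.append("general.%s must be true or false" % flag)

    for channel, keys in REQUIRED.items():
        section = settings.get(channel)
        if general.get(channel) is True:
            for key in keys:
                if not (isinstance(section, dict) and section.get(key)):
                    problems.append("%s.%s missing but %s is enabled" % (channel, key, channel))

    if general.get("paranoid") is not True and general.get("screensaver") not in SCREENSAVERS:
        problems.append("unsupported screensaver and paranoid mode is off")
    if general.get("slack") is not True and general.get("twilio") is not True:
        problems.append("no alert channel enabled")
    return problems
```

Run it against your settings.json before starting the daemon; an empty list means none of the checked problems were found.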

To start the application:

./usb_canary.py start | stop | restart
