LinuxQuestions.org


vk.khurava 08-25-2012 10:58 AM

USB mass storage logs
 
Hello everyone,

I would really appreciate it if someone could quickly respond to my question.

Well, I am using RHEL v6.3 on my laptop, and I want to clear all USB device (mass storage/modem/flash drive, etc.) history from the OS, for devices I used in the past or am using currently.

I tried to delete all logs from "/var/log", especially messages*, but if I run the 2 commands below I still get results for USB devices I connected to my laptop, even after deleting /var/log.

sudo awk '/usb/ && (/Manufacturer/ || /Product/ ||/Serial/) && !/usb usb/ && !/New USB/' /var/log/messages*

sudo awk '/usb/ && /Product/ && !/usb usb/ && !/New USB/' /var/log/messages* |cut -f 8-12 -d ' ' |sort |uniq

Please help.

TB0ne 08-25-2012 02:16 PM

Quote:

Originally Posted by vk.khurava (Post 4763995)
Hello everyone,
I would really appreciate it if someone could quickly respond to my question.

Well, I am using RHEL v6.3 on my laptop, and I want to clear all USB device (mass storage/modem/flash drive, etc.) history from the OS, for devices I used in the past or am using currently. I tried to delete all logs from "/var/log", especially messages*, but if I run the 2 commands below I still get results for USB devices I connected to my laptop, even after deleting /var/log.

sudo awk '/usb/ && (/Manufacturer/ || /Product/ ||/Serial/) && !/usb usb/ && !/New USB/' /var/log/messages*
sudo awk '/usb/ && /Product/ && !/usb usb/ && !/New USB/' /var/log/messages* |cut -f 8-12 -d ' ' |sort |uniq

Please help.

Help with WHAT? Unless you turn off ALL system logging, the log files will continue to be filled with system events. And if you want a quick answer, call Red Hat support...you're paying for it, since you're using Red Hat Enterprise, right??

vk.khurava 08-25-2012 02:34 PM

Quote:

Originally Posted by TB0ne (Post 4764134)
Help with WHAT? Unless you turn off ALL system logging, the log files will continue to be filled with system events. And if you want a quick answer, call Red Hat support...you're paying for it, since you're using Red Hat Enterprise, right??

Thanks for your kind reply.
I am using the office Red Hat version, which is not paid for by me, and I can't ask them about this because it is not authorized. How can I turn off a particular system logging? If you know, please reply. I agree the logs will be filled, but I just cleaned the logs and did not plug in any USB device, so how come it is still showing some old logs? I think there is some other location where logs are also being captured.

TB0ne 08-25-2012 03:51 PM

Quote:

Originally Posted by vk.khurava (Post 4764158)
Thanks for your kind reply.
I am using the office Red Hat version, which is not paid for by me, and I can't ask them about this because it is not authorized.

Then you should NOT be using it. RHEL is a commercial, PAY FOR distribution. If you're not going to pay, then you should load CentOS, which is nearly identical, but free.
Quote:

How can I turn off a particular system logging? If you know, please reply. I agree the logs will be filled, but I just cleaned the logs and did not plug in any USB device, so how come it is still showing some old logs? I think there is some other location where logs are also being captured.
Spell out your words. If you want to turn off system logging, run "/etc/init.d/syslogd stop". Bear in mind, though, that unless you disable a LOT of system services (like automatic hardware discovery, etc.), then some things are going to run and tell you about what they do.

vk.khurava 08-25-2012 04:02 PM

......

vk.khurava 08-25-2012 04:04 PM

Quote:

Originally Posted by TB0ne (Post 4764214)
Then you should NOT be using it. RHEL is a commercial, PAY FOR distribution. If you're not going to pay, then you should load CentOS, which is nearly identical, but free.

Spell out your words. If you want to turn off system logging, run "/etc/init.d/syslogd stop". Bear in mind, though, that unless you disable a LOT of system services (like automatic hardware discovery, etc.), then some things are going to run and tell you about what they do.

OK!
Please tell me about the 2 commands mentioned above: how are these commands getting logs even after cleaning the messages log file? Is there any other location for logs? How can I completely clean my USB logs from RHEL so that no one can track what USB devices I have used in my RHEL?

TB0ne 08-25-2012 04:53 PM

Quote:

Originally Posted by vk.khurava (Post 4764224)
OK!
Please tell me about the 2 commands mentioned above: how are these commands getting logs even after cleaning the messages log file? Is there any other location for logs? How can I completely clean my USB logs from RHEL so that no one can track what USB devices I have used in my RHEL?

Again, you need to spell out your words. And again, unless you TOTALLY DISABLE LOGGING, things will be written to the log files. So deleting log files makes no difference at all. You need to be root to delete system logs, or disable system logging, and again, will have to disable hardware discovery, and other automatic services too. It is not a trivial thing.

And your question is a bit suspicious...if you are an administrator, you have root access, and can delete files and disable services...there's no need for you to hide what you've plugged in. If you're not, why are you asking about this?

vk.khurava 08-25-2012 11:26 PM

Quote:

Originally Posted by TB0ne (Post 4764250)
Again, you need to spell out your words. And again, unless you TOTALLY DISABLE LOGGING, things will be written to the log files. So deleting log files makes no difference at all. You need to be root to delete system logs, or disable system logging, and again, will have to disable hardware discovery, and other automatic services too. It is not a trivial thing.

And your question is a bit suspicious...if you are an administrator, you have root access, and can delete files and disable services...there's no need for you to hide what you've plugged in. If you're not, why are you asking about this?

You are not getting my point, dear.
I am the admin of my RHEL, but there is an audit coming soon at my office; that's why I want to clear all logs. Disabling all logging is not a good thought.

Try the above 2 commands in your Linux just after cleaning all logs; it will show you some logs indicating that you have used USB devices in your Linux.

My one and only question is: from where are these commands getting these logs, and how? Can I delete the logs which are generated by the above commands?

TB0ne 08-26-2012 08:41 AM

Quote:

Originally Posted by vk.khurava (Post 4764385)
You are not getting my point, dear.

Yes, I am...you are not understanding the answers.
Quote:

I am the admin of my RHEL, but there is an audit coming soon at my office; that's why I want to clear all logs. Disabling all logging is not a good thought.
Right...and saying this makes what you're asking even MORE suspicious. Why would you want/need to delete your logs if you're getting audited??? And you say in your first post that this is on your laptop...why would your personal laptop be audited?

I gave you the command above to stop your system logging. I told you that you'd have to disable hardware discovery too. Logs are typically in /var/log, but since you're an admin, you know that some services (like apache), can keep their logs in a separate sub-directory.
Quote:

Try the above 2 commands in your Linux just after cleaning all logs; it will show you some logs indicating that you have used USB devices in your Linux.
My one and only question is: from where are these commands getting these logs, and how? Can I delete the logs which are generated by the above commands?
Right...and I will AGAIN tell you that they're coming from the system log daemon, which (unless you stop it) will CONTINUE TO WRITE TO THE SYSTEM LOGS. You also could have logrotate running, which will create BACKUP log files. Unless you delete all of them, the simple search you ran will look at all the OLD message files too. As the admin, do you have logrotate running???

vk.khurava 08-26-2012 08:55 AM

Quote:

Originally Posted by TB0ne (Post 4764540)
Yes, I am...you are not understanding the answers.

Right...and saying this makes what you're asking even MORE suspicious. Why would you want/need to delete your logs if you're getting audited???

I gave you the command above to stop your system logging. I told you that you'd have to disable hardware discovery too. Logs are typically in /var/log, but since you're an admin, you know that some services (like apache), can keep their logs in a separate sub-directory.

Right...and I will AGAIN tell you that they're coming from the system log daemon, which (unless you stop it) will CONTINUE TO WRITE TO THE SYSTEM LOGS. You also could have logrotate running, which will create BACKUP log files. Unless you delete all of them, the simple search you ran will look at all the OLD message files too. As the admin, do you have logrotate running???

1. What are these separate sub-directories, and where are they?
2. System log daemon: OK with that, but if I delete all logs from /var/log then it should show a clear report, right?
3. What is logrotate and where does it keep backup files?
4. Is there any tool which can clear all logs (hidden or backed up)?

TB0ne 08-26-2012 09:52 AM

Quote:

Originally Posted by vk.khurava (Post 4764547)
1. What are these separate sub-directories, and where are they?

I gave you one above. Again, they COULD be in separate sub-directories...as an admin, you should know that you can configure services to log pretty much wherever you want. I suggest you look in the /var/log directory, and see the sub-directories in there.
Quote:

2. System log daemon: OK with that, but if I delete all logs from /var/log then it should show a clear report, right?
AGAIN, no. It MAY, but may not, since you would also have to disable hardware discovery daemons, etc.
Quote:

3. What is logrotate and where does it keep backup files?
Logrotate is a program that will keep backups of log files. Where it keeps these files depends on how you set it up. As an admin, you should know if this is running or not, and how you configured it.
Quote:

4. Is there any tool which can clear all logs (hidden or backed up)?
No. Real admins rarely do this, since you WANT log files. I will again point out that this is VERY suspicious behavior....deleting log files before an audit?? And again, why would an auditor be looking at your personal laptop?

vk.khurava 08-26-2012 10:37 AM

Quote:

Originally Posted by TB0ne (Post 4764564)
I gave you one above. Again, they COULD be in separate sub-directories...as an admin, you should know that you can configure services to log pretty much wherever you want. I suggest you look in the /var/log directory, and see the sub-directories in there.

AGAIN, no. It MAY, but may not, since you would also have to disable hardware discovery daemons, etc.

Logrotate is a program that will keep backups of log files. Where it keeps these files depends on how you set it up. As an admin, you should know if this is running or not, and how you configured it.

No. Real admins rarely do this, since you WANT log files. I will again point out that this is VERY suspicious behavior....deleting log files before an audit?? And again, why would an auditor be looking at your personal laptop?

Actually USB mass storage is not permitted in my company, and this is not my personal laptop, hence I want to clear all the logs, so if you can please help me then I will really appreciate it.

Still I have not received any relevant answer from you. Our conversation is just going round and round.

TB0ne 08-26-2012 12:36 PM

Quote:

Originally Posted by vk.khurava (Post 4764588)
Actually USB mass storage is not permitted in my company, and this is not my personal laptop, hence I want to clear all the logs, so if you can please help me then I will really appreciate it.

Still I have not received any relevant answer from you. Our conversation is just going round and round.

Right, because you ARE NOT UNDERSTANDING THE ANSWER. Pay attention, I will AGAIN tell you the answers:
  • Your logs are typically in /var/log.
  • Since you're a systems administrator, you should already know that the config file for syslog is typically in /etc/syslog-ng.conf.
  • Different services can be in subdirectories underneath that, but can conceivably be ANYWHERE on the system. AGAIN, look in /var/log, and you will SEE the many sub-directories in there.
  • If you're using logrotate, you can have MANY old log files. AGAIN, depending on where YOU set up logrotate to put them, they can be ANYWHERE.
  • You need to be admin/root to delete log files and any backup log files.
  • Unless you STOP system logging and hardware auto-discovery, you WILL GET MORE MESSAGES IN YOUR LOGS. Again, I told you before how to stop system logging.
Go look in /var/log, and delete whatever files you like. Run a "grep -H" on that directory to identify anything with USB in it, and delete it.

And again, you need to spell out your words. If this is your company's laptop and you're violating your company policies, it isn't a bad thing if you get caught. If you're a system administrator, you should already know how to stop system logging, where to look for log files, and (most importantly), how to adhere to company data security policies.
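Added example (my own, not code posted by anyone in this thread): a Python rewrite of the two awk pipelines from the first post, run over constructed sample log lines instead of a real /var/log. It is written from the auditor's side of the question, and it shows why the asker's cleanup did not work: the glob messages* matches logrotate's dated backups (here a made-up /var/log/messages-20120819) as well as the current file, so every Manufacturer/Product/SerialNumber record that survives in any of them is reported. The sample lines, vendor/product IDs and serial numbers are all constructed placeholders; the only assumption is the RHEL 6 kernel message format (kernel: usb <port>: Product: ...), which is what the awk patterns in the thread are matching.

```python
import glob
import re

# Constructed sample logs (not real data): the current messages file plus one
# dated backup of the kind logrotate leaves behind, keyed by file name.
SAMPLE_LOGS = {
    "/var/log/messages": """\
Aug 26 09:10:11 laptop kernel: usb usb1: Manufacturer: Linux 2.6.32-279.el6.x86_64 ehci_hcd
Aug 26 09:10:11 laptop kernel: usb usb1: Product: EHCI Host Controller
Aug 26 09:15:01 laptop kernel: usb 2-1: new high speed USB device number 4 using ehci_hcd
Aug 26 09:15:01 laptop kernel: usb 2-1: New USB device found, idVendor=0781, idProduct=5567
Aug 26 09:15:01 laptop kernel: usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Aug 26 09:15:01 laptop kernel: usb 2-1: Product: Cruzer Blade
Aug 26 09:15:01 laptop kernel: usb 2-1: Manufacturer: SanDisk
Aug 26 09:15:01 laptop kernel: usb 2-1: SerialNumber: 4C530001234567890123
""",
    "/var/log/messages-20120819": """\
Aug 18 14:02:33 laptop kernel: usb 1-2: New USB device found, idVendor=12d1, idProduct=1446
Aug 18 14:02:33 laptop kernel: usb 1-2: Product: HUAWEI Mobile
Aug 18 14:02:33 laptop kernel: usb 1-2: Manufacturer: HUAWEI Technology
Aug 18 14:02:33 laptop kernel: usb 1-2: SerialNumber: PLACEHOLDER-SERIAL
""",
}

# One descriptor line per device attach, as the kernel logs it on RHEL 6.
USB_FIELD_RE = re.compile(
    r"kernel: usb (?P<port>[0-9.-]+): "
    r"(?P<field>Manufacturer|Product|SerialNumber): (?P<value>.*)$"
)


def is_usb_device_line(line):
    """Python equivalent of the first awk filter in the thread:
    /usb/ && (/Manufacturer/ || /Product/ || /Serial/) && !/usb usb/ && !/New USB/.
    '!/usb usb/' drops the root-hub lines (the host controller, not a plugged-in
    device); '!/New USB/' drops 'New USB device found ... idProduct=' and
    'New USB device strings: ... SerialNumber=3', which match Product/Serial
    but carry descriptor indexes, not the strings an auditor wants."""
    return ("usb" in line
            and any(k in line for k in ("Manufacturer", "Product", "Serial"))
            and "usb usb" not in line
            and "New USB" not in line)


def extract_devices(logs):
    """Group surviving lines into one record per (file, USB port).
    `logs` maps file name -> contents; files are walked in sorted order, which
    is how the shell expands messages* (current file first, then backups)."""
    devices = {}
    for path in sorted(logs):
        for line in logs[path].splitlines():
            if not is_usb_device_line(line):
                continue
            m = USB_FIELD_RE.search(line)
            if not m:
                continue
            key = (path, m.group("port"))
            rec = devices.setdefault(key, {"file": path, "port": m.group("port")})
            rec[m.group("field")] = m.group("value").strip()
    return list(devices.values())


def unique_products(logs):
    """What the second pipeline (awk | cut | sort | uniq) reports: distinct
    Product strings, whichever current or rotated file held them."""
    return sorted({d["Product"] for d in extract_devices(logs) if "Product" in d})


def read_logs(pattern="/var/log/messages*"):
    """Read real files matching the glob (needs read access to /var/log),
    in the same file-name -> contents shape as SAMPLE_LOGS."""
    logs = {}
    for path in glob.glob(pattern):
        with open(path, errors="replace") as fh:
            logs[path] = fh.read()
    return logs


if __name__ == "__main__":
    for dev in extract_devices(SAMPLE_LOGS):
        print(dev)                     # one record per attached device, with its source file
    print(unique_products(SAMPLE_LOGS))
```

Swap SAMPLE_LOGS for read_logs() to run it on a real box; the "file" field in each record tells you which file (current or rotated) still holds the device, which is exactly the information the thread's asker was missing.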

Tinkster 08-26-2012 03:41 PM

This is definitely against best practices, and almost certainly against your employment agreement. Closed.
