LinuxQuestions.org
Old 08-29-2007, 05:05 AM   #1
unihiekka
Member
 
Registered: Aug 2005
Distribution: SuSE Linux / Scientific Linux / [K|X]ubuntu
Posts: 273

Rep: Reputation: 32
USB Espionage


Hi there!

At work, I have a laptop and desktop with Linux. Lately, I have noticed people going in and out that behave very oddly. I suspect that they check out our computers with USB sticks, copying the hard drive or at least some documents and then leaving no trace. There are some sensitive documents there that should not get into the hands of third parties.

Is there a way that I can see if a USB stick has been inserted in Linux at a certain time (a log?), so that I can check whether someone has been at my PC at times I was having lunch? Or is there even a way to block USB sticks other than my own from accessing my documents (password-protected perhaps)?
 
Old 08-29-2007, 05:48 AM   #2
walla299
Member
 
Registered: Jul 2007
Location: Phoenix, AZ, US
Distribution: OpenSuse 11.1 x64 (KDE 4.3)
Posts: 35

Rep: Reputation: 15
Let's see...........

First, I would make darn sure I locked the machine before I left the desk.

You didn't say which desktop you are using, but at a minimum you could log out of your account before leaving the computer alone.

You should be able to see if someone inserted a USB stick in the system log. It's usually in: /var/log. The filename might vary depending on the distro, but the main log name is usually /var/log/messages. (I'm not on my Linux box at the moment, so I can't check.) A good way to check the log is to insert your own stick, then have a look in the log. Mine shows the make and serial number of the USB stick.

Now that I think about it, turning off the automount feature might be an option, too. Then you'd have to mount/umount manually, but someone who didn't know Linux would not realize that.

Hope this helps.
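
The log check described in this post, sketched as an added example (not code from the thread): it groups kernel USB messages into plug-in events and flags any whose serial number is not on your own list. The log lines, hostname, serial numbers and function names are constructed, and the exact message wording depends on the kernel version.

```python
import re
from datetime import datetime

# Constructed sample; real kernel message wording varies by version (assumption).
SAMPLE_LOG = """\
Aug 29 09:02:11 desk kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Aug 29 09:02:11 desk kernel: usb 1-2: Manufacturer: SanDisk
Aug 29 09:02:11 desk kernel: usb 1-2: SerialNumber: OWN-STICK-0001
Aug 29 09:40:03 desk kernel: usb 1-2: USB disconnect, device number 4
Aug 29 12:17:45 desk kernel: usb 1-3: New USB device found, idVendor=090c, idProduct=1000
Aug 29 12:17:45 desk kernel: usb 1-3: Manufacturer: Generic
Aug 29 12:17:45 desk kernel: usb 1-3: SerialNumber: CONSTRUCTED-9F3A
Aug 29 12:17:46 desk kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Aug 29 12:24:30 desk kernel: usb 1-3: USB disconnect, device number 5
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (?:\[[^\]]*\]\s*)?"
                  r"(usb|usb-storage) ([\d.-]+)(?::[\d.]+)?: (.*)$")
FIELDS = (("serial", "SerialNumber: "), ("vendor", "Manufacturer: "))

def usb_sessions(log_text, year):
    """Group kernel USB lines into one record per plug-in (syslog omits the year)."""
    open_by_port, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, driver, port, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if msg.startswith("New USB device found"):
            rec = {"port": port, "inserted": when, "removed": None,
                   "serial": None, "vendor": None, "storage": False}
            open_by_port[port] = rec
            sessions.append(rec)
        rec = open_by_port.get(port)
        if rec is None:
            continue  # message for a device plugged in before the log starts
        if driver == "usb-storage":
            rec["storage"] = True
        elif msg.startswith("USB disconnect"):
            rec["removed"] = when
            del open_by_port[port]
        for key, prefix in FIELDS:
            if msg.startswith(prefix):
                rec[key] = msg[len(prefix):].strip()
    return sessions

def unknown_devices(sessions, own_serials):
    return [s for s in sessions if s["serial"] not in own_serials]
```

A device that reports no serial number is flagged as unknown as well, since its `serial` stays `None`. To use it on a real machine, pass the contents of the system log and the current year in place of `SAMPLE_LOG`.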
 
Old 08-29-2007, 06:57 AM   #3
Andersonian
LQ Newbie
 
Registered: Oct 2006
Location: California / Moldova
Distribution: bunch of Ubuntu flavors
Posts: 29

Rep: Reputation: 15
Or, on top of the turned off automount, mounting USBs could be made to require the user's password.
 
Old 08-29-2007, 07:03 AM   #4
unihiekka
Member
 
Registered: Aug 2005
Distribution: SuSE Linux / Scientific Linux / [K|X]ubuntu
Posts: 273

Original Poster
Rep: Reputation: 32
I have SuSE Linux 10.1 with KDE 3."SOMETHING"

Most people at work know more about Linux than I do, so I think the mount trick would not work very long.

Quote:
Or, on top of the turned off automount, mounting USBs could be made to require the user's password.
How would I do that?
 
Old 08-29-2007, 10:31 AM   #5
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
USB pen drives on Linux aren't trivial, unfortunately (or, in your case, fortunately). It has been my experience on a couple of different distros that these drives are not universally mounted. I actually had to create a proper udev rule so that my own pen drives automount. Usually, when I insert a "foreign" pen drive (one belonging to someone else) I have to manually mount it, unless it happens to be a brand that is properly identified by my udev rule. (Note to readers: a planned project of mine is to get lots of people with lots of different pen drives to read out their identification info so that I can make my udev rule comprehensive, then publish it...)

In any event, it could very well be that if someone is sticking a pen drive into your USB port they can't read off your data without first becoming root and mounting the pen drive.

Should it happen that the pen drive is automounting, you can stop this by identifying the proper udev rule and removing it. This will prevent anyone who can't become root on your system from using a pendrive to remove data from it.

If they can become root then one of two conditions applies: your security is compromised and you need to change the root password or they own the 'puter and have the right to become root. If the latter condition, they may also have the right to extract data from the system.
 
Old 08-29-2007, 11:36 AM   #6
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Mint
Posts: 17,809

Rep: Reputation: 743
If the person has no password to the machine, then how would they be moving data to a USB stick? (Or am I missing something?)

Be aware that anyone with physical access to the hardware can boot from live CD and disable the password. Real security means locking the office, or locking the computer in a cabinet.
 
Old 08-29-2007, 12:30 PM   #7
Road_map
Member
 
Registered: Jan 2007
Distribution: Slackware
Posts: 341

Rep: Reputation: 31
I agree. A security environment for highly sensitive information and data must begin with physical access control and protection against incidental or consequential damage (like fires, earthquakes, floods and so on).

<IMHO> highly sensitive data must not be stored on unprotected computers (a password is not a protection against someone who really wants to steal sensitive data from a laptop or a desktop). I mean the highly sensitive data must be stored on dedicated data servers. No optical media writers, no USB ports, no memory card readers.

"Security is NOT installing a firewall" and more good advice here.
 
Old 08-29-2007, 02:11 PM   #8
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
Quote:
Originally Posted by pixellany
If the person has no password to the machine, then how would they be moving data to a USB stick? (Or am I missing something?)

Be aware that anyone with physical access to the hardware can boot from live CD and disable the password. Real security means locking the office, or locking the computer in a cabinet.
I believe that the scenario here has OP getting up from his desk, walking down the hall to get a coffee or whatever, then coming back after a few minutes. He isn't logging off while away from the machine.
 
Old 08-29-2007, 02:16 PM   #9
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128
Have you tried just locking the screen with xscreensaver? It renders the machine unusable until you return and unlock it with your password. It can also be set to lock the machine as soon as the screensaver comes on, so if you forget, within a minute or two, it'll automatically lock.
 
  

