Back to Resources

Level Verified

Linux Monitor - USB Drive Script

Created by

Level

Type

Script

Category

Security

Platforms
WindowsApple iOSLinux
Import into Level
Copy link

Problem Overview

Unauthorized or unaccounted-for USB drives can pose significant security threats, from data theft to malware injection. Monitoring for USB drive insertions is essential for organizations that want to safeguard their systems and maintain compliance with data protection policies.

Description

This script quickly checks whether any USB storage devices are currently connected to the system. If it detects a USB drive, it returns a simple "ALERT" message, which you can capture with a script-based monitor in Level to trigger a real-time notification and log the event.

You can also build an Automation in Level with a schedule trigger to regularly check for USB drives and act on any findings—this can include disabling the port or generating a security ticket for further investigation.

Script

1#!/bin/bash
2
3# This resource is provided as a convenience for Level users. We cannot 
4# guarantee it will work in all environments. Please test before deploying 
5# to your production environment. We welcome contributions to our community 
6# library
7
8# Level Library
9# https://level.io/library/script-linux-monitor-usb-drive
10
11# Look for USB Drives
12USBDrivePresent=$(lsblk -o NAME,TRAN | grep "usb" | awk '{print $1}')
13
14if [ -n "$USBDrivePresent" ]; then
15    # If USB drive is present, send console message for Level to alert on
16    echo "ALERT"
17fi

Use Cases

  • Monitoring secure environments for unauthorized USB attachments
  • Enforcing data protection policies in regulated industries
  • Logging removable media usage on remote or distributed workstations
  • Real-time alerting of potential data exfiltration attempts

Recommendations

  • Test the script in a safe environment before deploying widely
  • Use a script-based monitor in Level to instantly detect drive insertions
  • Consider scheduling automated checks via Level’s Automation features
  • Verify that lsblk is available and functioning correctly on your Linux distribution
  • Plan immediate or follow-up actions for any alerts—lockdown, logging, or user notifications

FAQ

  • How do I integrate this script with Level?
    Import the script as a resource in Level, then configure a script-based monitor or scheduled Automation to run it.
  • Does this script prevent USB use?
    No. It merely detects USB devices and triggers an alert; restricting usage requires additional configurations.
  • What permissions are needed?
    It runs with System or Root privileges under Level, so it can accurately detect connected drives.
  • Will it detect other removable media types?
    This script specifically checks for USB transport. You may need to modify it to detect other device types.
  • Are there any performance impacts?
    The script is lightweight and does a quick check, so there should be minimal performance overhead even if run frequently.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Linux Monitor - USB Drive

Description

This script checks for the presence of USB drives on a Linux system by scanning for devices identified as USB. If any USB drive is detected, it outputs an "ALERT" message, designed for integration with monitoring systems to notify administrators of potential unauthorized device connections.

Language

Bash

Timeout (In Seconds)

100

Run As

Local system

Import into Level

Related resources

Explore more automations, scripts, and policies to further enhance your IT operations.

View all resources

Start automating thousands of your devices with Level

Start your 14-day free trial today.

Book a demoGet started for free

© 2025 Level Software, Inc.