From: Greg KH <greg@kroah.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com, wmealing <wmealing@redhat.com>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details
Date: Mon, 4 Apr 2016 14:54:22 -0700
Message-ID: <20160404215422.GA26969@kroah.com>
In-Reply-To: <4430946.BXbQgWNMDe@x2>

On Mon, Apr 04, 2016 at 05:37:01PM -0400, Steve Grubb wrote:
> On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> > 
> > The audit subsystem is a logging subsystem in kernel space that can be
> > used to create advanced filters on generated events.  It has partnered
> > userspace utilities ausearch, auditd, aureport, auditctl which work
> > exclusively on audit records.
> > 
> > These tools are able to set filters to "trigger" on specific in-kernel
> > events specified by privileged users.  While the userspace tools can create
> > audit events these are not able to be handled intelligently
> > (decoded, filtered or ignored) as kernel generated audit events are.
> > 
> > I have this working at the moment with the USB subsystem (as an example).
> > It's been suggested that I use systemd-udev however this means that the audit
> > tools (ausearch) will not be able to index these records.
> > 
> > Here is an example of picking out the AUDIT_DEVICE record type for example.
> > 
> > > # ausearch -l -i -ts today -m AUDIT_DEVICE
> > > ----
> > > type=AUDIT_DEVICE msg=audit(31/03/16 16:37:15.642:2) : action=add
> > > manufacturer=Linux 4.4.0-ktest ehci_hcd product=EHCI Host Controller
> > > serial=0000:00:06.7 major=189 minor=0 bus="usb"
> 
> About this event's format...we can't have any spaces in the value side of the
> name=value fields unless it's encoded as an untrusted string. You can replace
> spaces with an underscore or dash for readability. So, manufacturer and 
> product would need this treatment.

What is the character encoding that audit messages can accept?  Does it
match up with the character encoding that USB strings are in?

thanks,

greg k-h
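The "untrusted string" rule Steve refers to, and the encoding question Greg raises, both come down to which bytes the audit subsystem will pass through verbatim. The following userspace C program is an added illustration, not code from this thread or from the kernel: it mirrors the rule audit_log_untrustedstring() applies in kernel/audit.c (a value containing a space, a double quote or any byte outside 0x21..0x7e is emitted as upper-case hex, otherwise it is double-quoted) and runs it over the product/bus values from the quoted record plus a constructed product string carrying a non-ASCII UTF-8 byte.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* An audit record is name=value pairs separated by spaces, so a value may only
 * contain a space if the whole value is carried as an "untrusted string".
 * This mirrors the check the kernel makes in audit_log_untrustedstring():
 * any byte outside 0x21..0x7e, or a '"', makes the value untrusted. */
static int audit_needs_hex(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e)
            return 1;
    return 0;
}

/* Format name=value the way the audit record carries it: a clean value is
 * double-quoted, an untrusted one is emitted as upper-case hex with no quotes
 * (ausearch -i turns it back into text). Returns the number of characters
 * written, or -1 if out is too small. */
int audit_format_field(char *out, size_t outsz, const char *name,
                       const unsigned char *val, size_t len)
{
    int hex = audit_needs_hex(val, len);
    size_t need = strlen(name) + 1 + (hex ? 2 * len : len + 2) + 1;
    char *p = out;

    if (need > outsz)
        return -1;
    p += sprintf(p, "%s=", name);
    if (hex)
        for (size_t i = 0; i < len; i++)
            p += sprintf(p, "%02X", val[i]);
    else
        p += sprintf(p, "\"%.*s\"", (int)len, (const char *)val);
    return (int)(p - out);
}

int main(void)
{
    /* Constructed inputs: the bus and product values from the record quoted
     * in the thread, plus a product string with a UTF-8 multibyte character
     * of the kind usb_string() yields after converting a UTF-16LE descriptor. */
    const char *samples[] = { "usb", "EHCI Host Controller", "Caf\xC3\xA9 Hub" };
    char buf[128];

    for (size_t i = 0; i < 3; i++) {
        audit_format_field(buf, sizeof buf, "product",
                           (const unsigned char *)samples[i], strlen(samples[i]));
        puts(buf);
    }
    return 0;
}
```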

