From: Greg KH <gregkh@linuxfoundation.org>
To: "Boyce, Kevin P (AS)" <Kevin.Boyce@ngc.com>
Cc: "Wade Mealing" <wmealing@redhat.com>,
"Bjørn Mork" <bjorn@mork.no>, "Oliver Neukum" <oneukum@suse.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-usb <linux-usb@vger.kernel.org>,
"linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: EXT :Re: [RFC] Create an audit record of USB specific details
Date: Tue, 5 Apr 2016 09:46:32 -0400
Message-ID: <20160405134632.GC31313@kroah.com>
In-Reply-To: <889498a2eca043d5af1fe23ffb574284@XCGVAG30.northgrum.com>

On Tue, Apr 05, 2016 at 11:49:14AM +0000, Boyce, Kevin P (AS) wrote:
> Wade,
>
> Wouldn't this imply that every time the system is booted and the PCI
> bus for example is enumerated and all of the devices are created that
> all of those activities generate audit events?
> That sounds less than desirable. Does this imply that the audit
> subsystem should maintain a "baseline" of hardware that is always
> present on the system?

If you do, what happens when your PCI devices renumber themselves the
next time you boot (hint, PCI numbering is not static.)

> Couldn't you audit a directory under /proc/usb?

There is no "/proc/usb/" :)

> Correct me if I am wrong, but doesn't auditing of the syscall mknod
> create an event when devices are "added" to the system?

The kernel calls mknod itself on devtmpfs, userspace doesn't do that
anymore (hasn't for a long time). Do you get those audit events today?

thanks,

greg k-h