From: Greg KH <gregkh@linuxfoundation.org>
To: Burn Alting <burn@swtf.dyndns.org>
Cc: Steve Grubb <sgrubb@redhat.com>,
linux-audit@redhat.com, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details
Date: Tue, 5 Apr 2016 09:44:27 -0400 [thread overview]
Message-ID: <20160405134427.GB31313@kroah.com> (raw)
In-Reply-To: <1459861668.7998.92.camel@swtf.swtf.dyndns.org>
On Tue, Apr 05, 2016 at 11:07:48PM +1000, Burn Alting wrote:
> On Mon, 2016-04-04 at 14:53 -0700, Greg KH wrote:
> > On Mon, Apr 04, 2016 at 02:48:43PM -0700, Greg KH wrote:
> > > On Mon, Apr 04, 2016 at 05:33:10PM -0400, Steve Grubb wrote:
> > > > On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > > > > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > > > > > From: Wade Mealing <wmealing@redhat.com>
> > > > > >
> > > > > > Gday,
> > > > > >
> > > > > > I'm looking to create an audit trail for when devices are added or removed
> > > > > > from the system.
> > > > >
> > > > > Then please do it in userspace, as I suggested before, that way you
> > > > > catch all types of devices, not just USB ones.
> > > > >
> > > > > Also I don't think you realize that USB interfaces are what are bound to
> > > > > drivers, not USB devices, so that is going to mess with any attempted
> > > > > audit trails here. How are you going to distinguish between the 5
> > > > > different devices that just got plugged in that all have 0000/0000 as
> > > > > vid/pid for them because they are "cheap" devices from China, yet do
> > > > > totally different things because they are different _types_ of devices?
> > > >
> > > > This sounds like vid/pid should be captured in the event.
> > >
> > > The code did that, the point is, vid/pid means nothing in the real
> > > world. So why are you going to audit anything based on it? :)
> >
> > Oh wait, it's worse, it is logging strings, which are even more
> > unreliable than vid/pid values. It's pretty obvious this has not been
> > tested on any large batch of real-world devices, or thought through as
> > to why any of this is even needed at all.
> >
> > So why is this being added? Who needs/wants this? What are their
> > requirements here?
>
> As a consumer of auditd events for security purposes, the questions I
> would like answered via the sort of audit framework Wade is putting
> together are
>
> - when was a (possible) removable media device plugged into a system and
> what were the device details - perhaps my corporation has a policy on
> what devices are 'official' and hence one looks for alternatives,
> and/or,
How do you determine if a USB device is "official" or not? What
attribute(s) are you going to care about that can't be trivially
spoofed?
> - was it there at boot ? (in case someone adds and removes such devices
> when powered off), and eventually
What if you booted off of it?
> - has an open for write (or other system calls) occurred on designated
> removable media? (i.e. what may have been written to removable media -
> cooked or raw) - Yes, this infers a baseline of what's connected or an
> efficient means of working out if a device is 'removable' at system call
> time.
Yes, determining "removable" is non-trivial, good luck with that :)
thanks,
greg k-h
next prev parent reply other threads:[~2016-04-05 13:44 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-04 4:02 [RFC] Create an audit record of USB specific details wmealing
2016-04-04 6:48 ` Oliver Neukum
2016-04-04 7:47 ` Bjørn Mork
2016-04-05 8:40 ` Wade Mealing
2016-04-05 11:49 ` EXT :Re: " Boyce, Kevin P (AS)
2016-04-05 13:46 ` Greg KH
2016-04-05 13:52 ` Boyce, Kevin P (AS)
2016-04-05 15:35 ` Greg KH
2016-04-05 14:40 ` Alan Stern
2016-04-05 22:17 ` Wade Mealing
2016-04-05 17:02 ` Oliver Neukum
2016-04-05 19:38 ` Steve Grubb
2016-04-05 22:18 ` Greg KH
2016-04-04 12:56 ` Greg KH
2016-04-04 21:33 ` Steve Grubb
2016-04-04 21:48 ` Greg KH
2016-04-04 21:53 ` Greg KH
2016-04-05 13:07 ` Burn Alting
2016-04-05 13:44 ` Greg KH [this message]
2016-04-05 14:08 ` Burn Alting
2016-04-05 14:20 ` EXT :Re: " Boyce, Kevin P (AS)
2016-04-05 14:37 ` Burn Alting
2016-04-05 14:42 ` Boyce, Kevin P (AS)
2016-04-05 22:39 ` Burn Alting
2016-04-04 21:37 ` Paul Moore
2016-04-04 21:50 ` Greg KH
2016-04-05 2:54 ` Paul Moore
2016-04-05 3:39 ` Greg KH
2016-04-05 14:50 ` Paul Moore
2016-04-04 21:37 ` Steve Grubb
2016-04-04 21:54 ` Greg KH
[not found] ` <CALJHwhR-SA7K=fD=DUXE7EFq+4gWKPaY+B5z6jdCj7180wg_vg@mail.gmail.com>
2016-04-05 1:54 ` Wade Mealing
2016-04-05 2:43 ` Greg KH
2016-04-05 2:47 ` Greg KH
2016-04-04 22:10 ` Burn Alting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160405134427.GB31313@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=burn@swtf.dyndns.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox