Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755400AbcDDM43 (ORCPT <rfc822;w@1wt.eu>);
	Mon, 4 Apr 2016 08:56:29 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:38916 "EHLO
	mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752590AbcDDM42 (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 4 Apr 2016 08:56:28 -0400
Date: Mon, 4 Apr 2016 05:56:26 -0700
From: Greg KH <gregkh@linuxfoundation.org>
To: wmealing <wmealing@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
        linux-usb@vger.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details
Message-ID: <20160404125626.GB6197@kroah.com>
References: <1459742562-22803-1-git-send-email-wmail@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1459742562-22803-1-git-send-email-wmail@redhat.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 822
Lines: 21

On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> From: Wade Mealing <wmealing@redhat.com>
> 
> Gday,
> 
> I'm looking to create an audit trail for when devices are added or removed
> from the system.

Then please do it in userspace, as I suggested before, that way you
catch all types of devices, not just USB ones.

Also I don't think you realize that USB interfaces are what are bound to
drivers, not USB devices, so that is going to mess with any attempted
audit trails here.  How are you going to distinguish between the 5
different devices that just got plugged in that all have 0000/0000 as
vid/pid for them because they are "cheap" devices from China, yet do
totally different things because they are different _types_ of devices?

Again, do this in userspace please, that is where it belongs.

greg k-h