Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756370AbcDDVdO (ORCPT <rfc822;w@1wt.eu>);
	Mon, 4 Apr 2016 17:33:14 -0400
Received: from mx1.redhat.com ([209.132.183.28]:40190 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751587AbcDDVdN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Mon, 4 Apr 2016 17:33:13 -0400
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Greg KH <gregkh@linuxfoundation.org>, wmealing <wmealing@redhat.com>,
        linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details
Date: Mon, 04 Apr 2016 17:33:10 -0400
Message-ID: <8028201.ZHuhRfiKWv@x2>
Organization: Red Hat
User-Agent: KMail/4.14.10 (Linux/4.4.6-300.fc23.x86_64; KDE/4.14.18; x86_64; ; )
In-Reply-To: <20160404125626.GB6197@kroah.com>
References: <1459742562-22803-1-git-send-email-wmail@redhat.com> <20160404125626.GB6197@kroah.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1631
Lines: 35

On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > From: Wade Mealing <wmealing@redhat.com>
> > 
> > Gday,
> > 
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> 
> Then please do it in userspace, as I suggested before, that way you
> catch all types of devices, not just USB ones.
> 
> Also I don't think you realize that USB interfaces are what are bound to
> drivers, not USB devices, so that is going to mess with any attempted
> audit trails here.  How are you going to distinguish between the 5
> different devices that just got plugged in that all have 0000/0000 as
> vid/pid for them because they are "cheap" devices from China, yet do
> totally different things because they are different _types_ of devices?

This sounds like vid/pid should be captured in the event.

 
> Again, do this in userspace please, that is where it belongs.

There is one issue that may need some clarification. The audit system has to do 
everything possible to make sure that an event is captured and logged. Does 
the uevent netlink protocol ever drop events because the user space queue is 
full? If the uevent interface drops events, then its not audit quality in 
terms of doing everything possible to prevent the loss of a record. If this 
were to happen, how would user space find out when a uevent gets dropped? I may 
have to panic the machine if that happens depending on the configured policy. 
So, we need to know when it happens. If on the otherhand it doesn't ever drop 
events, then it might be usable.

-Steve