Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757951AbcDEOni (ORCPT <rfc822;w@1wt.eu>);
	Tue, 5 Apr 2016 10:43:38 -0400
Received: from xspv0103.northgrum.com ([134.223.120.78]:50040 "EHLO
	xspv0103.northgrum.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752492AbcDEOng (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 5 Apr 2016 10:43:36 -0400
From: "Boyce, Kevin P (AS)" <Kevin.Boyce@ngc.com>
To: "burn@swtf.dyndns.org" <burn@swtf.dyndns.org>
CC: Greg KH <gregkh@linuxfoundation.org>,
        "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: RE: EXT :Re: [RFC] Create an audit record of USB specific details
Thread-Topic: EXT :Re: [RFC] Create an audit record of USB specific details
Thread-Index: AQHRj0UHR5KtxucL2EqBwlDF+yT70J97bNJAgABZwgD//6yKAA==
Date: Tue, 5 Apr 2016 14:42:11 +0000
Message-ID: <ffef94ad8d7a4770a4a192488a5be1c3@XCGVAG30.northgrum.com>
References: <1459742562-22803-1-git-send-email-wmail@redhat.com>
	 <20160404125626.GB6197@kroah.com> <8028201.ZHuhRfiKWv@x2>
	 <20160404214843.GA26580@kroah.com> <20160404215302.GC26580@kroah.com>
	 <1459861668.7998.92.camel@swtf.swtf.dyndns.org>
	 <20160405134427.GB31313@kroah.com>
	 <1459865304.7998.102.camel@swtf.swtf.dyndns.org>
	 <9dd2354558314ead819366b954e97133@XCGVAG30.northgrum.com>
 <1459867036.7998.112.camel@swtf.swtf.dyndns.org>
In-Reply-To: <1459867036.7998.112.camel@swtf.swtf.dyndns.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [134.223.82.114]
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id u35EhilD028022
Content-Length: 793
Lines: 8

Burn,

> Hence my final comment below about well known devices and the desire monitor open/openat/etc for write system calls on 'deemed removable media' ie one day we could set up
  auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable -k RMopen

And even when you try to figure this out for a CD it is next to impossible to know what is written.  If I remember correctly when running strace on wodim you don't ever see the write() calls on the filenames.  And instead, what if someone creates an iso image and burns that to a DVD.  You really have no way of knowing what is on that disc.  When the burn process is complete, the disc usually gets ejected, so the audit subsystem would never even get a chance to evaluate the filesystem that was written to optical media.

Kevin