From: "Boyce, Kevin P (AS)"
To: "burn@swtf.dyndns.org"
CC: Greg KH, "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org", "linux-audit@redhat.com"
Subject: RE: EXT :Re: [RFC] Create an audit record of USB specific details
Date: Tue, 5 Apr 2016 14:42:11 +0000
In-Reply-To: <1459867036.7998.112.camel@swtf.swtf.dyndns.org>
List: linux-kernel@vger.kernel.org

Burn,

> Hence my final comment below about well known devices and the desire to monitor open/openat/etc for write system calls on 'deemed removable media', i.e. one day we could set up auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable -k RMopen
And even when you try to figure this out for a CD it is next to impossible to know what is written. If I remember correctly, when running strace on wodim you don't ever see the write() calls on the filenames. And instead, what if someone creates an ISO image and burns that to a DVD? You really have no way of knowing what is on that disc. When the burn process is complete, the disc usually gets ejected, so the audit subsystem would never even get a chance to evaluate the filesystem that was written to optical media.

Kevin
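The `-F dev=removable` filter in the quoted rule is a wish, not a real auditctl field; the closest thing auditctl has today is `-F devmajor=`/`-F devminor=` on the file being opened, which catches writes to files on a mounted removable filesystem but, as Kevin notes, not a burner writing raw to an optical drive. The script below is an added example, not code from the thread, showing how to generate such rules for every block device lsblk(8) flags as removable; it assumes lsblk and auditctl are installed and that the `--apply` mode is run as root (the rule key `RMopen` is taken from the thread, everything else is constructed).

```shell
#!/bin/sh
# Added example: approximate "dev=removable" with the devmajor/devminor
# filters auditctl really has, emitting one rule pair per removable device.

# Emit the audit rules for one device (major, minor, optional key).
# open() carries its flags in a1 but openat() carries them in a2, so the
# O_WRONLY|O_RDWR (=3) bitmask test has to move with the syscall.
rm_open_rules() {
    maj="$1"; min="$2"; key="${3:-RMopen}"
    printf -- '-a always,exit -F arch=b64 -S open -F a1&3 -F devmajor=%s -F devminor=%s -k %s\n' \
        "$maj" "$min" "$key"
    printf -- '-a always,exit -F arch=b64 -S openat -F a2&3 -F devmajor=%s -F devminor=%s -k %s\n' \
        "$maj" "$min" "$key"
}

# Print "MAJ MIN" for every disk/partition lsblk reports as removable (RM=1).
# Files on a mounted removable filesystem carry the partition's st_dev, so
# the partition's major/minor is what the audit filter compares against.
removable_devs() {
    lsblk -rno MAJ:MIN,RM | awk '$2 == 1 { split($1, d, ":"); print d[1], d[2] }'
}

case "${1:-}" in
    --print)
        removable_devs | while read -r maj min; do rm_open_rules "$maj" "$min"; done
        ;;
    --apply)
        removable_devs | while read -r maj min; do
            rm_open_rules "$maj" "$min" | while read -r rule; do
                # Word-splitting is intended here: each rule is one argv list.
                # shellcheck disable=SC2086
                auditctl $rule
            done
        done
        ;;
esac
```

Rules are generated only for the b64 ABI; a 32-bit compat rule pair (`-F arch=b32`) would be needed to cover 32-bit processes as well.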