Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933640AbcDETih (ORCPT <rfc822;w@1wt.eu>);
	Tue, 5 Apr 2016 15:38:37 -0400
Received: from mx1.redhat.com ([209.132.183.28]:34023 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751248AbcDETif (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 5 Apr 2016 15:38:35 -0400
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Oliver Neukum <oneukum@suse.com>, Wade Mealing <wmealing@redhat.com>,
        linux-usb <linux-usb@vger.kernel.org>, linux-kernel@vger.kernel.org,
        bjorn@mork.no
Subject: Re: [RFC] Create an audit record of USB specific details
Date: Tue, 05 Apr 2016 15:38:34 -0400
Message-ID: <2074584.b2h7oKljRp@x2>
Organization: Red Hat
User-Agent: KMail/4.14.10 (Linux/4.4.6-300.fc23.x86_64; KDE/4.14.18; x86_64; ; )
In-Reply-To: <1459875768.2892.1.camel@suse.com>
References: <1459742562-22803-1-git-send-email-wmail@redhat.com> <CALJHwhR5FQaa6v=ZPyLRZ8L+OrucXqEiwe6QE43HybM2keErYg@mail.gmail.com> <1459875768.2892.1.camel@suse.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1207
Lines: 25

On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote:
> On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote:
> > Consider the following scenario.  Currently we have device drivers
> > that emit text via a printk request which is eventually picked up by
> > syslog like implementation (not the audit subsystem).
> 
> We also have UEVENTs. The crucial question is why udevd feeding
> back events to the audit subsystem is inferior to the kernel
> itself generating audit events.

If this was going to be done in user space, then we are talking about auditd 
growing the ability to monitor another netlink socket for events. The question 
that decides if this is feasible is whether or not UEVENTS are protected from 
loss if several occur in a short time before auditd can get around to reading 
them.

The other issue that I'm curious about is if adding hardware can fail. Do the 
events coming out by UEVENTS have any sense of pass or fail? Or are they all 
implicitly successful?

And then we get to the issue of whether or not UEVENTS can be filtered. If so, 
then we will also need to add auditing around the configuration of the filters 
to see if anything is impacting the audit trail.

-Steve