Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933640AbcDETih (ORCPT ); Tue, 5 Apr 2016 15:38:37 -0400 Received: from mx1.redhat.com ([209.132.183.28]:34023 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751248AbcDETif (ORCPT ); Tue, 5 Apr 2016 15:38:35 -0400 From: Steve Grubb To: linux-audit@redhat.com Cc: Oliver Neukum , Wade Mealing , linux-usb , linux-kernel@vger.kernel.org, bjorn@mork.no Subject: Re: [RFC] Create an audit record of USB specific details Date: Tue, 05 Apr 2016 15:38:34 -0400 Message-ID: <2074584.b2h7oKljRp@x2> Organization: Red Hat User-Agent: KMail/4.14.10 (Linux/4.4.6-300.fc23.x86_64; KDE/4.14.18; x86_64; ; ) In-Reply-To: <1459875768.2892.1.camel@suse.com> References: <1459742562-22803-1-git-send-email-wmail@redhat.com> <1459875768.2892.1.camel@suse.com> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1207 Lines: 25 On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote: > On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote: > > Consider the following scenario. Currently we have device drivers > > that emit text via a printk request which is eventually picked up by > > syslog like implementation (not the audit subsystem). > > We also have UEVENTs. The crucial question is why udevd feeding > back events to the audit subsystem is inferior to the kernel > itself generating audit events. If this was going to be done in user space, then we are talking about auditd growing the ability to monitor another netlink socket for events. The question that decides if this is feasible is whether or not UEVENTS are protected from loss if several occur in a short time before auditd can get around to reading them. The other issue that I'm curious about is if adding hardware can fail. Do the events coming out by UEVENTS have any sense of pass or fail? Or are they all implicitly successful? And then we get to the issue of whether or not UEVENTS can be filtered. If so, then we will also need to add auditing around the configuration of the filters to see if anything is impacting the audit trail. -Steve