Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964826AbcDEWSK (ORCPT ); Tue, 5 Apr 2016 18:18:10 -0400 Received: from out5-smtp.messagingengine.com ([66.111.4.29]:37170 "EHLO out5-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933837AbcDEWSH (ORCPT ); Tue, 5 Apr 2016 18:18:07 -0400 X-Sasl-enc: LT2q6H5wTMKy2tddnuIbD/yEL4u7W4dLvbnxSdWSaEEr 1459894685 Date: Tue, 5 Apr 2016 18:18:05 -0400 From: Greg KH To: Steve Grubb Cc: linux-audit@redhat.com, Oliver Neukum , Wade Mealing , linux-usb , linux-kernel@vger.kernel.org, bjorn@mork.no Subject: Re: [RFC] Create an audit record of USB specific details Message-ID: <20160405221805.GB11038@kroah.com> References: <1459742562-22803-1-git-send-email-wmail@redhat.com> <1459875768.2892.1.camel@suse.com> <2074584.b2h7oKljRp@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2074584.b2h7oKljRp@x2> User-Agent: Mutt/1.6.0 (2016-04-01) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1667 Lines: 39 On Tue, Apr 05, 2016 at 03:38:34PM -0400, Steve Grubb wrote: > On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote: > > On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote: > > > Consider the following scenario. Currently we have device drivers > > > that emit text via a printk request which is eventually picked up by > > > syslog like implementation (not the audit subsystem). > > > > We also have UEVENTs. The crucial question is why udevd feeding > > back events to the audit subsystem is inferior to the kernel > > itself generating audit events. > > If this was going to be done in user space, then we are talking about auditd > growing the ability to monitor another netlink socket for events. The question > that decides if this is feasible is whether or not UEVENTS are protected from > loss if several occur in a short time before auditd can get around to reading > them. udevd should queue up your events that you subscribe to just fine. Test it out if you want to, it should be pretty easy. > The other issue that I'm curious about is if adding hardware can fail. Sure it can, plug in a "broken" USB device and watch it not enumerate properly :) > Do the events coming out by UEVENTS have any sense of pass or fail? Or > are they all implicitly successful? They only happen when a device is successfully added to the kernel. > And then we get to the issue of whether or not UEVENTS can be filtered. If so, > then we will also need to add auditing around the configuration of the filters > to see if anything is impacting the audit trail. You can filter in userspace, that's what udevd provides for you today. thanks, greg k-h