Subject: RE: EXT :Re: [RFC] Create an audit record of USB specific details
From: Burn Alting
Reply-To: burn@swtf.dyndns.org
To: "Boyce, Kevin P (AS)"
Cc: Greg KH, "linux-usb@vger.kernel.org", "linux-kernel@vger.kernel.org", "linux-audit@redhat.com"
Organization: Software Task Force
Date: Wed, 06 Apr 2016 08:39:29 +1000
Message-ID: <1459895969.7998.139.camel@swtf.swtf.dyndns.org>

On Tue, 2016-04-05 at 14:42 +0000, Boyce, Kevin P (AS) wrote:
> Burn,
>
> > Hence my final comment below about well known devices and the desire
> > to monitor open/openat/etc for write system calls on 'deemed removable
> > media' ie one day we could set up
> >   auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable -k RMopen
>
> And even when you try to figure this out for a CD it is next to
> impossible to know what is written. If I remember correctly when running
> strace on wodim you don't ever see the write() calls on the filenames.
> And instead, what if someone creates an iso image and burns that to a
> DVD. You really have no way of knowing what is on that disc. When the
> burn process is complete, the disc usually gets ejected, so the audit
> subsystem would never even get a chance to evaluate the filesystem that
> was written to optical media.

Two issues here.

1. If you need to know what has been transferred to removable media, then
use appropriate DLP (data loss prevention) capability that not only
provides management on who/what can be involved in transfers, but can
also keep shadow copies of data transferred.

2. If no DLP tools are available, then we need to make use of audit, but
we do not rely on a single event in isolation. Reviewing events both
before and after a removable media event, along with events from other
services (web servers, applications), allows one to build a 'balance of
probabilities' picture of what has occurred. (The balance of
probabilities is improved with more information of value and its
integrity.)

Apologies for going off topic on these lists, but I am hoping this
background to our requirements will aid in any further discussion
regarding solutions people such as Wade are investigating.

If there is a desire to continue, it's probably best we move such
discussions to audit specific lists or dedicated forums and return when
required with kernel/usb specific issues.

Regards
Burn
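The correlation Burn describes in point 2, as an added example that is not part of this thread or of the RFC patch: it walks a constructed set of audit records and pairs each USB device-add event with the write-mode open(2) calls (key RMopen, as in Burn's hypothetical rule) that follow it within a time window. The USB_DEVICE record type and its fields are assumptions standing in for whatever record the RFC defines; the `-F dev=removable` filter from the quoted rule does not exist in auditctl, so the matching is done here after the fact instead.

```python
import re

# Constructed sample audit records, not real logs. USB_DEVICE is a hypothetical
# record type used only for this example; SYSCALL records use the real auditd layout
# (syscall=2 is open on x86_64, a1 is the flags argument in hex).
SAMPLE_LOG = """\
type=USB_DEVICE msg=audit(1459895000.100:501): pid=1 uid=0 op=add vendor=abcd product=1234 serial=CONSTRUCTED01
type=SYSCALL msg=audit(1459895003.250:502): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd a1=241 a2=1b6 a3=0 pid=2211 auid=1000 uid=1000 key="RMopen"
type=SYSCALL msg=audit(1459895004.010:503): arch=c000003e syscall=2 success=yes exit=5 a0=7ffd a1=0 a2=0 a3=0 pid=2211 auid=1000 uid=1000 key="RMopen"
type=SYSCALL msg=audit(1459896200.000:504): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=2 a2=0 a3=0 pid=2400 auid=1000 uid=1000 key="RMopen"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
O_ACCMODE = 0o3  # low two bits of open flags: O_RDONLY=0, O_WRONLY=1, O_RDWR=2


def parse_record(line):
    """Turn one auditd line into a dict of fields plus its timestamp and event serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["time"] = float(m.group(1))
    rec["serial_no"] = int(m.group(2))
    return rec


def is_write_open(rec):
    """True for an RMopen-keyed open(2) whose flags allow writing (the 'a1&3' idea)."""
    if rec.get("type") != "SYSCALL" or rec.get("key") != "RMopen":
        return False
    return int(rec["a1"], 16) & O_ACCMODE != 0


def correlate(log_text, window_s=60.0):
    """Map each USB add event serial to the write-open serials within window_s after it."""
    recs = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    result = {}
    for dev in (r for r in recs if r.get("type") == "USB_DEVICE" and r.get("op") == "add"):
        hits = [r["serial_no"] for r in recs
                if is_write_open(r) and dev["time"] <= r["time"] <= dev["time"] + window_s]
        result[dev["serial_no"]] = hits
    return result


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))  # {501: [502]}
```

Event 503 is a read-only open and 504 falls outside the window, so only 502 is associated with the device insertion; in practice the same pairing would be extended to the PATH and CWD records of each event to recover file names.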