Re: [RFC] Create an audit record of USB specific details

From: BjÃrn Mork
Date: Mon Apr 04 2016 - 03:48:31 EST

Next message: Roger Quadros: "Re: [PATCH 1/2] usb: dwc3: core: Introduce dwc3_device_reinit()"
Previous message: Krzysztof Kozlowski: "[PATCH] ARM: exynos_defconfig: Enable Trats2 audio codec, touchscreen and sensors"
In reply to: Oliver Neukum: "Re: [RFC] Create an audit record of USB specific details"
Next in thread: Wade Mealing: "Re: [RFC] Create an audit record of USB specific details"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Oliver Neukum <oneukum@xxxxxxxx> writes:
> On Mon, 2016-04-04 at 00:02 -0400, wmealing wrote:
>
>> I'm looking to create an audit trail for when devices are added or removed
>> from the system.
>>
>> The audit subsystem is a logging subsystem in kernel space that can be
>> used to create advanced filters on generated events. It has partnered userspace
>> utilities ausearch, auditd, aureport, auditctl which work exclusively on audit
>> records.
>>
>> These tools are able to set filters to "trigger" on specific in-kernel events
>> specified by privileged users. While the userspace tools can create audit
>> events these are not able to be handled intelligently (decoded,filtered or
>> ignored) as kernel generated audit events are.
>
> That is a goal that should be debated in general.

Yes.

And I think it would make this proposal appear a lot less fishy if it
included links and summaries of previous discussions on the subject. Is
there an assumption that people on this list remember every discussion
for weeks? Or the opposite maybe?

AFAICS, Greg has already asked the obvious questions and made the
obvious "do this in userspace using the existing uevents" proposal. I
did not see any followup to his last message, so I assumed this audit
thing would return to the drawing board with a userspace implementation:
http://www.spinics.net/lists/linux-usb/msg137671.html

It was quite suprising to instead see a USB specific kernel
implemenation duplicating exisiting device add/remove functionality.
Why? The provided reason makes absolutely no sense at all. Userspace
tools are as intelligent as you make them. And "decoded,filtered or
ignored" implies policy, which IMHO has no place in the kernel in any
case.

>> I have this working at the moment with the USB subsystem (as an example).
>> Its been suggested that I use systemd-udev however this means that the audit
>> tools (ausearch) will not be able to index these records.
>
> Chaining this so tightly to the USB subsystem makes no sense.
> If you do this, then please hook into the generic layer, that
> is add_device(), and provide a method in the generic device structure
> for providing information to the audit subsystem.

I think the generic layer implementation is already there. The proposed
USB specific solution adds nothing, as pointed out by Greg the last time
this was discussed.

BjÃrn

Next message: Roger Quadros: "Re: [PATCH 1/2] usb: dwc3: core: Introduce dwc3_device_reinit()"
Previous message: Krzysztof Kozlowski: "[PATCH] ARM: exynos_defconfig: Enable Trats2 audio codec, touchscreen and sensors"
In reply to: Oliver Neukum: "Re: [RFC] Create an audit record of USB specific details"
Next in thread: Wade Mealing: "Re: [RFC] Create an audit record of USB specific details"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]