lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 04 Apr 2016 17:33:10 -0400
From:	Steve Grubb <sgrubb@...hat.com>
To:	linux-audit@...hat.com
Cc:	Greg KH <gregkh@...uxfoundation.org>,
	wmealing <wmealing@...hat.com>, linux-kernel@...r.kernel.org,
	linux-usb@...r.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details

On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > From: Wade Mealing <wmealing@...hat.com>
> > 
> > Gday,
> > 
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> 
> Then please do it in userspace, as I suggested before, that way you
> catch all types of devices, not just USB ones.
> 
> Also I don't think you realize that USB interfaces are what are bound to
> drivers, not USB devices, so that is going to mess with any attempted
> audit trails here.  How are you going to distinguish between the 5
> different devices that just got plugged in that all have 0000/0000 as
> vid/pid for them because they are "cheap" devices from China, yet do
> totally different things because they are different _types_ of devices?

This sounds like vid/pid should be captured in the event.

 
> Again, do this in userspace please, that is where it belongs.

There is one issue that may need some clarification. The audit system has to do 
everything possible to make sure that an event is captured and logged. Does 
the uevent netlink protocol ever drop events because the user space queue is 
full? If the uevent interface drops events, then its not audit quality in 
terms of doing everything possible to prevent the loss of a record. If this 
were to happen, how would user space find out when a uevent gets dropped? I may 
have to panic the machine if that happens depending on the configured policy. 
So, we need to know when it happens. If on the otherhand it doesn't ever drop 
events, then it might be usable.

-Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ