lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 04 Apr 2016 17:37:58 -0400
From:	Paul Moore <paul@...l-moore.com>
To:	linux-audit@...hat.com, Greg KH <gregkh@...uxfoundation.org>,
	wmealing <wmealing@...hat.com>
Cc:	linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details

On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > From: Wade Mealing <wmealing@...hat.com>
> > 
> > Gday,
> > 
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> 
> Then please do it in userspace, as I suggested before, that way you
> catch all types of devices, not just USB ones.

Audit has some odd requirements placed on it by some of its users.  I think 
most notable in this particular case is the need to take specific actions, 
including panicking the system, when audit records can't be sent to userspace 
and are "lost".  Granted, it's an odd requirement, definitely not the 
norm/default configuration, but supporting weird stuff like this has allowed 
Linux to be used on some pretty interesting systems that wouldn't have been 
possible otherwise.  Looking quickly at some of the kobject/uvent code, it 
doesn't appear that the uevent/netlink channel has this capability.

It also just noticed that it looks like userspace can send fake uevent 
messages; I haven't looked at it closely enough yet, but that may be a concern 
for users which restrict/subdivide root using a LSM ... although it is 
possible that the LSM policy could help here.  I'm thinking aloud a bit right 
now, but for SELinux the netlink controls aren't very granular and sysfs can 
be tricky so I can't say for certain about blocking fake events from userspace 
using LSMs/SELinux.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ