lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 4 Apr 2016 14:50:41 -0700
From:	Greg KH <gregkh@...uxfoundation.org>
To:	Paul Moore <paul@...l-moore.com>
Cc:	linux-audit@...hat.com, wmealing <wmealing@...hat.com>,
	linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: Re: [RFC] Create an audit record of USB specific details

On Mon, Apr 04, 2016 at 05:37:58PM -0400, Paul Moore wrote:
> On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > > From: Wade Mealing <wmealing@...hat.com>
> > > 
> > > Gday,
> > > 
> > > I'm looking to create an audit trail for when devices are added or removed
> > > from the system.
> > 
> > Then please do it in userspace, as I suggested before, that way you
> > catch all types of devices, not just USB ones.
> 
> Audit has some odd requirements placed on it by some of its users.  I think 
> most notable in this particular case is the need to take specific actions, 
> including panicking the system, when audit records can't be sent to userspace 
> and are "lost".  Granted, it's an odd requirement, definitely not the 
> norm/default configuration, but supporting weird stuff like this has allowed 
> Linux to be used on some pretty interesting systems that wouldn't have been 
> possible otherwise.  Looking quickly at some of the kobject/uvent code, it 
> doesn't appear that the uevent/netlink channel has this capability.

Are you sure you can loose netlink messages?  If you do, you know you
lost them, so isn't that good enough?

> It also just noticed that it looks like userspace can send fake uevent 
> messages;

That's how your machine boots properly :)

> I haven't looked at it closely enough yet, but that may be a concern 
> for users which restrict/subdivide root using a LSM ... although it is 
> possible that the LSM policy could help here.  I'm thinking aloud a bit right 
> now, but for SELinux the netlink controls aren't very granular and sysfs can 
> be tricky so I can't say for certain about blocking fake events from userspace 
> using LSMs/SELinux.

uevents are not tied into LSMs from what I can tell, so I don't
understand wht you are talking about here, sorry.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ