| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160405134632.GC31313@kroah.com> Date: Tue, 5 Apr 2016 09:46:32 -0400 From: Greg KH <gregkh@...uxfoundation.org> To: "Boyce, Kevin P (AS)" <Kevin.Boyce@....com> Cc: Wade Mealing <wmealing@...hat.com>, Bjørn Mork <bjorn@...k.no>, Oliver Neukum <oneukum@...e.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, linux-usb <linux-usb@...r.kernel.org>, "linux-audit@...hat.com" <linux-audit@...hat.com> Subject: Re: EXT :Re: [RFC] Create an audit record of USB specific details On Tue, Apr 05, 2016 at 11:49:14AM +0000, Boyce, Kevin P (AS) wrote: > Wade, > > Wouldn't this imply that every time the system is booted and the PCI > bus for example is enumerated and all of the devices are created that > all of those activities generate audit events? > That sounds less than desiriable. Does this imply that the audit > subsystem should maintain a "baseline" of hardware that is always > present on the system? If you do, what happens when your PCI devices renumber themselves the next time you boot (hint, PCI numbering is not static.) > Couldn't you audit a directory under /proc/usb? There is no "/proc/usb/" :) > Correct me if I am wrong, but doesn't audititing of the syscall mknod > create an event when devices are "added" to the system? The kernel calls mknod itself on devtmpfs, userspace doesn't do that anymore (hasn't for a long time). Do you get those audit events today? thanks, greg k-h
Powered by blists - more mailing lists