lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2074584.b2h7oKljRp@x2>
Date:	Tue, 05 Apr 2016 15:38:34 -0400
From:	Steve Grubb <sgrubb@...hat.com>
To:	linux-audit@...hat.com
Cc:	Oliver Neukum <oneukum@...e.com>,
	Wade Mealing <wmealing@...hat.com>,
	linux-usb <linux-usb@...r.kernel.org>,
	linux-kernel@...r.kernel.org, bjorn@...k.no
Subject: Re: [RFC] Create an audit record of USB specific details

On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote:
> On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote:
> > Consider the following scenario.  Currently we have device drivers
> > that emit text via a printk request which is eventually picked up by
> > syslog like implementation (not the audit subsystem).
> 
> We also have UEVENTs. The crucial question is why udevd feeding
> back events to the audit subsystem is inferior to the kernel
> itself generating audit events.

If this was going to be done in user space, then we are talking about auditd 
growing the ability to monitor another netlink socket for events. The question 
that decides if this is feasible is whether or not UEVENTS are protected from 
loss if several occur in a short time before auditd can get around to reading 
them.

The other issue that I'm curious about is if adding hardware can fail. Do the 
events coming out by UEVENTS have any sense of pass or fail? Or are they all 
implicitly successful?

And then we get to the issue of whether or not UEVENTS can be filtered. If so, 
then we will also need to add auditing around the configuration of the filters 
to see if anything is impacting the audit trail.

-Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ