On Tue, Apr 05, 2016 at 11:49:14AM +0000, Boyce, Kevin P (AS) wrote:
> Wade,
> Wouldn't this imply that every time the system is booted and the PCI
> bus for example is enumerated and all of the devices are created that
> all of those activities generate audit events?
> That sounds less than desirable. Does this imply that the audit
> subsystem should maintain a "baseline" of hardware that is always
> present on the system?
If you do, what happens when your PCI devices renumber themselves the
next time you boot (hint, PCI numbering is not static.)
> Couldn't you audit a directory under /proc/usb?
There is no "/proc/usb/" :)
> Correct me if I am wrong, but doesn't auditing of the syscall mknod
> create an event when devices are "added" to the system?
The kernel calls mknod itself on devtmpfs, userspace doesn't do that
anymore (hasn't for a long time). Do you get those audit events today?
thanks,
greg k-h
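One way to answer the "do you get those audit events today?" question is to add a syscall rule for mknod/mknodat and then look at what actually lands in audit.log. The script below is an added example, not code from this thread or from the audit project: it correlates SYSCALL and PATH records by their audit(ts:serial) stamp and reports only successful calls that created a char or block device node. The log lines are constructed to match the audit record format; the syscall numbers 133 and 259 are the x86_64 values (confirm on your box with `ausyscall x86_64 mknod mknodat`); the rule key "devnodes" and the file names are assumptions. On a devtmpfs system, nodes created by the kernel itself never pass through the syscall entry point, so they produce no SYSCALL record and will not show up here at all; only user-space callers of mknod(2)/mknodat(2) will.

```python
import re
from collections import defaultdict

# Rule that would produce SYSCALL/PATH records like the sample below (x86_64):
#   auditctl -a always,exit -F arch=b64 -S mknod,mknodat -k devnodes
# The kernel's own devtmpfs node creation bypasses the syscall path and is
# therefore invisible to this rule.

# Constructed sample audit.log lines (not a real capture). Three events:
# a root mknod of a char node, a user mkfifo (mknodat, not a device),
# and a denied mknod of a block node.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1459860554.123:4567): arch=c000003e syscall=133 success=yes exit=0 a0=7ffd1234 a1=2180 a2=10300 a3=0 items=2 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="mknod" exe="/usr/bin/mknod" key="devnodes"
type=CWD msg=audit(1459860554.123:4567): cwd="/root"
type=PATH msg=audit(1459860554.123:4567): item=0 name="/dev/" inode=1025 dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1459860554.123:4567): item=1 name="/dev/mychar" inode=12345 dev=00:06 mode=020600 ouid=0 ogid=0 rdev=01:03 nametype=CREATE
type=SYSCALL msg=audit(1459860560.456:4568): arch=c000003e syscall=259 success=yes exit=0 a0=ffffff9c a1=55aa a2=11a4 a3=0 items=2 ppid=1234 pid=5690 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="mkfifo" exe="/usr/bin/mkfifo" key="devnodes"
type=CWD msg=audit(1459860560.456:4568): cwd="/tmp"
type=PATH msg=audit(1459860560.456:4568): item=0 name="/tmp/" inode=2 dev=00:22 mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1459860560.456:4568): item=1 name="/tmp/pipe" inode=77 dev=00:22 mode=010644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1459860570.789:4569): arch=c000003e syscall=133 success=no exit=-13 a0=7ffd9999 a1=6180 a2=800 a3=0 items=1 ppid=1234 pid=5700 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="mknod" exe="/usr/bin/mknod" key="devnodes"
type=PATH msg=audit(1459860570.789:4569): item=0 name="/dev/" inode=1025 dev=00:06 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

MKNOD_SYSCALLS = {"133": "mknod", "259": "mknodat"}  # x86_64 numbers
ARCH_X86_64 = "c000003e"
S_IFMT, S_IFCHR, S_IFBLK = 0o170000, 0o020000, 0o060000


def parse_record(line):
    """Split one audit record into a dict of key=value fields plus the event serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {"_time": m.group(1), "_serial": int(m.group(2))}
    for key, value in FIELD_RE.findall(line):
        if key != "msg":
            fields[key] = value.strip('"')
    return fields


def group_events(text):
    """Join the SYSCALL record and its PATH records that share one audit(ts:serial) stamp."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec)
    return dict(events)


def _mknod_syscalls(text):
    """Yield (serial, syscall record, name) for mknod/mknodat events on x86_64."""
    for serial, ev in sorted(group_events(text).items()):
        sc = ev["syscall"]
        if sc and sc.get("arch") == ARCH_X86_64 and sc.get("syscall") in MKNOD_SYSCALLS:
            yield serial, ev, MKNOD_SYSCALLS[sc["syscall"]]


def device_node_creations(text):
    """Successful mknod/mknodat calls whose CREATE path is a char or block device."""
    found = []
    for serial, ev, name in _mknod_syscalls(text):
        sc = ev["syscall"]
        if sc.get("success") != "yes":
            continue
        for p in ev["paths"]:
            if p.get("nametype") != "CREATE":
                continue
            kind = {S_IFCHR: "char", S_IFBLK: "block"}.get(int(p["mode"], 8) & S_IFMT)
            if kind is None:
                continue  # FIFOs, sockets and regular files are not device nodes
            found.append({"serial": serial, "syscall": name, "comm": sc.get("comm"),
                          "exe": sc.get("exe"), "auid": sc.get("auid"),
                          "path": p.get("name"), "kind": kind, "rdev": p.get("rdev")})
    return found


def denied_mknod_attempts(text):
    """mknod/mknodat calls that failed; exit carries the negative errno."""
    return [{"serial": serial, "syscall": name, "comm": ev["syscall"].get("comm"),
             "auid": ev["syscall"].get("auid"), "exit": int(ev["syscall"].get("exit", "0"))}
            for serial, ev, name in _mknod_syscalls(text)
            if ev["syscall"].get("success") != "yes"]


if __name__ == "__main__":
    for c in device_node_creations(SAMPLE_LOG):
        print("created", c["kind"], c["path"], "rdev", c["rdev"], "by", c["exe"], "auid", c["auid"])
    for d in denied_mknod_attempts(SAMPLE_LOG):
        print("denied", d["syscall"], "by", d["comm"], "exit", d["exit"])
```

Run against a real audit.log after loading the rule and hot-plugging a device: if the new /dev node shows up in `ls -l /dev` but nothing appears in this output, the node was created by devtmpfs inside the kernel rather than by a user-space mknod, which is the point made above.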