Re: EXT :Re: [RFC] Create an audit record of USB specific details
On Tue, Apr 05, 2016 at 01:52:40PM +0000, Boyce, Kevin P (AS) wrote:
Greg,
> There is no "/proc/usb/" :)
Sorry, maybe /sys/bus/usb/devices was what I was looking for...
> The kernel calls mknod itself on devtmpfs, userspace doesn't do that anymore
(hasn't for a long time). Do you get those audit events today?
I'm not auditing those events myself. Just proposing ideas that might
produce the sort of information Wade was looking for.
Ok, but watch out, lots of USB devices don't have a device node, they
get accessed directly by userspace applications, using the kernel as a
"raw" pass-through.
It's not an easy problem, good luck all!
greg k-h