On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> I'm looking to create an audit trail for when devices are added or removed
> from the system.
>
> The audit subsystem is a logging subsystem in kernel space that can be
> used to create advanced filters on generated events. It has partnered
> userspace utilities ausearch, auditd, aureport, auditctl which work
> exclusively on audit records.
>
> These tools are able to set filters to "trigger" on specific in-kernel
> events specified by privileged users. While the userspace tools can create
> audit events these are not able to be handled intelligently
> (decoded, filtered or ignored) as kernel generated audit events are.
>
> I have this working at the moment with the USB subsystem (as an example).
> It's been suggested that I use systemd-udev however this means that the audit
> tools (ausearch) will not be able to index these records.
>
> Here is an example of picking out the AUDIT_DEVICE record type for example.
> > # ausearch -l -i -ts today -m AUDIT_DEVICE
> > ----
> > type=AUDIT_DEVICE msg=audit(31/03/16 16:37:15.642:2) : action=add
> > manufacturer=Linux 4.4.0-ktest ehci_hcd product=EHCI Host Controller
> > serial=0000:00:06.7 major=189 minor=0 bus="usb"
About this event's format... we can't have any spaces in the value side of the
name=value fields unless it's encoded as an untrusted string. You can replace
spaces with an underscore or dash for readability. So, manufacturer and
product would need this treatment.

-Steve
> Admittedly this is only the USB device type at the moment, but I'd like to
> break this out into other bus types at some time in the future, gotta start
> somewhere.
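Steve's encoding rule, as an added illustration that is not code from the thread or from the kernel: a Python model of the untrusted-string treatment as the kernel's audit_log_untrustedstring() helper applies it (clean printable ASCII is double-quoted, anything containing a space, a double quote or a non-printable byte is emitted as uppercase hex), next to a whitespace tokeniser that shows what an unencoded space does to the record. The field values are the ones from the quoted AUDIT_DEVICE record; the function names are assumptions of mine.

```python
import re

# Constructed sample values, taken from the AUDIT_DEVICE record quoted in the thread.
SAMPLE_FIELDS = {"action": b"add", "manufacturer": b"Linux 4.4.0-ktest ehci_hcd",
                 "product": b"EHCI Host Controller", "major": b"189", "bus": b"usb"}
# Values that originate from the device rather than the kernel, so are untrusted.
UNTRUSTED = {"manufacturer", "product"}

def needs_hex_encoding(value: bytes) -> bool:
    """True if the kernel helper would not log the bytes verbatim: a double
    quote, anything below 0x21 (so any space) or anything above 0x7e."""
    return any(c == 0x22 or c < 0x21 or c > 0x7E for c in value)

def encode_untrusted(value: bytes) -> str:
    """Render a value as audit_log_untrustedstring() does: double-quoted when it
    is clean printable ASCII, otherwise as uppercase hex with no quotes."""
    if needs_hex_encoding(value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'

def decode_untrusted(token: str) -> bytes:
    """Undo encode_untrusted(), as ausearch -i does for untrusted-string fields.
    A bare token is passed through; it is only unambiguous if it had no spaces."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode("ascii")
    if re.fullmatch(r"(?:[0-9A-F]{2})+", token):
        return bytes.fromhex(token)
    return token.encode("ascii")

def to_plain_field(value: str) -> str:
    """Steve's other option: keep the value plain by swapping spaces for underscores."""
    return value.replace(" ", "_")

def format_device_record(fields: dict) -> str:
    """Emit name=value pairs, encoding only the untrusted ones."""
    return " ".join(f"{n}={encode_untrusted(v) if n in UNTRUSTED else v.decode('ascii')}"
                    for n, v in fields.items())

def parse_record(line: str) -> dict:
    """Tokenise on whitespace as the audit tools do. Tokens with no '=' are the
    debris an unencoded space leaves behind; keep them under '_stray'."""
    fields, stray = {}, []
    for tok in line.split():
        name, sep, val = tok.partition("=")
        if not sep:
            stray.append(tok)
        else:
            fields[name] = decode_untrusted(val) if name in UNTRUSTED else val.encode("ascii")
    return {**fields, "_stray": stray} if stray else fields
```

Feeding the quoted record's raw values through parse_record() without encoding splits "Linux 4.4.0-ktest ehci_hcd" into a one-word manufacturer plus stray tokens; the encoded form round-trips intact.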