On Mon, Apr 04, 2016 at 05:37:01PM -0400, Steve Grubb wrote:
> On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> >
> > The audit subsystem is a logging subsystem in kernel space that can be
> > used to create advanced filters on generated events. It has partnered
> > userspace utilities ausearch, auditd, aureport, auditctl which work
> > exclusively on audit records.
> >
> > These tools are able to set filters to "trigger" on specific in-kernel
> > events specified by privileged users. While the userspace tools can create
> > audit events these are not able to be handled intelligently
> > (decoded, filtered or ignored) as kernel generated audit events are.
> >
> > I have this working at the moment with the USB subsystem (as an example).
> > It's been suggested that I use systemd-udev however this means that the audit
> > tools (ausearch) will not be able to index these records.
> >
> > Here is an example of picking out the AUDIT_DEVICE record type for example.
> >
> > > # ausearch -l -i -ts today -m AUDIT_DEVICE
> > > ----
> > > type=AUDIT_DEVICE msg=audit(31/03/16 16:37:15.642:2) : action=add
> > > manufacturer=Linux 4.4.0-ktest ehci_hcd product=EHCI Host Controller
> > > serial=0000:00:06.7 major=189 minor=0 bus="usb"
>
> About this event's format...we can't have any spaces in the value side of the
> name=value fields unless it's encoded as an untrusted string. You can replace
> spaces with an underscore or dash for readability. So, manufacturer and
> product would need this treatment.
What is the character encoding that audit messages can accept? Does it
match up with the character encoding that USB strings are in?
thanks,
greg k-h
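The "untrusted string" rule Steve refers to, and the character-encoding question Greg raises, both come down to how the kernel's audit code emits a value it does not control: if the bytes contain a double quote, anything below 0x21 (control characters and space) or anything above 0x7e (every non-ASCII byte, so every multi-byte UTF-8 sequence), the whole value is written as uppercase hex; otherwise it is written in double quotes. That is what keeps the record splittable on spaces and lets `ausearch -i` decode it. The Python below is an added illustration of that rule written for this thread; it is not code from the kernel, from audit-userspace or from any of the posters, and `format_record` / `parse_record` are hypothetical helper names rather than anything in those projects.

```python
"""Illustration of the audit "untrusted string" encoding rule (added example)."""

def audit_string_contains_control(value: bytes) -> bool:
    """Mirror of the kernel check: a double quote, a byte below 0x21
    (controls and space) or above 0x7e (non-ASCII) forces hex encoding."""
    return any(b == 0x22 or b < 0x21 or b > 0x7e for b in value)


def encode_untrusted(value: bytes) -> str:
    """Encode one value the way the kernel logs an untrusted string:
    uppercase hex when unsafe, otherwise wrapped in double quotes."""
    if audit_string_contains_control(value):
        return value.hex().upper()
    return '"' + value.decode("ascii") + '"'


def decode_untrusted(token: str) -> bytes:
    """Reverse of encode_untrusted, as ausearch -i does when interpreting."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode("ascii")
    return bytes.fromhex(token)


def format_record(fields: dict) -> str:
    """Build the value side of a name=value record (hypothetical helper).
    Every value goes through encode_untrusted, so the result never contains a
    space inside a value and can be split on spaces by tooling."""
    return " ".join(f"{name}={encode_untrusted(value)}" for name, value in fields.items())


def parse_record(record: str) -> dict:
    """Split a record on spaces and decode each value (hypothetical helper).
    Splitting on spaces is only safe because of the encoding rule above."""
    parsed = {}
    for token in record.split(" "):
        name, _, value = token.partition("=")
        parsed[name] = decode_untrusted(value)
    return parsed


# Constructed sample values, modelled on the device strings in the thread.
SAMPLE_FIELDS = {
    "manufacturer": b"Linux 4.4.0-ktest ehci_hcd",   # contains spaces -> hex
    "product": b"EHCI Host Controller",              # contains spaces -> hex
    "serial": b"0000:00:06.7",                       # safe ASCII -> quoted
    "vendor": "Z\u00fcrich Devices".encode("utf-8"), # non-ASCII UTF-8 -> hex
    "bus": b"usb",                                   # safe ASCII -> quoted
}


def round_trip(fields: dict) -> bool:
    """True when every value survives encode -> record -> parse unchanged."""
    return parse_record(format_record(fields)) == fields


if __name__ == "__main__":
    print(format_record(SAMPLE_FIELDS))
    print("round trip ok:", round_trip(SAMPLE_FIELDS))
```

The consequence for USB descriptors is that the audit record never carries the device's own character encoding: any byte outside printable ASCII is hex-encoded as-is, so a UTF-8 (or arbitrary binary) string from a device can neither break the field layout nor smuggle in a fake `name=value` pair, and the reader recovers the original bytes when interpreting the record.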