On Tue, 2016-04-05 at 14:42 +, Boyce, Kevin P (AS) wrote:
> Burn,
>
> > Hence my final comment below about well known devices and the desire to
> > monitor open/openat/etc for write system calls on 'deemed removable media'
> > ie one day we could set up
> auditctl -F arch=b64 -a always,exit -
O
>
> If you want a place in the kernel to add audit records for all devices
> added to or removed from the system, the right place to do it is in
> drivers/base/core.c, the device_add() and device_del() routines.
> That's where the ADD and REMOVE uevents are created.
>
> Alan Stern
I agree with y
On Tue, Apr 05, 2016 at 03:38:34PM -0400, Steve Grubb wrote:
> On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote:
> > On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote:
> > > Consider the following scenario. Currently we have device drivers
> > > that emit text via a printk request wh
On Tuesday, April 05, 2016 07:02:48 PM Oliver Neukum wrote:
> On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote:
> > Consider the following scenario. Currently we have device drivers
> > that emit text via a printk request which is eventually picked up by
> > syslog like implementation (not th
On Tue, 2016-04-05 at 18:40 +1000, Wade Mealing wrote:
> Consider the following scenario. Currently we have device drivers
> that emit text via a printk request which is eventually picked up by
> syslog like implementation (not the audit subsystem).
We also have UEVENTs. The crucial question is w
On Tue, Apr 05, 2016 at 01:52:40PM +, Boyce, Kevin P (AS) wrote:
> Greg,
>
> > There is no "/proc/usb/" :)
>
> Sorry, maybe /sys/bus/usb/devices was what I was looking for...
>
> > The kernel calls mknod itself on devtmpfs, userspace doesn't do that
> > anymore (hasn't for a long time). Do
On Mon, Apr 4, 2016 at 11:39 PM, Greg KH wrote:
> On Mon, Apr 04, 2016 at 10:54:56PM -0400, Paul Moore wrote:
>> On April 4, 2016 6:17:23 PM Greg KH wrote:
>> > On Mon, Apr 04, 2016 at 05:37:58PM -0400, Paul Moore wrote:
>> > > On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
>> > > > On Mon,
On Tue, 5 Apr 2016, Wade Mealing wrote:
> I'm reframing my use case as follows to try and better explain the
> situation I am trying to track.
>
> It might seem that I am duplicating existing functionality, rather I
> am trying to augment functionality that seems to be
> unavailable. Replication o
Burn,
> Hence my final comment below about well known devices and the desire to monitor
> open/openat/etc for write system calls on 'deemed removable media' ie one day
> we could set up
auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable -k RMopen
And even when you try to figure
:linux-audit-boun...@redhat.com]
> On Behalf Of Burn Alting
> Sent: Tuesday, April 05, 2016 10:08 AM
> To: Greg KH
> Cc: linux-kernel@vger.kernel.org; linux-...@vger.kernel.org;
> linux-au...@redhat.com
> Subject: EXT :Re: [RFC] Create an audit record of USB specific details
>
On Tue, 2016-04-05 at 09:44 -0400, Greg KH wrote:
> On Tue, Apr 05, 2016 at 11:07:48PM +1000, Burn Alting wrote:
> > On Mon, 2016-04-04 at 14:53 -0700, Greg KH wrote:
> > > On Mon, Apr 04, 2016 at 02:48:43PM -0700, Greg KH wrote:
> > > > On Mon, Apr 04, 2016 at 05:33:10PM -0400, Steve Grubb wrote:
linux-kernel@vger.kernel.org; linux-...@vger.kernel.org;
linux-au...@redhat.com
Subject: EXT :Re: [RFC] Create an audit record of USB specific details
On Tue, 2016-04-05 at 09:44 -0400, Greg KH wrote:
> On Tue, Apr 05, 2016 at 11:07:48PM +1000, Burn Alting wrote:
> > On Mon, 2016-04-04
Greg,
> There is no "/proc/usb/" :)
Sorry, maybe /sys/bus/usb/devices was what I was looking for...
> The kernel calls mknod itself on devtmpfs, userspace doesn't do that anymore
> (hasn't for a long time). Do you get those audit events today?
I'm not auditing those events myself. Just propo
On Tue, Apr 05, 2016 at 11:49:14AM +, Boyce, Kevin P (AS) wrote:
> Wade,
>
> Wouldn't this imply that every time the system is booted and the PCI
> bus for example is enumerated and all of the devices are created that
> all of those activities generate audit events?
> That sounds less than des
On Tue, Apr 05, 2016 at 11:07:48PM +1000, Burn Alting wrote:
> On Mon, 2016-04-04 at 14:53 -0700, Greg KH wrote:
> > On Mon, Apr 04, 2016 at 02:48:43PM -0700, Greg KH wrote:
> > > On Mon, Apr 04, 2016 at 05:33:10PM -0400, Steve Grubb wrote:
> > > > On Monday, April 04, 2016 05:56:26 AM Greg KH wrot
On Mon, 2016-04-04 at 14:53 -0700, Greg KH wrote:
> On Mon, Apr 04, 2016 at 02:48:43PM -0700, Greg KH wrote:
> > On Mon, Apr 04, 2016 at 05:33:10PM -0400, Steve Grubb wrote:
> > > On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > > > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
Message-
From: linux-audit-boun...@redhat.com [mailto:linux-audit-boun...@redhat.com] On
Behalf Of Wade Mealing
Sent: Tuesday, April 05, 2016 4:40 AM
To: Bjørn Mork
Cc: Oliver Neukum; linux-kernel@vger.kernel.org; linux-usb;
linux-au...@redhat.com
Subject: EXT :Re: [RFC] Create an audit record of USB spe
I'm reframing my use case as follows to try and better explain the
situation I am trying to track.
It might seem that I am duplicating existing functionality, rather I
am trying to augment functionality that seems to be
unavailable. Replication of existing functionality is not my intention.
Consid
On Mon, Apr 04, 2016 at 10:54:56PM -0400, Paul Moore wrote:
> On April 4, 2016 6:17:23 PM Greg KH wrote:
> > On Mon, Apr 04, 2016 at 05:37:58PM -0400, Paul Moore wrote:
> > > On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > > > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> >
On April 4, 2016 6:17:23 PM Greg KH wrote:
On Mon, Apr 04, 2016 at 05:37:58PM -0400, Paul Moore wrote:
On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > From: Wade Mealing
> >
> > Gday,
> >
> > I'm looking to create an audit tr
On Tue, Apr 05, 2016 at 11:54:07AM +1000, Wade Mealing wrote:
> That is a good question, maybe I've been lucky in the devices that I have
> been testing with. Most of them seem to be ascii, my assumption was that
> shouldn't be a problem. The same encoding function used by the path
> audit_log_
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
A: No.
Q: Should I include quotations after my reply?
http://daringfireball.net/2007/07/on_top
On Tue, Apr 05, 2016 at 11:5
That is a good question, maybe I've been lucky in the devices that I have
been testing with. Most of them seem to be ascii, my assumption was that
shouldn't be a problem. The same encoding function used by the path
audit_log_d_path, definitely audits UTF8 named files:
# ausearch -i -f /tmp/tes
On Mon, Apr 04, 2016 at 05:33:10PM -0400, Steve Grubb wrote:
> On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > > From: Wade Mealing
> > >
> > > Gday,
> > >
> > > I'm looking to create an audit trail for when devices are added
On Mon, Apr 04, 2016 at 02:48:43PM -0700, Greg KH wrote:
> On Mon, Apr 04, 2016 at 05:33:10PM -0400, Steve Grubb wrote:
> > On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > > > From: Wade Mealing
> > > >
> > > > Gday,
> > > >
On Mon, Apr 04, 2016 at 05:37:58PM -0400, Paul Moore wrote:
> On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> > On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > > From: Wade Mealing
> > >
> > > Gday,
> > >
> > > I'm looking to create an audit trail for when devices are added
On Mon, Apr 04, 2016 at 05:37:01PM -0400, Steve Grubb wrote:
> On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> >
> > The audit subsystem is a logging subsystem in kernel space that can be
>
On Mon, 2016-04-04 at 17:37 -0400, Steve Grubb wrote:
> On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> >
> > The audit subsystem is a logging subsystem in kernel space that can be
> > used
On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > From: Wade Mealing
> >
> > Gday,
> >
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
>
> Then please do it in userspace, as I
On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> I'm looking to create an audit trail for when devices are added or removed
> from the system.
>
> The audit subsystem is a logging subsystem in kernel space that can be
> used to create advanced filters on generated events. It has partnered
On Monday, April 04, 2016 05:56:26 AM Greg KH wrote:
> On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> > From: Wade Mealing
> >
> > Gday,
> >
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
>
> Then please do it in userspace, as I
On Mon, Apr 04, 2016 at 12:02:42AM -0400, wmealing wrote:
> From: Wade Mealing
>
> Gday,
>
> I'm looking to create an audit trail for when devices are added or removed
> from the system.
Then please do it in userspace, as I suggested before, that way you
catch all types of devices, not just USB
Oliver Neukum writes:
> On Mon, 2016-04-04 at 00:02 -0400, wmealing wrote:
>
>> I'm looking to create an audit trail for when devices are added or removed
>> from the system.
>>
>> The audit subsystem is a logging subsystem in kernel space that can be
>> used to create advanced filters on generat
On Mon, 2016-04-04 at 00:02 -0400, wmealing wrote:
> From: Wade Mealing
>
> Gday,
>
> I'm looking to create an audit trail for when devices are added or removed
> from the system.
>
> The audit subsystem is a logging subsystem in kernel space that can be
> used to create advanced filters on gen
From: Wade Mealing
Gday,
I'm looking to create an audit trail for when devices are added or removed
from the system.
The audit subsystem is a logging subsystem in kernel space that can be
used to create advanced filters on generated events. It has partnered userspace
utilities ausearch, auditd
35 matches