RFE Device Auditing
Add new audit events for device addition and removal so that administrators can track removable-device usage as well as changes to the non-removable devices over time (e.g. for asset inventory).
The kernel registers devices being added and removed in device_add() and device_del() (drivers/base/core.c). Both call the bus notifier chain of the device's bus, so any subsystem that has registered a notifier_block on that chain is told about the new or departing device. The initial release/design hooked into that bus notifier chain at these two points:
```c
/* drivers/base/core.c, in device_add(): */
	if (dev->bus)
		blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
					     BUS_NOTIFY_ADD_DEVICE, dev);

/* drivers/base/core.c, in device_del(): */
	if (dev->bus)
		blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
					     BUS_NOTIFY_DEL_DEVICE, dev);
```
At the moment, some buses already have their own notification chain. USB is the prime example: usb_register_notify() lets a subsystem hook USB device add/remove events directly. Not all subsystems offer such a convenient function for injecting notifier hooks.
It is likely that we will need to hook both the generic device layer, in order to catch all device events, and some critical upper-layer buses such as USB, in order to capture bus-specific metadata. It is unclear at this point whether this will result in multiple audit records per event, or whether the generic and bus-specific data can be recorded in a single record.
- Build an out-of-tree kernel module for testing.
  - This was not possible because some symbols the hook needs (e.g. audit_log_untrustedstring) are not exported to out-of-tree modules.
  - This needs to be done in-tree, either as its own file or as part of each subsystem.
- Build this as part of the existing subsystems that use their own registration systems (such as USB's usb_register_notify()).
A USB device being plugged in generates an AUDIT_DEVICE record. The string fields come from the device and are logged as untrusted strings: a value made only of printable ASCII with no spaces or quotes is logged double-quoted, anything else is hex-encoded, which is why product= (it contains a space) appears as hex in the raw record while manufacturer= and serial= are quoted. ausearch -i decodes the hex back to text:
```
$ ausearch -ts today | grep AUDIT_DEVICE
type=AUDIT_DEVICE msg=audit(1458748898.855:1414): action=add manufacturer="SanDisk" product=53616E4469736B204372757A6572 serial="4861121412120504" major=189 minor=2 bus=usb
$ ausearch -ts today -i | grep AUDIT_DEVICE
type=AUDIT_DEVICE msg=audit(24/03/16 03:01:38.855:1414) : action=add manufacturer=SanDisk product=SanDisk Cruzer serial=4861121412120504 major=189 minor=2 bus=usb
```
- action: [add|remove] The action the kernel is taking on the device.
- manufacturer: A string provided by the device; omitted if blank, not provided or unknown.
- product: A string provided by the USB device; omitted if blank, not provided or unknown.
- serial: A string that may include any valid ASCII character; omitted if blank, not provided or unknown.
- major: The numeric major number of the device being added or removed.
- minor: The numeric minor number of the device being added or removed.
- bus: The bus the device is attached to (usb in the example above).
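As an added example, not code from this page or from the kernel, the following user-space C program models the two pieces discussed above in one place: a notifier_block registered on a bus notifier chain that fires on BUS_NOTIFY_ADD_DEVICE / BUS_NOTIFY_DEL_DEVICE, and the rendering of the AUDIT_DEVICE record body with the escaping rule the kernel's audit_log_untrustedstring() applies (double-quoted when the value is clean printable ASCII, upper-case hex without quotes when it holds a quote, whitespace or any byte outside 0x21..0x7e, omitted when blank). The notifier chain here copies only the shape of the kernel API, struct device_info is a hypothetical stand-in for the fields the hook would read from struct device / struct usb_device, and last_record stands in for the audit_log_*() calls; the sample device is constructed to match the record shown above.

```c
/* Added example, not code from this page or from the kernel: a user-space
 * model of the proposed AUDIT_DEVICE hook.  The notifier chain only mimics the
 * shape of notifier_block / blocking_notifier_call_chain(), and struct
 * device_info is a hypothetical stand-in for struct device / struct usb_device. */
#include <stdio.h>
#include <string.h>

#define BUS_NOTIFY_ADD_DEVICE 1UL
#define BUS_NOTIFY_DEL_DEVICE 2UL
#define NOTIFY_DONE 0
#define NOTIFY_OK   1
struct device_info {
	const char *bus, *manufacturer, *product, *serial; /* NULL or "" = omitted */
	unsigned int major, minor;
};
struct notifier_block {
	int (*notifier_call)(struct notifier_block *, unsigned long, void *);
	struct notifier_block *next;
};
void notifier_chain_register(struct notifier_block **head, struct notifier_block *nb)
{
	nb->next = *head;
	*head = nb;
}
int notifier_call_chain(struct notifier_block *head, unsigned long action, void *data)
{
	int ret = NOTIFY_DONE;
	for (; head; head = head->next)
		ret = head->notifier_call(head, action, data);
	return ret;
}
/* Same test as the kernel's audit_string_contains_control(). */
static int string_contains_control(const char *s)
{
	for (; *s; s++)
		if (*s == '"' || (unsigned char)*s < 0x21 || (unsigned char)*s > 0x7e)
			return 1;
	return 0;
}
/* Bounded append: len never runs past cap - 1 even when snprintf truncates. */
static size_t clamp(size_t len, size_t cap) { return len < cap ? len : cap - 1; }
#define PUT(out, cap, len, ...) \
	(len = clamp(len + (size_t)snprintf(out + len, cap - len, __VA_ARGS__), cap))

/* " key=value" as audit_log_untrustedstring() renders it: double-quoted when
 * clean, upper-case hex without quotes when the value holds a quote, whitespace
 * or a byte outside 0x21..0x7e.  Blank or missing values are omitted entirely. */
static size_t append_untrusted(char *out, size_t cap, size_t len, const char *key, const char *val)
{
	if (!val || !*val)
		return len;
	PUT(out, cap, len, " %s=", key);
	if (!string_contains_control(val))
		PUT(out, cap, len, "\"%s\"", val);
	else
		for (; *val; val++)
			PUT(out, cap, len, "%02X", (unsigned char)*val);
	return len;
}
/* Record body, i.e. everything after "msg=audit(...): " in the raw line. */
size_t format_device_record(const struct device_info *d, unsigned long action, char *out, size_t cap)
{
	size_t len = 0;
	out[0] = '\0';
	PUT(out, cap, len, "action=%s", action == BUS_NOTIFY_ADD_DEVICE ? "add" : "remove");
	len = append_untrusted(out, cap, len, "manufacturer", d->manufacturer);
	len = append_untrusted(out, cap, len, "product", d->product);
	len = append_untrusted(out, cap, len, "serial", d->serial);
	PUT(out, cap, len, " major=%u minor=%u bus=%s", d->major, d->minor, d->bus);
	return len;
}

/* The hook: one notifier_block that reacts to add/remove and ignores the rest. */
static char last_record[512];	/* stands in for audit_log_*() emitting the record */
static int audit_device_notify(struct notifier_block *nb, unsigned long action, void *data)
{
	(void)nb;
	if (action != BUS_NOTIFY_ADD_DEVICE && action != BUS_NOTIFY_DEL_DEVICE)
		return NOTIFY_DONE;
	format_device_record(data, action, last_record, sizeof last_record);
	return NOTIFY_OK;
}
static struct notifier_block audit_device_nb = { audit_device_notify, NULL };
const char *audit_last_record(void) { return last_record; }

int main(void)
{
	/* Constructed input: the device from the record on this page. */
	struct device_info cruzer = { "usb", "SanDisk", "SanDisk Cruzer", "4861121412120504", 189, 2 };
	struct notifier_block *usb_bus_notifier = NULL;

	notifier_chain_register(&usb_bus_notifier, &audit_device_nb);
	notifier_call_chain(usb_bus_notifier, BUS_NOTIFY_ADD_DEVICE, &cruzer);
	printf("type=AUDIT_DEVICE %s\n", audit_last_record());
	notifier_call_chain(usb_bus_notifier, BUS_NOTIFY_DEL_DEVICE, &cruzer);
	printf("type=AUDIT_DEVICE %s\n", audit_last_record());
	return 0;
}
```

Running it prints the add and remove record bodies for the constructed device; product= comes out as 53616E4469736B204372757A6572 because of its embedded space, exactly as in the raw ausearch output above, while manufacturer= and serial= stay quoted. The callback checks the action first because a real bus notifier chain also delivers driver bind/unbind events that this record is not meant to cover, and the bounded PUT() append matters because the strings are device-supplied and of arbitrary length.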
Patch has been submitted to the upstream linux-usb and audit mailing lists.
Patch comments:
- Make it suitable for generic devices.
- Fine if it is "just for being eyeballed" by admins.
- Set up a sysctl/kernel parameter for those who want to disable it at runtime.

Next steps:
- Hook into the generic bus add/del notifier, iterating through the kobj bus list.
- Create a table for other device types that can hook into the same exported fields.
- Create a sysctl to enable this at runtime/boot time.