
RFE Device Auditing

Wade Mealing edited this page May 11, 2016 · 25 revisions

Feature Description

Devices can be added to or removed from a running system, but the audit subsystem currently has no record of which device appeared or disappeared, nor of its identifying details. Later audit events involving that device therefore cannot be tied back to it.

Feature Design

The kernel learns of devices being added and removed in device_add() and device_del() (drivers/base/core.c), which announce the event to interested parties through the bus's notifier call chain.

The initial release / design hooked into the bus notifier chain in the relevant functions:

device_add()
   if (dev->bus)
            blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
                                         BUS_NOTIFY_ADD_DEVICE, dev);
device_del()
    if (dev->bus)
            blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
                                         BUS_NOTIFY_DEL_DEVICE, dev);

Some buses already have their own notification chain: USB is the prime example, offering usb_register_notify() to hook device add and remove events. Not every subsystem provides such a convenient registration function, so to cover every bus the code must iterate over all registered buses and register a notifier on each bus_notifier chain.

Development Tasks

  1. Build out of tree kernel module for testing.

    • This was not possible because some symbols the module needs, such as audit_log_untrustedstring(), are not exported to out-of-tree modules.
    • This therefore has to be done -in- tree, either as its own file or as part of each subsystem.
  2. Build this as part of the existing subsystems that have their own registration mechanisms (such as USB's usb_register_notify()).

Functional Testing and Verification

Plugging in a USB device generates an AUDIT_DEVICE record, with the device-supplied (untrusted) strings escaped by the kernel.

Example Audit Records

Raw record as logged (an untrusted string is quoted when it contains only printable ASCII with no space or double quote; otherwise it is hex-encoded and unquoted, which is why the product "SanDisk Cruzer" appears as hex):
$ ausearch -ts today |grep AUDIT_DEVICE
type=AUDIT_DEVICE msg=audit(1458748898.855:1414): action=add manufacturer="SanDisk" product=53616E4469736B204372757A6572 serial="4861121412120504" major=189 minor=2 bus=usb
Interpreted with ausearch -i (hex values decoded, timestamp rendered):
$ ausearch -ts today -i |grep AUDIT_DEVICE
type=AUDIT_DEVICE msg=audit(24/03/16 03:01:38.855:1414) : action=add manufacturer=SanDisk product=SanDisk Cruzer serial=4861121412120504 major=189 minor=2 bus=usb
Fields:
  • action: [add|remove] The action the kernel is taking on the device.
  • manufacturer: A string provided by the device; omitted if blank, not provided or unknown.
  • product: A string provided by the USB device; omitted if blank, not provided or unknown.
  • serial: A string provided by the device that may contain any valid ASCII character (hence the escaping above); omitted if blank, not provided or unknown.
  • major: The numeric major number of the device being added or removed.
  • minor: The numeric minor number of the device being added or removed.
  • bus: The bus the device is attached to (usb in the example above).
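As an added illustration of the escaping seen in the records above (this is example code written for this page, not code from the audit project or the submitted patch), the following user-space C program reimplements the rule the kernel applies when it logs an untrusted string: the value is logged in double quotes if every byte is printable ASCII other than space and the double quote, and otherwise as upper-case hex with no quotes. It also decodes the string fields of a raw record back to their interpreted form, which is what ausearch -i does. The sample record is the raw record shown above; the function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel rule for untrusted strings: a double quote or any byte outside
 * printable ASCII 0x21..0x7e (space included) forces hex encoding. */
static int needs_hex(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (ch == '"' || ch < 0x21 || ch > 0x7e)
            return 1;
    }
    return 0;
}

/* Encode a device-supplied string as it appears in the raw record:
 * "quoted", or upper-case hex without quotes. Returns a malloc'd string. */
char *audit_encode_untrusted(const char *s)
{
    size_t len = strlen(s);
    char *out = malloc(2 * len + 3); /* enough for either form */
    if (!out)
        return NULL;
    if (!needs_hex(s, len)) {
        sprintf(out, "\"%s\"", s);
        return out;
    }
    for (size_t i = 0; i < len; i++)
        sprintf(out + 2 * i, "%02X", (unsigned char)s[i]);
    return out;
}

/* Inverse, as ausearch -i does for the string fields (manufacturer, product,
 * serial): strip the quotes or decode the hex. Returns NULL for a malformed
 * value (odd hex length, non-hex digit). Not for plain tokens like bus=usb. */
char *audit_decode_value(const char *v)
{
    size_t len = strlen(v);
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    if (len >= 2 && v[0] == '"' && v[len - 1] == '"') {
        memcpy(out, v + 1, len - 2);
        out[len - 2] = '\0';
        return out;
    }
    for (size_t i = 0; i + 1 < len; i += 2) {
        if (!isxdigit((unsigned char)v[i]) || !isxdigit((unsigned char)v[i + 1]))
            goto bad;
        char pair[3] = { v[i], v[i + 1], '\0' };
        out[i / 2] = (char)strtoul(pair, NULL, 16);
    }
    if (len % 2 != 0)
        goto bad;
    out[len / 2] = '\0';
    return out;
bad:
    free(out);
    return NULL;
}

/* Find key=value in a raw record and return the decoded value (malloc'd), or
 * NULL if the key is absent or the value malformed. A logged value never
 * contains a space (the hex encoding guarantees that), so a space ends it. */
char *audit_record_field(const char *record, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = strstr(record, key); p; p = strstr(p + klen, key)) {
        if ((p != record && p[-1] != ' ') || p[klen] != '=')
            continue; /* matched inside another token, keep looking */
        const char *v = p + klen + 1;
        const char *end = strchr(v, ' ');
        size_t vlen = end ? (size_t)(end - v) : strlen(v);
        char *raw = malloc(vlen + 1);
        if (!raw)
            return NULL;
        memcpy(raw, v, vlen);
        raw[vlen] = '\0';
        char *dec = audit_decode_value(raw);
        free(raw);
        return dec;
    }
    return NULL;
}

/* Sample input: the raw record shown on this page. */
static const char *sample_record =
    "type=AUDIT_DEVICE msg=audit(1458748898.855:1414): action=add "
    "manufacturer=\"SanDisk\" product=53616E4469736B204372757A6572 "
    "serial=\"4861121412120504\" major=189 minor=2 bus=usb";

int main(void)
{
    const char *keys[] = { "manufacturer", "product", "serial" };
    for (size_t i = 0; i < 3; i++) {
        char *v = audit_record_field(sample_record, keys[i]);
        printf("%s=%s\n", keys[i], v ? v : "(missing or malformed)");
        free(v);
    }
    return 0;
}
```

The point of the hex form is that a device can present any bytes it likes in its descriptor strings, including spaces, quotes and newlines that would otherwise let it forge extra fields or records in the log; anything that parses these records should treat an unquoted, non-hex value in one of the string fields as malformed rather than guess.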
Current status:
  • Patch has been submitted to the upstream linux-usb and audit mailing lists.
  • Patch review comments:
    • Make it more generic (not USB only).
    • Fine if it is 'just for being eyeballed' by admins.
    • Provide a sysctl/kernel parameter for those who want to disable it at runtime.
Next steps:
  • Hook into the generic bus add/remove notifier by iterating through the kobj bus list.
  • Create a table for other device types that can hook into the same exported fields.
  • Create a sysctl to enable this at runtime/boot time.

Bugzilla and Issue Trackers

GH/audit-kernel #1

RHBZ #1210949