Open pcmoore opened 8 years ago
Thanks for the "Functional Testing and Verification" section in the Feature Page, Paul. USB disks are good examples of removable devices to trigger new events. Are there any other examples? Does it even make sense to try something other than USB disks (from what I see, events are generated from a layer which is transparent to any removable device - iow testing USB disks should be sufficient IMHO)?
> Thanks for the "Functional Testing and Verification" section in the Feature Page, Paul. USB disks are good examples of removable devices to trigger new events. Are there any other examples?
USB devices in general are probably the easiest to test due to the hotplug nature of the bus. Besides USB storage devices, I think USB HID devices (e.g. keyboard, mouse, etc.) would be easy to test and a common case. UVC devices (e.g. webcams) would be another easy thing to test.
> Does it even make sense to try something other than USB disks (from what I see, events are generated from a layer which is transparent to any removable device - iow testing USB disks should be sufficient IMHO)?
USB is likely to be the most important, but you are correct, this should catch any device, regardless of the underlying bus.
@wmealing it has been a while since we spoke about this, but if I remember correctly you were planning on continuing work on this, any progress you can report?
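As an added example (not code from this issue, the Feature Page, or the audit project), here is a small userspace oracle for the functional test discussed above. The kernel already broadcasts bus-independent device-layer notifications (uevents) on NETLINK_KOBJECT_UEVENT whenever a device is added or removed, and the metadata the feature wants (vendor/product IDs, serial) is exposed in sysfs under the same DEVPATH. Capturing those while plugging and unplugging a USB disk, HID device or webcam gives a baseline to compare the new audit records against. The sample uevent payloads below are constructed, not captured; the hypothetical `monitor()` loop needs Linux and CAP_NET_ADMIN-free access to the uevent multicast group (group 1), which unprivileged users normally have.

```python
import os
import socket

NETLINK_KOBJECT_UEVENT = 15   # from <linux/netlink.h>; not exported by Python's socket module
UEVENT_KERNEL_GROUP = 1       # multicast group the kernel sends raw uevents to

# Constructed sample payloads shaped like kernel uevents (values are invented).
SAMPLE_USB_ADD = (
    b"add@/devices/pci0000:00/0000:00:14.0/usb1/1-2\0"
    b"ACTION=add\0"
    b"DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2\0"
    b"SUBSYSTEM=usb\0"
    b"DEVTYPE=usb_device\0"
    b"PRODUCT=781/5583/100\0"
    b"BUSNUM=001\0"
    b"DEVNUM=007\0"
    b"SEQNUM=4321\0"
)
SAMPLE_BLOCK_ADD = (
    b"add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb\0"
    b"ACTION=add\0"
    b"SUBSYSTEM=block\0"
    b"DEVTYPE=disk\0"
    b"SEQNUM=4322\0"
)


def parse_uevent(payload: bytes) -> dict:
    """Split a kernel uevent into fields.

    The first NUL-terminated segment is "<action>@<devpath>"; the rest are
    KEY=VALUE pairs. Messages starting with "libudev\\0" are udev's re-broadcast
    on group 2, not kernel messages, and are rejected.
    """
    if payload.startswith(b"libudev\0"):
        raise ValueError("udev-originated message, not a kernel uevent")
    parts = payload.split(b"\0")
    header = parts[0].decode(errors="replace")
    if "@" not in header:
        raise ValueError(f"malformed uevent header: {header!r}")
    action, devpath = header.split("@", 1)
    fields = {"ACTION": action, "DEVPATH": devpath}
    for part in parts[1:]:
        if part and b"=" in part:
            key, value = part.decode(errors="replace").split("=", 1)
            fields[key] = value
    return fields


def is_usb_device_event(fields: dict) -> bool:
    """True for attach/detach of a USB device itself (not its interfaces or children)."""
    return (fields.get("SUBSYSTEM") == "usb"
            and fields.get("DEVTYPE") == "usb_device"
            and fields.get("ACTION") in ("add", "remove"))


def vendor_product_from_uevent(fields: dict):
    """PRODUCT is "vid/pid/bcdDevice" in unpadded hex; return (vid, pid) or None."""
    product = fields.get("PRODUCT")
    if not product:
        return None
    hexparts = product.split("/")
    if len(hexparts) < 2:
        return None
    return int(hexparts[0], 16), int(hexparts[1], 16)


def read_sysfs_attrs(devpath: str, sysfs_root: str = "/sys") -> dict:
    """Collect the device metadata the feature wants to record, if still present.

    On "remove" the sysfs node is usually gone already, which is exactly why
    an in-kernel hook is wanted: userspace cannot recover the serial after the fact.
    """
    attrs = {}
    base = os.path.join(sysfs_root, devpath.lstrip("/"))
    for name in ("idVendor", "idProduct", "serial", "manufacturer", "product", "bcdDevice"):
        try:
            with open(os.path.join(base, name)) as fh:
                attrs[name] = fh.read().strip()
        except OSError:
            pass  # attribute absent (no serial) or device already detached
    return attrs


def monitor():
    """Hypothetical live loop: print one line per USB attach/detach (Linux only)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_KOBJECT_UEVENT)
    sock.bind((os.getpid(), UEVENT_KERNEL_GROUP))
    while True:
        fields = parse_uevent(sock.recv(16384))
        if is_usb_device_event(fields):
            print(fields["ACTION"], fields["DEVPATH"],
                  vendor_product_from_uevent(fields), read_sysfs_attrs(fields["DEVPATH"]))


if __name__ == "__main__":
    monitor()
```

Plugging in a USB disk produces a chain of uevents (usb_device, usb_interface, scsi host, block device); only the first is the attach event the feature is about, which is why the filter keys on `DEVTYPE=usb_device`. The same uevent path fires for PCI, SDIO or Thunderbolt devices with a different SUBSYSTEM, consistent with the point above that the hook catches any bus.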
Fedora rawhide issue tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1210949
Upstream threads:
https://www.redhat.com/archives/linux-audit/2012-September/msg00048.html 2012-09-21 Diaz, DavidA - Capturing USB insertions and removal events with auditd
https://www.redhat.com/archives/linux-audit/2013-January/msg00001.html 2013-01-10 Burn Alting - Monitoring data transfer from/to removable media to aid Data Loss Prevention (aka Endpoint DLP)
https://www.redhat.com/archives/linux-audit/2013-July/msg00049.html 2013-07-31 Josh - Auditing USB Question
https://www.redhat.com/archives/linux-audit/2014-April/msg00101.html 2014-04-22 Boyce, Kevin P. (AS) - CD Burner Auditing
https://www.spinics.net/lists/linux-usb/msg137663.html 2016-03-13 Wade Mealing - Extending usb to do device auditing
https://www.redhat.com/archives/linux-audit/2016-April/msg00003.html 2016-04-04 wmealing - [RFC] Create an audit record of USB specific details
https://www.redhat.com/archives/linux-audit/2020-January/msg00048.html 2020-01-21 Richard Guy Briggs - auditing removable media
Other resources:
Hook the audit system into the Linux Kernel's device layer to capture and record device attach and detach events, also hook significant upper layers to capture notable metadata about the device, e.g. serial #, device and vendor IDs, etc.