Bug 1210949

Summary: RFE: audit device attach/detach events
Product: [Fedora] Fedora
Reporter: Paul Moore <pmoore>
Component: kernel
Assignee: Richard Guy Briggs <rbriggs>
Status: ASSIGNED
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: rawhide
CC: burn, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab, sgrubb, wmealing
Hardware: All
OS: Linux
URL: https://github.com/linux-audit/audit-kernel/issues/1
Doc Type: Bug Fix
Type: Bug
Bug Blocks: 967241    

Description Paul Moore 2015-04-11 11:52:57 UTC
This BZ is to track development of efforts to audit low-level device attach/detach events; I anticipate the effort to be sub-divided into the following tasks:

#1 Hook the device layer to trigger audit record generation for device attach and detach events

#2 Develop a kernel audit API for device drivers to log driver/device specific metadata

#3 Instrument the USB drivers to leverage the metadata logging API; other drivers can be instrumented as time permits

#4 Update the audit userspace as needed to support the new audit record types

Comment 2 Paul Moore 2016-03-02 16:25:54 UTC
This is being tracked upstream via the following GitHub issue and feature page:

 * https://github.com/linux-audit/audit-kernel/issues/1
 * https://github.com/linux-audit/audit-kernel/wiki/RFE-Device-Auditing