On 07/11/2013 20:15, Erik Fair wrote:
> There's an ancient daemon in pkgsrc: arpwatch - it keeps a database of seen MAC addresses on network interfaces, and reports (logs) new ones. Thus can a network administrator know when new devices are attached to his networks.
Assuming there is no device that "hides" the new plugged device from arpwatch. If you want acceptable device logging into a network, consider using 802.1x rather than arpwatch. Hosts are not good at monitoring link layer activities. Switches are better candidates for that.
> To the extent that various hot-plug devices have unique IDs (more than just device classifications, e.g. "mass storage", "HID", "audio"), there could be an authorized (or "seen this before and trust it") list, perhaps managed by a daemon. If a new device shows up and is not in the list, no I/O is permitted (well, maybe basic probe/ID) until authorized explicitly. Can also be "use once" or "trust forever" or ...
What you want is udev/devfs. Well, an improved version of it; I find udev to be really cumbersome to use for hotplug device policy (and not that well documented either, unless you appreciate Googling for answers).
But you assume that the IDs given by the device can be trusted -- USB gadgets can fake these easily. Same goes for serials...
Let's face it, "we" (by "we" I don't mean NetBSD but Unix in general) do not even have a standard for digital sigs in ELF. So I don't expect signatures for hardware devices to become widespread any time soon.
As for sandboxing untrusted devices from the system... rump + IOMMU combo?

-- 
Jean-Yves Migeon
The NetBSD Foundation
http://www.NetBSD.org
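The authorization daemon sketched above (deny I/O for unknown devices, "use once" vs. "trust forever" grants, log first sightings the way arpwatch logs new stations), as an added illustration that is not code from the thread's authors or from NetBSD. The identity tuple, the verdict names and the idea of binding a grant to the physical port (a hedge against the forged vendor/serial IDs mentioned in the reply) are assumptions of this example; a real daemon would take its events from the kernel and enforce the verdict by blocking I/O.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Identity as presented by the device: (class, vendor:product, serial).
# All of it is self-reported, so a gadget can forge it; the example therefore
# keys each grant on (identity, port) so a look-alike on another port is not
# trusted automatically (assumption of this example, not the thread's design).
DeviceId = Tuple[str, str, str]
GrantKey = Tuple[DeviceId, str]


@dataclass
class HotplugPolicy:
    grants: Dict[GrantKey, str] = field(default_factory=dict)  # value: "once" | "forever"
    seen: Set[DeviceId] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def authorize(self, dev: DeviceId, port: str, mode: str) -> None:
        """Explicit administrator decision for dev on port: 'once' or 'forever'."""
        if mode not in ("once", "forever"):
            raise ValueError(f"unknown grant mode {mode!r}")
        self.grants[(dev, port)] = mode

    def revoke(self, dev: DeviceId, port: str) -> None:
        """Drop a 'forever' (or unused 'once') grant."""
        self.grants.pop((dev, port), None)

    def on_attach(self, dev: DeviceId, port: str) -> str:
        """Verdict for an attach event.

        'allow'      -> full I/O permitted
        'probe-only' -> identify the device, but no I/O until authorized
        """
        if dev not in self.seen:                       # arpwatch-style first-sighting record
            self.seen.add(dev)
            self.log.append(f"new device {dev} on {port}")
        mode = self.grants.get((dev, port))
        if mode is None:
            return "probe-only"
        if mode == "once":                             # consumed by this session
            del self.grants[(dev, port)]
        return "allow"
```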