<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Does the audit subsystem have the
ability to dynamically create new auditing rules using another
event as the trigger?<br>
<br>
Any examples on how to implement that?<br>
<br>
Kevin <br>
<br>
On 04/22/2014 03:39 PM, Satish Chandra Kilaru wrote:<br>
</div>
<blockquote
cite="mid:CAAnai+VKhuRJrP6gddJqn+HW8FgXiuqcO4VQeKip1JN=79Ew=Q@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Even if there is a file system it may not be mounted on a known a
folder.
<div>But monitoring access of sensitive content and
execution of burning programs can provide clues.</div>
<div>You can use audit dispatcher to react to audit events....
When u get a MOUNT event you can see where sr0 is mounted and
start a new watch for that path. If you are not writing an ISO I
think it has to be mounted.<span></span><br>
<br>
On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) <<a
moz-do-not-send="true" href="mailto:kevin.boyce@ngc.com">kevin.boyce@ngc.com</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hmm. That is an interesting thought, but I would think
there is no filesystem that would be able to be mounted
until the user has written something to the disc first.
In other words I don't believe blank media gets mounted as
part of the burning process (at least not in my experience
anyways--maybe I'd need to turn some feature on for
that?). <br>
<br>
Kevin<br>
<br>
On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">One way is to watch for the main folder
where /dev/sr0 is mounted. That way everything under
that is watched.
<div>If an ISO is burned then we cannot know what is
inside that ISO.</div>
<div><br>
</div>
<div>An alternative is to watch access to known
sensitive files on the machine (whose cd burner you
want to watch). and known burning commands. That way
you know who is accessing sensitive content. If the
same login session generates events for these files
and programs they might be burning sensitive files.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Apr 22, 2014 at 3:14
PM, Boyce, Kevin P. (AS) <span dir="ltr"><<a
moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','kevin.boyce@ngc.com');"
target="_blank">kevin.boyce@ngc.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Does
anyone know if it is possible to audit what
filenames users are burning to optical media?<br>
<br>
I suppose I can put a watch on the /dev/sr0 device
for write events, but this does not give me any idea
what was written to the disc. I suppose I could
also set an execve watch all burner programs, eg.
/usr/bin/k3b /usr/bin/brasero /usr/bin/cdrecord
/usr/bin/cdrdao /usr/bin/dvdrecord, to know if
someone opened the burning interface; but how could
I tell what it was they were writing?<br>
<br>
Any suggestions are welcome.<br>
<br>
Kevin<br>
<br>
--<br>
Linux-audit mailing list<br>
<a moz-do-not-send="true"
href="javascript:_e(%7B%7D,'cvml','Linux-audit@redhat.com');"
target="_blank">Linux-audit@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/linux-audit"
target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Please Donate to <a moz-do-not-send="true"
href="http://www.wikipedia.org" target="_blank">www.wikipedia.org</a>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
<br>
-- <br>
Please Donate to <a moz-do-not-send="true"
href="http://www.wikipedia.org">www.wikipedia.org</a><br>
</blockquote>
<br>
</body>
</html>