Even if there is a file system it may not be mounted on a known a folder. <div>But monitoring access of sensitive content and execution of burning programs can provide clues.</div><div>You can use audit dispatcher to react to audit events.... When u get a MOUNT event you can see where sr0 is mounted and start a new watch for that path. If you are not writing an ISO I think it has to be mounted.<span></span><br>
<br>On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) <<a href="mailto:kevin.boyce@ngc.com">kevin.boyce@ngc.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hmm. That is an interesting thought,
but I would think there is no filesystem that would be able to be
mounted until the user has written something to the disc first.
In other words I don't believe blank media gets mounted as part of
the burning process (at least not in my experience anyways--maybe
I'd need to turn some feature on for that?). <br>
<br>
Kevin<br>
<br>
On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">One way is to watch for the main folder where
/dev/sr0 is mounted. That way everything under that is watched.
<div>If an ISO is burned then we cannot know what is inside that
ISO.</div>
<div><br>
</div>
<div>An alternative is to watch access to known sensitive files
on the machine (whose cd burner you want to watch). and known
burning commands. That way you know who is accessing sensitive
content. If the same login session generates events for these
files and programs they might be burning sensitive files.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Apr 22, 2014 at 3:14 PM, Boyce,
Kevin P. (AS) <span dir="ltr"><<a href="javascript:_e(%7B%7D,'cvml','kevin.boyce@ngc.com');" target="_blank">kevin.boyce@ngc.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Does
anyone know if it is possible to audit what filenames users
are burning to optical media?<br>
<br>
I suppose I can put a watch on the /dev/sr0 device for write
events, but this does not give me any idea what was written
to the disc. I suppose I could also set an execve watch all
burner programs, eg. /usr/bin/k3b /usr/bin/brasero
/usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord, to
know if someone opened the burning interface; but how could
I tell what it was they were writing?<br>
<br>
Any suggestions are welcome.<br>
<br>
Kevin<br>
<br>
--<br>
Linux-audit mailing list<br>
<a href="javascript:_e(%7B%7D,'cvml','Linux-audit@redhat.com');" target="_blank">Linux-audit@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Please Donate to <a href="http://www.wikipedia.org" target="_blank">www.wikipedia.org</a>
</div>
</blockquote>
<br>
</div>
</blockquote></div><br><br>-- <br>Please Donate to <a href="http://www.wikipedia.org">www.wikipedia.org</a><br>