Monitoring data transfer from/to removable media to aid Data Loss Prevention (aka Endpoint DLP)
Burn Alting
burn at swtf.dyndns.org
Thu Jan 10 12:12:19 UTC 2013
All,
Has anyone done any research within the kernel to identify audit events
(ie syscalls) operating on files residing on removable media?
If say, we kept an in-core list of devices currently associated with
removable media, we could then extend the filetype auditd rule field to
include
a value for 'file on removable media'. With this we could monitor all
file opens/reads/writes etc on removable media and hence together
with udev could provide reasonable support for improving one's security
posture against Endpoint DLP.
Happy to do the research but would appreciate pointers if people have
gone down this path already.
Regards
Burn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20130110/9ffc82ee/attachment.htm>
More information about the Linux-audit
mailing list