EXT :Re: CD Burner Auditing
Boyce, Kevin P. (AS)
kevin.boyce at ngc.com
Tue Apr 22 19:35:15 UTC 2014
Hmm. That is an interesting thought, but I would think there is no
filesystem that would be able to be mounted until the user has written
something to the disc first. In other words I don't believe blank media
gets mounted as part of the burning process (at least not in my
experience anyways--maybe I'd need to turn some feature on for that?).
Kevin
On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
> One way is to watch for the main folder where /dev/sr0 is mounted.
> That way everything under that is watched.
> If an ISO is burned then we cannot know what is inside that ISO.
>
> An alternative is to watch access to known sensitive files on the
> machine (whose CD burner you want to watch) and known burning
> commands. That way you know who is accessing sensitive content. If the
> same login session generates events for these files and programs they
> might be burning sensitive files.
>
>
> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS)
> <kevin.boyce at ngc.com> wrote:
>
> Does anyone know if it is possible to audit what filenames users
> are burning to optical media?
>
> I suppose I can put a watch on the /dev/sr0 device for write
> events, but this does not give me any idea what was written to the
> disc. I suppose I could also set an execve watch on all burner
> programs, e.g. /usr/bin/k3b /usr/bin/brasero /usr/bin/cdrecord
> /usr/bin/cdrdao /usr/bin/dvdrecord, to know if someone opened the
> burning interface; but how could I tell what it was they were writing?
>
> Any suggestions are welcome.
>
> Kevin
>
> --
> Please Donate to www.wikipedia.org
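
The session correlation suggested in the quoted reply (same login session touching both watched files and burner programs) can be sketched as follows; this is an added example, not code from the thread or from the audit project. It assumes watch rules with the hypothetical keys `sensitive-read` and `burner-exec` on a hypothetical `/srv/sensitive` directory, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Assumed audit rules behind these records (key names and the sensitive
# directory are hypothetical; one -p x watch per burner binary):
#   -w /srv/sensitive -p r -k sensitive-read
#   -w /usr/bin/cdrecord -p x -k burner-exec
SENSITIVE_KEY = "sensitive-read"
BURNER_KEY = "burner-exec"
UNSET = "4294967295"  # auid/ses value for processes with no login session

# Constructed SYSCALL records, trimmed to the fields used below.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1398195000.101:410): syscall=2 success=yes auid=1001 ses=7 exe="/usr/bin/cp" key="sensitive-read"
type=SYSCALL msg=audit(1398195060.250:431): syscall=59 success=yes auid=1001 ses=7 exe="/usr/bin/cdrecord" key="burner-exec"
type=SYSCALL msg=audit(1398195100.000:440): syscall=59 success=yes auid=1002 ses=8 exe="/usr/bin/brasero" key="burner-exec"
type=SYSCALL msg=audit(1398195120.500:452): syscall=2 success=yes auid=1003 ses=9 exe="/usr/bin/less" key="sensitive-read"
type=SYSCALL msg=audit(1398195130.000:460): syscall=2 success=yes auid=4294967295 ses=4294967295 exe="/usr/sbin/backupd" key="sensitive-read"
type=SYSCALL msg=audit(1398195140.000:461): syscall=59 success=yes auid=4294967295 ses=4294967295 exe="/usr/bin/cdrecord" key="burner-exec"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def sessions_to_review(log_text):
    """Return {(auid, ses): {...}} for login sessions that produced both a
    sensitive-file read and a burner-program exec."""
    seen = defaultdict(lambda: {"read_by": set(), "burners": set()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("ses", UNSET) == UNSET:
            continue  # not a syscall record, or no login session to attribute
        entry = seen[(rec.get("auid"), rec["ses"])]
        if rec.get("key") == SENSITIVE_KEY:
            entry["read_by"].add(rec.get("exe", "?"))
        elif rec.get("key") == BURNER_KEY:
            entry["burners"].add(rec.get("exe", "?"))
    return {
        sess: {name: sorted(exes) for name, exes in entry.items()}
        for sess, entry in seen.items()
        if entry["read_by"] and entry["burners"]
    }
```

A flagged session only shows that both kinds of event occurred under one login; it does not show which files ended up on the disc.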