EXT :Re: CD Burner Auditing

Satish Chandra Kilaru iam.kilaru at gmail.com
Tue Apr 22 19:39:14 UTC 2014


Even if there is a file system it may not be mounted on a known folder.
But monitoring access of sensitive content and execution of burning
programs can provide clues.
You can use audit dispatcher to react to audit events.... When you get a
MOUNT event you can see where sr0 is mounted and start a new watch for that
path. If you are not writing an ISO I think it has to be mounted.

On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) <kevin.boyce at ngc.com>
wrote:

>  Hmm.  That is an interesting thought, but I would think there is no
> filesystem that would be able to be mounted until the user has written
> something to the disc first.  In other words I don't believe blank media
> gets mounted as part of the burning process (at least not in my experience
> anyways--maybe I'd need to turn some feature on for that?).
>
> Kevin
>
> On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
>
> One way is to watch for the main folder where /dev/sr0 is mounted. That
> way everything under that is watched.
> If an ISO is burned then we cannot know what is inside that ISO.
>
>  An alternative is to watch access to known sensitive files on the
> machine (whose CD burner you want to watch) and known burning commands.
> That way you know who is accessing sensitive content. If the same login
> session generates events for these files and programs they might be burning
> sensitive files.
>
>
> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS) <kevin.boyce at ngc.com>
> wrote:
>
>> Does anyone know if it is possible to audit what filenames users are
>> burning to optical media?
>>
>> I suppose I can put a watch on the /dev/sr0 device for write events, but
>> this does not give me any idea what was written to the disc.  I suppose I
>> could also set an execve watch on all burner programs, e.g. /usr/bin/k3b
>> /usr/bin/brasero /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord, to
>> know if someone opened the burning interface; but how could I tell what it
>> was they were writing?
>>
>> Any suggestions are welcome.
>>
>> Kevin
>>
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
>>
>
>
>
>  --
> Please Donate to www.wikipedia.org
>
>
>

-- 
Please Donate to www.wikipedia.org
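The approach sketched in this thread (correlate sensitive-file reads with burner execution per login session, and on a mount of sr0 work out the mount point so a new watch can be started) can be prototyped as a small script fed by the audit dispatcher. The example below is added here and is not code from the list or from the audit project; the audit records, the rule keys `sensitive`, `burner` and `mount`, the paths and the assumption that a mount(2) event carries PATH records for both the device and the target directory are all constructed for illustration.

```python
"""Added example: correlate Linux audit records that hint at sensitive files
being burned to optical media, and derive where /dev/sr0 was mounted.
Not code from the linux-audit list; all records and paths are constructed."""
import re
import sys
from collections import defaultdict

# Constructed audit records, as auditd would log them under an assumed rule set:
#   -w /srv/secret -p r -k sensitive
#   -w /usr/bin/cdrecord -p x -k burner
#   -a always,exit -F arch=b64 -S mount -k mount
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1398195000.101:41): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 ses=7 comm="cat" exe="/usr/bin/cat" key="sensitive"
type=PATH msg=audit(1398195000.101:41): item=0 name="/srv/secret/plans.pdf" inode=1234 dev=08:01 mode=0100640 nametype=NORMAL
type=SYSCALL msg=audit(1398195000.202:42): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 ses=7 comm="cdrecord" exe="/usr/bin/cdrecord" key="burner"
type=EXECVE msg=audit(1398195000.202:42): argc=3 a0="cdrecord" a1="dev=/dev/sr0" a2="/tmp/plans.iso"
type=SYSCALL msg=audit(1398195000.303:43): arch=c000003e syscall=165 success=yes exit=0 auid=1001 uid=0 ses=9 comm="mount" exe="/usr/bin/mount" key="mount"
type=PATH msg=audit(1398195000.303:43): item=0 name="/media/cdrom" inode=5678 dev=08:01 mode=040755 nametype=NORMAL
type=PATH msg=audit(1398195000.303:43): item=1 name="/dev/sr0" inode=9012 dev=00:06 mode=060660 nametype=NORMAL
type=SYSCALL msg=audit(1398195000.404:44): arch=c000003e syscall=2 success=yes exit=3 auid=1001 uid=1001 ses=9 comm="less" exe="/usr/bin/less" key="sensitive"
type=PATH msg=audit(1398195000.404:44): item=0 name="/srv/secret/memo.txt" inode=1235 dev=08:01 mode=0100640 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "event": int(m.group(3))}
    for key, value in FIELD_RE.findall(line[m.end():]):
        rec[key] = value.strip('"')
    return rec


def group_events(lines):
    """Records sharing an audit serial number belong to one event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.rstrip("\n"))
        if rec:
            events[rec["event"]].append(rec)
    return events


def sessions_by_key(events):
    """Map audit rule key -> set of login sessions (ses=) that triggered it."""
    seen = defaultdict(set)
    for recs in events.values():
        for rec in recs:
            if rec["type"] == "SYSCALL" and "key" in rec and "ses" in rec:
                seen[rec["key"]].add(rec["ses"])
    return seen


def suspicious_sessions(events):
    """Sessions that both read a watched sensitive file and ran a burner."""
    by_key = sessions_by_key(events)
    return sorted(by_key["sensitive"] & by_key["burner"])


def sr0_mount_point(events, device="/dev/sr0"):
    """For a mount event that names the optical device, return the other PATH
    name, taken to be the target directory (assumed PATH layout for mount(2))."""
    for recs in events.values():
        if not any(r["type"] == "SYSCALL" and r.get("key") == "mount" for r in recs):
            continue
        names = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        if device in names:
            others = [n for n in names if n != device]
            if others:
                return others[0]
    return None


def watch_rule(path, key="cdburn"):
    """auditctl argv that would start watching the newly mounted disc for writes."""
    return ["auditctl", "-w", path, "-p", "wa", "-k", key]


if __name__ == "__main__":
    # Pass "-" to read records from stdin (e.g. from the audit dispatcher);
    # otherwise the constructed sample is used.
    source = sys.stdin if "-" in sys.argv[1:] else SAMPLE_LOG.splitlines()
    ev = group_events(source)
    print("sessions reading sensitive files and running a burner:", suspicious_sessions(ev))
    mp = sr0_mount_point(ev)
    if mp:
        print("sr0 mounted at", mp, "-> would run:", " ".join(watch_rule(mp)))
```

Run as-is it reports session 7 (read `/srv/secret/plans.pdf`, then ran cdrecord) and proposes a watch on `/media/cdrom`; session 9 only read a sensitive file and mounted the disc, so it is not flagged. Reading `/proc/self/mounts` for the device at the moment the mount event arrives is a more robust way to find the mount point than relying on the PATH record layout assumed above.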