EXT :Re: CD Burner Auditing
Satish Chandra Kilaru
iam.kilaru at gmail.com
Tue Apr 22 19:55:18 UTC 2014
[root at express april12th]# cat /etc/audisp/plugins.d/test.conf
# This file controls the configuration of the
# af_unix socket plugin. It simply takes events
# and writes them to a unix domain socket. This
# plugin can take 2 arguments, the path for the
# socket and the socket permissions in octal.
active = yes
direction = out
path = /root/python/auevent_parser.py <-- my script
#path = /tmp/log_date
type = always
args = /usr/local/cache1/testau.log
format = string
auevent_parser.py will launched by audispd when auditd starts. And all the
events that are sent to audit.log are also sent to this script on stdin.
You can read the events and filter out what u dont need. When u see any
kind access of /my/sensitive/content then insert a rule using 'auditctl
-a'
On Tue, Apr 22, 2014 at 3:44 PM, Boyce, Kevin P. (AS)
<kevin.boyce at ngc.com>wrote:
> Does the audit subsystem have the ability to dynamically create new
> auditing rules using another event as the trigger?
>
> Any examples on how to implement that?
>
> Kevin
>
> On 04/22/2014 03:39 PM, Satish Chandra Kilaru wrote:
>
> Even if there is a file system it may not be mounted on a known a folder.
> But monitoring access of sensitive content and execution of burning
> programs can provide clues.
> You can use audit dispatcher to react to audit events.... When u get a
> MOUNT event you can see where sr0 is mounted and start a new watch for that
> path. If you are not writing an ISO I think it has to be mounted.
>
> On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) <kevin.boyce at ngc.com>
> wrote:
>
>> Hmm. That is an interesting thought, but I would think there is no
>> filesystem that would be able to be mounted until the user has written
>> something to the disc first. In other words I don't believe blank media
>> gets mounted as part of the burning process (at least not in my experience
>> anyways--maybe I'd need to turn some feature on for that?).
>>
>> Kevin
>>
>> On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
>>
>> One way is to watch for the main folder where /dev/sr0 is mounted. That
>> way everything under that is watched.
>> If an ISO is burned then we cannot know what is inside that ISO.
>>
>> An alternative is to watch access to known sensitive files on the
>> machine (whose cd burner you want to watch). and known burning commands.
>> That way you know who is accessing sensitive content. If the same login
>> session generates events for these files and programs they might be burning
>> sensitive files.
>>
>>
>> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS) <
>> kevin.boyce at ngc.com> wrote:
>>
>>> Does anyone know if it is possible to audit what filenames users are
>>> burning to optical media?
>>>
>>> I suppose I can put a watch on the /dev/sr0 device for write events, but
>>> this does not give me any idea what was written to the disc. I suppose I
>>> could also set an execve watch all burner programs, eg. /usr/bin/k3b
>>> /usr/bin/brasero /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord, to
>>> know if someone opened the burning interface; but how could I tell what it
>>> was they were writing?
>>>
>>> Any suggestions are welcome.
>>>
>>> Kevin
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit at redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>>>
>>
>>
>>
>> --
>> Please Donate to www.wikipedia.org
>>
>>
>>
>
> --
> Please Donate to www.wikipedia.org
>
>
>
--
Please Donate to www.wikipedia.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140422/22b6a6c0/attachment.htm>
More information about the Linux-audit
mailing list