EXT :Re: CD Burner Auditing
Steve Grubb
sgrubb at redhat.com
Tue Apr 22 20:43:58 UTC 2014
On Tuesday, April 22, 2014 04:02:47 PM Steve Grubb wrote:
> > You can use audit dispatcher to react to audit events.... When u get a
> > MOUNT event you can see where sr0 is mounted and start a new watch for
> > that
> > path. If you are not writing an ISO I think it has to be mounted.
>
> I think hooking the udev rules might be better. This would let you check
> for hot plug events where something is not yet mounted.
A long time ago during the RHEL5 LSPP certification, there was a project
created to help audit device allocation:
http://sourceforge.net/projects/devallocator/
There were 2 audit events created to assist in this. But if I recall, there
was a decision made to not support hot plug events. I forget why. The main
thing is that the code has the event in it formatted correctly. udev could be
patched to provide this event.
-Steve
More information about the Linux-audit
mailing list