EXT :Re: CD Burner Auditing

Burn Alting burn at swtf.dyndns.org
Tue Apr 22 22:00:47 UTC 2014


Steve,

The main challenge for this solution is the definition of all audit
events that imply removable media has been attached.  Juraj's example of
monitoring for mount system calls covers the edge case of copying
to/from mounted devices (given you also identify removable devices
mounted as opposed to, say, network mounts), but it would not cover the
edge case of, say, dd'ing to a raw unmounted device.

By the way, linking to
http://people.redhat.com/sgrubb/audit/reactive/reactive-audit-thesis.pdf
results in 

Forbidden

You don't have permission to
access /sgrubb/audit/reactive/reactive-audit-thesis.pdf on this server.

Rgds


On Tue, 2014-04-22 at 16:39 -0400, Steve Grubb wrote:
> On Tuesday, April 22, 2014 04:06:05 PM Steve Grubb wrote:
> > On Tuesday, April 22, 2014 03:44:45 PM Boyce, Kevin P. wrote:
> > > Does the audit subsystem have the ability to dynamically create new
> > > auditing rules using another event as the trigger?
> > 
> > There was a patch for a reactive plugin sent to the list a number of years
> > ago. The patch was too big and bounced, but I was cc'ed and have a copy. I
> > have not had the time to review it to see if its maintainable, supportable,
> > and exactly what I'd want. It's actually pretty well documented. I could
> > probably make it available off my people page since its too large for the
> > mail list.
> 
> http://people.redhat.com/sgrubb/audit/reactive/
> 
> I have not reviewed the patch. I don't know if it still compiles or needs 
> changes. I am very interested in the topic of being able to load more rules to 
> watch something closer when certain things occur. If you look at the pdf, one 
> of the use cases it assists in is auditing files on removable media.
> 
> I would like to hear feedback on this patch to see what others think.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
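
An added example, not code from this thread or from the audit project, of the two
event classes discussed above: mounts, split into block-device mounts versus
network or pseudo-filesystem mounts, and raw writes to an unmounted block device
node such as dd to /dev/sdb. It assumes the two auditctl rules quoted in the
docstring are loaded (the keys media_mount and raw_blockdev_write are chosen here),
that the mount event carries a PATH record for the source device node, and that
PATH records print the inode mode in octal so S_IFBLK can be tested. The log
records are constructed; serials, inodes and timestamps are invented.

```python
"""Classify audit events relating to removable media.

Assumed rules (auditctl syntax, add a matching arch=b32 pair on 32-bit hosts):

  -a always,exit -F arch=b64 -S mount -k media_mount
  -a always,exit -F arch=b64 -F dir=/dev -F filetype=block -F perm=w -k raw_blockdev_write
"""
import re
from collections import defaultdict

# Constructed sample audit.log records (not real captures):
#   serial 101: mount of a USB partition, PATH record for /dev/sdb1 plus the mount point
#   serial 102: NFS mount, no block device node among the PATH records
#   serial 103: dd opening the raw, unmounted /dev/sdb for writing (openat = 257 on x86_64)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1398204047.101:101): arch=c000003e syscall=165 success=yes exit=0 a0=7ffd1c4f2a30 a1=7ffd1c4f2a60 a2=7ffd1c4f2a90 a3=0 items=2 ppid=2140 pid=2151 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount" exe="/usr/bin/mount" key="media_mount"
type=PATH msg=audit(1398204047.101:101): item=0 name="/dev/sdb1" inode=12345 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:11 nametype=NORMAL
type=PATH msg=audit(1398204047.101:101): item=1 name="/media/usb" inode=131073 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1398204047.202:102): arch=c000003e syscall=165 success=yes exit=0 a0=7ffd1c4f2a30 a1=7ffd1c4f2a60 a2=7ffd1c4f2a90 a3=0 items=1 ppid=2140 pid=2160 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mount.nfs" exe="/usr/sbin/mount.nfs" key="media_mount"
type=PATH msg=audit(1398204047.202:102): item=0 name="/mnt/share" inode=131074 dev=08:02 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1398204047.303:103): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe9a6b3f40 a2=241 a3=1b6 items=1 ppid=2140 pid=2170 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="dd" exe="/usr/bin/dd" key="raw_blockdev_write"
type=PATH msg=audit(1398204047.303:103): item=0 name="/dev/sdb" inode=12344 dev=00:05 mode=060660 ouid=0 ogid=6 rdev=08:10 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
S_IFMT, S_IFBLK = 0o170000, 0o060000


def parse_records(log_text):
    """Group audit records by event serial; each event is a list of (type, fields)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {}
        for fm in FIELD_RE.finditer(m['body']):
            # group 3 is the inside of a quoted value, group 4 an unquoted token
            fields[fm.group(1)] = fm.group(3) if fm.group(3) is not None else fm.group(4)
        events[int(m['serial'])].append((m['type'], fields))
    return events


def is_block_device(path_fields):
    """PATH records print the inode mode in octal; S_IFBLK marks a block device node."""
    mode = path_fields.get('mode')
    return mode is not None and (int(mode, 8) & S_IFMT) == S_IFBLK


def classify_event(records):
    """Map one audit event to (kind, device node or None, comm), or None if irrelevant."""
    syscall = next((f for t, f in records if t == 'SYSCALL'), None)
    if syscall is None:
        return None
    block_nodes = [f['name'] for t, f in records if t == 'PATH' and is_block_device(f)]
    key = syscall.get('key')
    if key == 'raw_blockdev_write' and block_nodes:
        # the dd-to-unmounted-device case: a write-open of a block node, no mount involved
        return ('raw_write', block_nodes[0], syscall.get('comm'))
    if key == 'media_mount':
        if block_nodes:
            return ('block_mount', block_nodes[0], syscall.get('comm'))
        # no block node in the event: network, FUSE or pseudo filesystem
        return ('other_mount', None, syscall.get('comm'))
    return None


def removable_media_events(log_text):
    """Return [(serial, kind, device, comm)] for every event that may touch removable media."""
    out = []
    for serial, records in sorted(parse_records(log_text).items()):
        c = classify_event(records)
        if c is not None:
            out.append((serial,) + c)
    return out


if __name__ == '__main__':
    for ev in removable_media_events(SAMPLE_LOG):
        print(ev)
```

Two caveats for use on a real host. A block_mount only says the source was a
block device node; whether it is removable still has to be decided from the
rdev major:minor, for example by checking /sys/block/<dev>/removable, because an
internal SATA disk and a USB stick both show up as major 8. And the
raw_blockdev_write rule uses perm=w, so it catches dd writing an image onto a
device but not dd reading one off it; widening it to perm=rw catches that at
the cost of logging every udev and blkid probe of /dev/sd*.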