From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: EXT :Re: CD Burner Auditing
Date: Tue, 22 Apr 2014 18:11:31 -0400
Message-ID: <1441709.Q1RVjfmyXu@x2>
In-Reply-To: <1398204047.30383.17.camel@swtf.swtf.dyndns.org>
On Wednesday, April 23, 2014 08:00:47 AM Burn Alting wrote:
> Steve,
>
> The main challenge for this solution is the definition of all audit
> events that imply removable media has been attached.
These are all hotplug events. Udev should see them all.
> Juraj's example of monitoring for mount system calls covers the edge case of
> copying to/from mounted devices (given you also identify removable devices
> mounted as opposed to say network mounts), but it would not cover the
> edge case of say dd'ing to a raw unmounted device.
>
> By the way, linking to
> http://people.redhat.com/sgrubb/audit/reactive/reactive-audit-thesis.pdf
> results in
Fixed. Thanks.
-Steve
> On Tue, 2014-04-22 at 16:39 -0400, Steve Grubb wrote:
> > On Tuesday, April 22, 2014 04:06:05 PM Steve Grubb wrote:
> > > On Tuesday, April 22, 2014 03:44:45 PM Boyce, Kevin P. wrote:
> > > > Does the audit subsystem have the ability to dynamically create new
> > > > auditing rules using another event as the trigger?
> > >
> > > There was a patch for a reactive plugin sent to the list a number of
> > > years ago. The patch was too big and bounced, but I was cc'ed and have a
> > > copy. I have not had the time to review it to see if it's maintainable,
> > > supportable, and exactly what I'd want. It's actually pretty well
> > > documented. I could probably make it available off my people page since
> > > it's too large for the mail list.
> >
> > http://people.redhat.com/sgrubb/audit/reactive/
> >
> > I have not reviewed the patch. I don't know if it still compiles or needs
> > changes. I am very interested in the topic of being able to load more
> > rules to watch something closer when certain things occur. If you look at
> > the pdf, one of the use cases it assists in is auditing files on
> > removable media.
> >
> > I would like to hear feedback on this patch to see what others think.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
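As an added illustration of the two points raised in this exchange (hotplug events are visible to udev, and a mount-syscall rule alone misses raw writes to an unmounted device), the script below is example code written for this page; it is not part of the thread, the reactive plugin patch, or the audit project. It assumes udev invokes it through a RUN+= rule (a hypothetical file /etc/udev/rules.d/90-audit-removable.rules, shown in the comments) and passes ACTION and DEVNAME in the environment; the key name removable_media and the script path are assumptions of this example. On "add" it installs an audit watch on the device node so that any open-for-write of the raw device (dd included) is recorded with that key; on "remove" it deletes the watch again. The mount/umount syscall rule that covers the mounted-copy case is static and belongs in audit.rules, so it is only noted in a comment.

```shell
#!/bin/sh
# Example (not from the thread): install audit rules for a removable block
# device when udev reports it, and drop them when it goes away.
#
# Assumed udev rule (hypothetical file /etc/udev/rules.d/90-audit-removable.rules):
#   ACTION=="add|remove", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
#     ATTR{removable}=="1", RUN+="/usr/local/sbin/audit-removable.sh"
#
# Static rule that belongs in /etc/audit/audit.rules (covers copying to/from a
# mounted device; it is not per-device, so it is not installed here):
#   -a always,exit -F arch=b64 -S mount,umount2 -k removable_media

KEY=removable_media            # assumed key name; search with: ausearch -k removable_media

# Print the auditctl arguments for one device node and udev action.
# "add" yields a watch (-w) for write opens on the node, which is what a raw
# dd to the unmounted device does; "remove" yields the matching delete (-W).
# Any other action, or a path outside /dev, prints nothing and returns 1.
rule_for_device() {
    action="$1"
    dev="$2"
    case "$dev" in
        /dev/*) ;;
        *) echo "audit-removable: refusing non-/dev path: $dev" >&2; return 1 ;;
    esac
    case "$action" in
        add)    printf '%s\n' "-w $dev -p w -k $KEY" ;;
        remove) printf '%s\n' "-W $dev -p w -k $KEY" ;;
        *)      return 1 ;;
    esac
}

# Apply the rule with auditctl. Only runs when auditctl is present and we are
# root, so the script is harmless when exercised by hand on a workstation.
apply_rule() {
    rule=$(rule_for_device "$1" "$2") || return 1
    if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        # shellcheck disable=SC2086  # word splitting is intended: args contain no spaces
        auditctl $rule
    else
        echo "audit-removable: would run: auditctl $rule" >&2
    fi
}

# udev entry point: ACTION and DEVNAME are exported to RUN+= programs.
if [ -n "${ACTION:-}" ] && [ -n "${DEVNAME:-}" ]; then
    apply_rule "$ACTION" "$DEVNAME"
fi
```

Once the watch is in place, `ausearch -k removable_media` returns the SYSCALL/PATH records for each process that opened the raw device for writing, including the auid of the logged-in user, which is the piece of evidence the original question about CD burner auditing was after.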