From: "Boyce, Kevin P. (AS)" <kevin.boyce@ngc.com>
To: Satish Chandra Kilaru <iam.kilaru@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: EXT :Re: CD Burner Auditing
Date: Tue, 22 Apr 2014 15:35:15 -0400 [thread overview]
Message-ID: <5356C473.2040601@ngc.com> (raw)
In-Reply-To: <CAAnai+XFQ+fW4J8ZhY4mXFcS_gVvj59PEHc3mYuFmRe116r8iA@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 1861 bytes --]
Hmm. That is an interesting thought, but I would think there is no
filesystem that would be able to be mounted until the user has written
something to the disc first. In other words I don't believe blank media
gets mounted as part of the burning process (at least not in my
experience anyways--maybe I'd need to turn some feature on for that?).
Kevin
On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
> One way is to watch for the main folder where /dev/sr0 is mounted.
> That way everything under that is watched.
> If an ISO is burned then we cannot know what is inside that ISO.
>
> An alternative is to watch access to known sensitive files on the
> machine (whose cd burner you want to watch). and known burning
> commands. That way you know who is accessing sensitive content. If the
> same login session generates events for these files and programs they
> might be burning sensitive files.
>
>
> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS)
> <kevin.boyce@ngc.com <mailto:kevin.boyce@ngc.com>> wrote:
>
> Does anyone know if it is possible to audit what filenames users
> are burning to optical media?
>
> I suppose I can put a watch on the /dev/sr0 device for write
> events, but this does not give me any idea what was written to the
> disc. I suppose I could also set an execve watch all burner
> programs, eg. /usr/bin/k3b /usr/bin/brasero /usr/bin/cdrecord
> /usr/bin/cdrdao /usr/bin/dvdrecord, to know if someone opened the
> burning interface; but how could I tell what it was they were writing?
>
> Any suggestions are welcome.
>
> Kevin
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
> --
> Please Donate to www.wikipedia.org <http://www.wikipedia.org>
[-- Attachment #1.2: Type: text/html, Size: 3443 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2014-04-22 19:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-22 19:14 CD Burner Auditing Boyce, Kevin P. (AS)
2014-04-22 19:32 ` Satish Chandra Kilaru
2014-04-22 19:35 ` Boyce, Kevin P. (AS) [this message]
2014-04-22 19:39 ` EXT :Re: " Satish Chandra Kilaru
2014-04-22 19:44 ` Boyce, Kevin P. (AS)
2014-04-22 19:55 ` Satish Chandra Kilaru
2014-04-22 20:06 ` Steve Grubb
2014-04-22 20:39 ` Steve Grubb
2014-04-22 22:00 ` Burn Alting
2014-04-22 22:11 ` Steve Grubb
2014-04-23 0:13 ` Josh
2014-04-22 20:02 ` Steve Grubb
2014-04-22 20:43 ` Steve Grubb
2014-04-22 21:52 ` Burn Alting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5356C473.2040601@ngc.com \
--to=kevin.boyce@ngc.com \
--cc=iam.kilaru@gmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.