* Monitoring data transfer from/to removable media to aid Data Loss Prevention (aka Endpoint DLP)
@ 2013-01-10 12:12 Burn Alting
0 siblings, 0 replies; only message in thread
From: Burn Alting @ 2013-01-10 12:12 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 642 bytes --]
All,
Has anyone done any research within the kernel to identify audit events
(ie syscalls) operating on files residing on removable media?
If say, we kept an in-core list of devices currently associated with
removable media, we could then extend the filetype auditd rule field to
include
a value for 'file on removable media'. With this we could monitor all
file opens/reads/writes etc on removable media and hence together
with udev could provide reasonable support for improving one's security
posture against Endpoint DLP.
Happy to do the research but would appreciate pointers if people have
gone down this path already.
Regards
Burn
[-- Attachment #1.2: Type: text/html, Size: 920 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-01-10 12:11 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-10 12:12 Monitoring data transfer from/to removable media to aid Data Loss Prevention (aka Endpoint DLP) Burn Alting
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox