From: Burn Alting
Subject: Monitoring data transfer from/to removable media to aid Data Loss Prevention (aka Endpoint DLP)
Date: Thu, 10 Jan 2013 23:12:19 +1100
Message-ID: <1357819939.19259.19.camel@swtf>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

All,

Has anyone done any research within the kernel to identify audit events (i.e. syscalls) operating on files residing on removable media?

If, say, we kept an in-core list of devices currently associated with removable media, we could then extend the filetype auditd rule field to include a value for 'file on removable media'. With this we could monitor all file opens/reads/writes etc. on removable media and hence, together with udev, could provide reasonable support for improving one's security posture against Endpoint DLP.

Happy to do the research but would appreciate pointers if people have gone down this path already.

Regards
Burn
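As an added example (not code from the post, the poster, or the audit project), the following script approximates in userspace the "file on removable media" classification the post proposes doing in the kernel: it derives removable mount points from /proc/mounts plus the sysfs `removable` flag, emits auditctl watch rules for them, and classifies audit PATH records by mount-point prefix. Every input below (the mounts table, the removable-disk set, the PATH records) is a constructed sample; the device-naming rules in `parent_disk` are a simplifying assumption.

```python
"""Userspace approximation of an auditd 'file on removable media' filetype
(added example; all inputs are constructed samples, not live system data)."""
import os
import re
import shlex
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample of /proc/mounts (normally open("/proc/mounts").read()).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/burn/USBSTICK vfat rw,nosuid,nodev 0 0
/dev/sr0 /media/burn/DVD iso9660 ro 0 0
tmpfs /run tmpfs rw,nosuid 0 0
/dev/sdc2 /mnt/backup\\040disk ext4 rw 0 0
"""

# Constructed sample of disks that sysfs/udev report as removable
# (normally those with /sys/block/<disk>/removable == "1").
SAMPLE_REMOVABLE_DISKS: Set[str] = {"sdb", "sr0", "sdc"}


def decode_proc_escapes(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as octal \\NNN."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, str]:
    """Return {mount_point: source_device} from /proc/mounts-format text."""
    mounts: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            mounts[decode_proc_escapes(parts[1])] = parts[0]
    return mounts


def parent_disk(device: str) -> str:
    """Map a partition node (/dev/sdb1, /dev/nvme0n1p2) to its disk name.
    Assumption: simplified rules for sd/vd/hd, nvme and mmcblk names; other
    nodes (sr0, loop0) are already whole-disk names and are returned as-is."""
    name = os.path.basename(device)
    m = re.match(r"^((?:sd|vd|hd)[a-z]+)\d*$", name)
    if m:
        return m.group(1)
    m = re.match(r"^(nvme\d+n\d+|mmcblk\d+)(?:p\d+)?$", name)
    return m.group(1) if m else name


def removable_mount_points(mounts: Dict[str, str], removable: Set[str]) -> List[str]:
    """Mount points whose backing block device sits on a removable disk."""
    return sorted(mnt for mnt, dev in mounts.items()
                  if dev.startswith("/dev/") and parent_disk(dev) in removable)


def audit_rules(mount_points: Iterable[str], key: str = "removable_media") -> List[str]:
    """One auditctl watch per mount point: read/write/attribute access, tagged by key."""
    return [f"-w {shlex.quote(m)} -p rwa -k {key}" for m in mount_points]


def on_removable_media(path: str, mount_points: Iterable[str]) -> bool:
    """True if path is a removable mount point or lies below one.
    Separator-aware, so /media/x does not match /media/xy/file."""
    path = os.path.normpath(path)
    for mnt in mount_points:
        mnt = os.path.normpath(mnt)
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            return True
    return False


def audit_path_name(record: str) -> Optional[str]:
    """Extract name= from a PATH record; auditd hex-encodes names containing
    spaces or non-printables instead of quoting them."""
    m = re.search(r'\bname=(?:"([^"]*)"|([0-9A-Fa-f]+))', record)
    if not m:
        return None
    if m.group(1) is not None:
        return m.group(1)
    return bytes.fromhex(m.group(2)).decode("utf-8", "replace")


# Constructed PATH records (timestamps, inodes and dev numbers are made up);
# the third carries the hex encoding auditd uses for a name with a space.
SAMPLE_AUDIT_LINES = [
    'type=PATH msg=audit(1357819939.123:501): item=0 name="/media/burn/USBSTICK/report.docx" inode=12 dev=08:11 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1357819939.456:502): item=0 name="/home/burn/notes.txt" inode=99 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1357819939.789:503): item=0 name='
    + "/mnt/backup disk/archive.tar".encode().hex().upper()
    + ' inode=7 dev=08:22 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
]


def flag_removable_paths(records: Iterable[str], mount_points: Iterable[str]) -> List[str]:
    """Names from PATH records that resolve onto removable media."""
    mps = list(mount_points)
    hits: List[str] = []
    for rec in records:
        name = audit_path_name(rec)
        if name is not None and on_removable_media(name, mps):
            hits.append(name)
    return hits


if __name__ == "__main__":
    mps = removable_mount_points(parse_mounts(SAMPLE_MOUNTS), SAMPLE_REMOVABLE_DISKS)
    print("\n".join(audit_rules(mps)))
    print(flag_removable_paths(SAMPLE_AUDIT_LINES, mps))
```

The limitations of this userspace version are exactly what motivate the in-kernel filetype in the post: the watch rules have to be reloaded whenever udev reports a removable device being mounted or unmounted, and prefix matching on the recorded name says nothing about bind mounts or a file opened through a different path. Correlating the `dev=` major:minor field of the PATH record against the removable device set is the closer userspace analogue of an in-core device list.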