From: Steve Grubb
Subject: Re: EXT :Re: CD Burner Auditing
Date: Tue, 22 Apr 2014 16:43:58 -0400
To: linux-audit@redhat.com

On Tuesday, April 22, 2014 04:02:47 PM Steve Grubb wrote:
> > You can use audit dispatcher to react to audit events.... When you get a
> > MOUNT event you can see where sr0 is mounted and start a new watch for
> > that path. If you are not writing an ISO I think it has to be mounted.
>
> I think hooking the udev rules might be better. This would let you check
> for hot plug events where something is not yet mounted.

A long time ago during the RHEL5 LSPP certification, there was a project
created to help audit device allocation:

http://sourceforge.net/projects/devallocator/

There were 2 audit events created to assist in this. But if I recall, there
was a decision made to not support hot plug events. I forget why. The main
thing is that the code has the event in it formatted correctly. udev could be
patched to provide this event.

-Steve
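The dispatcher approach quoted at the top of this message, as an added example that is not code from the thread, the audit project or devallocator: when a successful mount(2) record arrives, look up where sr0 is mounted in /proc/mounts and build the auditctl watch for that path. The function names, the key name cdburn and the sample record and mount table are assumptions constructed for illustration; it covers only the mounted case, which is the gap the udev suggestion addresses.

```python
import re
import shlex

MOUNT_SYSCALL_X86_64 = "165"   # mount(2) syscall number on x86_64
ARCH_X86_64 = "c000003e"       # arch field value for x86_64 records

def is_mount_event(record):
    """True for a successful x86_64 mount(2) SYSCALL audit record."""
    if not record.startswith("type=SYSCALL "):
        return False
    fields = dict(tok.split("=", 1) for tok in record.split() if "=" in tok)
    return (fields.get("arch") == ARCH_X86_64
            and fields.get("syscall") == MOUNT_SYSCALL_X86_64
            and fields.get("success") == "yes")

def unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def mount_points(proc_mounts, device="/dev/sr0"):
    """Return every mount point of `device` found in /proc/mounts text."""
    points = []
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 2 and unescape(parts[0]) == device:
            points.append(unescape(parts[1]))
    return points

def watch_commands(record, proc_mounts, key="cdburn"):
    """auditctl commands to run after this record; empty if not a mount."""
    if not is_mount_event(record):
        return []
    # Quote the path: mount points under /media often contain spaces.
    return ["auditctl -w %s -p wa -k %s" % (shlex.quote(p), key)
            for p in mount_points(proc_mounts)]

# Constructed sample input (not captured from a real system).
SAMPLE_RECORD = ('type=SYSCALL msg=audit(1398199438.123:456): arch=c000003e '
                 'syscall=165 success=yes exit=0 items=1 pid=2100 uid=0 '
                 'comm="mount" exe="/bin/mount"')
SAMPLE_MOUNTS = ("/dev/sda1 / ext4 rw 0 0\n"
                 "/dev/sr0 /media/My\\040Disc udf rw 0 0\n")

if __name__ == "__main__":
    for cmd in watch_commands(SAMPLE_RECORD, SAMPLE_MOUNTS):
        print(cmd)
```

In a real dispatcher plugin the records would arrive on stdin and the mount table would be read from /proc/mounts at that moment.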