From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Boyce, Kevin P. (AS)" <kevin.boyce@ngc.com>
Subject: CD Burner Auditing
Date: Tue, 22 Apr 2014 15:14:28 -0400
Message-ID: <5356BF94.6050901@ngc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com
	[10.5.110.18])
	by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id s3MJFLeK018050
	for <linux-audit@redhat.com>; Tue, 22 Apr 2014 15:15:21 -0400
Received: from xspv0103.northgrum.com (xspv0103.northgrum.com [134.223.120.78])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s3MJFI2F019415
	for <linux-audit@redhat.com>; Tue, 22 Apr 2014 15:15:19 -0400
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Does anyone know if it is possible to audit what filenames users are 
burning to optical media?

I suppose I can put a watch on the /dev/sr0 device for write events, but 
this does not give me any idea what was written to the disc.  I suppose 
I could also set an execve watch all burner programs, eg. /usr/bin/k3b 
/usr/bin/brasero /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord,  
to know if someone opened the burning interface; but how could I tell 
what it was they were writing?

Any suggestions are welcome.

Kevin