From: "Boyce, Kevin P. (AS)" <kevin.boyce@ngc.com>
To: Satish Chandra Kilaru <iam.kilaru@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: EXT :Re: CD Burner Auditing
Date: Tue, 22 Apr 2014 15:35:15 -0400 [thread overview]
Message-ID: <5356C473.2040601@ngc.com> (raw)
In-Reply-To: <CAAnai+XFQ+fW4J8ZhY4mXFcS_gVvj59PEHc3mYuFmRe116r8iA@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 1861 bytes --]
Hmm. That is an interesting thought, but I would think there is no
filesystem that would be able to be mounted until the user has written
something to the disc first. In other words I don't believe blank media
gets mounted as part of the burning process (at least not in my
experience anyways--maybe I'd need to turn some feature on for that?).
Kevin
On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
> One way is to watch for the main folder where /dev/sr0 is mounted.
> That way everything under that is watched.
> If an ISO is burned then we cannot know what is inside that ISO.
>
> An alternative is to watch access to known sensitive files on the
> machine (whose cd burner you want to watch). and known burning
> commands. That way you know who is accessing sensitive content. If the
> same login session generates events for these files and programs they
> might be burning sensitive files.
>
>
> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS)
> <kevin.boyce@ngc.com <mailto:kevin.boyce@ngc.com>> wrote:
>
> Does anyone know if it is possible to audit what filenames users
> are burning to optical media?
>
> I suppose I can put a watch on the /dev/sr0 device for write
> events, but this does not give me any idea what was written to the
> disc. I suppose I could also set an execve watch all burner
> programs, eg. /usr/bin/k3b /usr/bin/brasero /usr/bin/cdrecord
> /usr/bin/cdrdao /usr/bin/dvdrecord, to know if someone opened the
> burning interface; but how could I tell what it was they were writing?
>
> Any suggestions are welcome.
>
> Kevin
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
> --
> Please Donate to www.wikipedia.org <http://www.wikipedia.org>
[-- Attachment #1.2: Type: text/html, Size: 3443 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2014-04-22 19:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-22 19:14 CD Burner Auditing Boyce, Kevin P. (AS)
2014-04-22 19:32 ` Satish Chandra Kilaru
2014-04-22 19:35 ` Boyce, Kevin P. (AS) [this message]
2014-04-22 19:39 ` EXT :Re: " Satish Chandra Kilaru
2014-04-22 19:44 ` Boyce, Kevin P. (AS)
2014-04-22 19:55 ` Satish Chandra Kilaru
2014-04-22 20:06 ` Steve Grubb
2014-04-22 20:39 ` Steve Grubb
2014-04-22 22:00 ` Burn Alting
2014-04-22 22:11 ` Steve Grubb
2014-04-23 0:13 ` Josh
2014-04-22 20:02 ` Steve Grubb
2014-04-22 20:43 ` Steve Grubb
2014-04-22 21:52 ` Burn Alting
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5356C473.2040601@ngc.com \
--to=kevin.boyce@ngc.com \
--cc=iam.kilaru@gmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox