Hmm.  That is an interesting thought, but I would think there is no 
filesystem that would be able to be mounted until the user has written 
something to the disc first. In other words I don't believe blank media 
gets mounted as part of the burning process (at least not in my 
experience anyways--maybe I'd need to turn some feature on for that?).

Kevin

On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
> One way is to watch for the main folder where /dev/sr0 is mounted. 
> That way everything under that is watched.
> If an ISO is burned then we cannot know what is inside that ISO.
>
> An alternative is to watch access to known sensitive files on the 
> machine (whose cd burner you want to watch). and known burning 
> commands. That way you know who is accessing sensitive content. If the 
> same login session generates events for these files and programs they 
> might be burning sensitive files.
>
>
> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS) 
> <kevin.boyce@ngc.com <mailto:kevin.boyce@ngc.com>> wrote:
>
>     Does anyone know if it is possible to audit what filenames users
>     are burning to optical media?
>
>     I suppose I can put a watch on the /dev/sr0 device for write
>     events, but this does not give me any idea what was written to the
>     disc.  I suppose I could also set an execve watch all burner
>     programs, eg. /usr/bin/k3b /usr/bin/brasero /usr/bin/cdrecord
>     /usr/bin/cdrdao /usr/bin/dvdrecord,  to know if someone opened the
>     burning interface; but how could I tell what it was they were writing?
>
>     Any suggestions are welcome.
>
>     Kevin
>
>     --
>     Linux-audit mailing list
>     Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
>     https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
> -- 
> Please Donate to www.wikipedia.org <http://www.wikipedia.org>