From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Boyce, Kevin P. (AS)" <kevin.boyce@ngc.com>
Subject: Re: EXT :Re: CD Burner Auditing
Date: Tue, 22 Apr 2014 15:35:15 -0400
Message-ID: <5356C473.2040601@ngc.com>
References: <5356BF94.6050901@ngc.com>
	<CAAnai+XFQ+fW4J8ZhY4mXFcS_gVvj59PEHc3mYuFmRe116r8iA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3724700495337015213=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com
	[10.5.110.19])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id s3MJZwCD013663
	for <linux-audit@redhat.com>; Tue, 22 Apr 2014 15:35:58 -0400
Received: from xspv0103.northgrum.com (xspv0103.northgrum.com [134.223.120.78])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s3MJZuID031825
	for <linux-audit@redhat.com>; Tue, 22 Apr 2014 15:35:57 -0400
In-Reply-To: <CAAnai+XFQ+fW4J8ZhY4mXFcS_gVvj59PEHc3mYuFmRe116r8iA@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Satish Chandra Kilaru <iam.kilaru@gmail.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============3724700495337015213==
Content-Type: multipart/alternative;
	boundary="------------040202010908000906090602"

--------------040202010908000906090602
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit

Hmm.  That is an interesting thought, but I would think there is no 
filesystem that would be able to be mounted until the user has written 
something to the disc first. In other words I don't believe blank media 
gets mounted as part of the burning process (at least not in my 
experience anyways--maybe I'd need to turn some feature on for that?).

Kevin

On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
> One way is to watch for the main folder where /dev/sr0 is mounted. 
> That way everything under that is watched.
> If an ISO is burned then we cannot know what is inside that ISO.
>
> An alternative is to watch access to known sensitive files on the 
> machine (whose cd burner you want to watch). and known burning 
> commands. That way you know who is accessing sensitive content. If the 
> same login session generates events for these files and programs they 
> might be burning sensitive files.
>
>
> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS) 
> <kevin.boyce@ngc.com <mailto:kevin.boyce@ngc.com>> wrote:
>
>     Does anyone know if it is possible to audit what filenames users
>     are burning to optical media?
>
>     I suppose I can put a watch on the /dev/sr0 device for write
>     events, but this does not give me any idea what was written to the
>     disc.  I suppose I could also set an execve watch all burner
>     programs, eg. /usr/bin/k3b /usr/bin/brasero /usr/bin/cdrecord
>     /usr/bin/cdrdao /usr/bin/dvdrecord,  to know if someone opened the
>     burning interface; but how could I tell what it was they were writing?
>
>     Any suggestions are welcome.
>
>     Kevin
>
>     --
>     Linux-audit mailing list
>     Linux-audit@redhat.com <mailto:Linux-audit@redhat.com>
>     https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
> -- 
> Please Donate to www.wikipedia.org <http://www.wikipedia.org>


--------------040202010908000906090602
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by mx5-phx2.redhat.com id s3MJa001023374

<html>
  <head>
    <meta content=3D"text/html; charset=3DUTF-8" http-equiv=3D"Content-Ty=
pe">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">Hmm.=C2=A0 That is an interesting thou=
ght,
      but I would think there is no filesystem that would be able to be
      mounted until the user has written something to the disc first.=C2=A0
      In other words I don't believe blank media gets mounted as part of
      the burning process (at least not in my experience anyways--maybe
      I'd need to turn some feature on for that?). <br>
      <br>
      Kevin<br>
      <br>
      On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:<br>
    </div>
    <blockquote
cite=3D"mid:CAAnai+XFQ+fW4J8ZhY4mXFcS_gVvj59PEHc3mYuFmRe116r8iA@mail.gmai=
l.com"
      type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DU=
TF-8">
      <div dir=3D"ltr">One way is to watch for the main folder where
        /dev/sr0 is mounted. That way everything under that is watched.
        <div>If an ISO is burned then we cannot know what is inside that
          ISO.</div>
        <div><br>
        </div>
        <div>An alternative is to watch access to known sensitive files
          on the machine (whose cd burner you want to watch). and known
          burning commands. That way you know who is accessing sensitive
          content. If the same login session generates events for these
          files and programs they might be burning sensitive files.</div>
      </div>
      <div class=3D"gmail_extra"><br>
        <br>
        <div class=3D"gmail_quote">On Tue, Apr 22, 2014 at 3:14 PM, Boyce=
,
          Kevin P. (AS) <span dir=3D"ltr">&lt;<a moz-do-not-send=3D"true"
              href=3D"mailto:kevin.boyce@ngc.com" target=3D"_blank">kevin=
.boyce@ngc.com</a>&gt;</span>
          wrote:<br>
          <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Does
            anyone know if it is possible to audit what filenames users
            are burning to optical media?<br>
            <br>
            I suppose I can put a watch on the /dev/sr0 device for write
            events, but this does not give me any idea what was written
            to the disc. =C2=A0I suppose I could also set an execve watch=
 all
            burner programs, eg. /usr/bin/k3b /usr/bin/brasero
            /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord, =C2=A0t=
o
            know if someone opened the burning interface; but how could
            I tell what it was they were writing?<br>
            <br>
            Any suggestions are welcome.<br>
            <br>
            Kevin<br>
            <br>
            --<br>
            Linux-audit mailing list<br>
            <a moz-do-not-send=3D"true"
              href=3D"mailto:Linux-audit@redhat.com" target=3D"_blank">Li=
nux-audit@redhat.com</a><br>
            <a moz-do-not-send=3D"true"
              href=3D"https://www.redhat.com/mailman/listinfo/linux-audit=
"
              target=3D"_blank">https://www.redhat.com/mailman/listinfo/l=
inux-audit</a><br>
          </blockquote>
        </div>
        <br>
        <br clear=3D"all">
        <div><br>
        </div>
        -- <br>
        Please Donate to <a moz-do-not-send=3D"true"
          href=3D"http://www.wikipedia.org">www.wikipedia.org</a>
      </div>
    </blockquote>
    <br>
  </body>
</html>

--------------040202010908000906090602--


--===============3724700495337015213==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 7bit


--===============3724700495337015213==--