From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Boyce, Kevin P. (AS)" <kevin.boyce@ngc.com>
Subject: Re: EXT :Re: CD Burner Auditing
Date: Tue, 22 Apr 2014 15:44:45 -0400
Message-ID: <5356C6AD.6000000@ngc.com>
References: <5356BF94.6050901@ngc.com>	<CAAnai+XFQ+fW4J8ZhY4mXFcS_gVvj59PEHc3mYuFmRe116r8iA@mail.gmail.com>	<5356C473.2040601@ngc.com>
	<CAAnai+VKhuRJrP6gddJqn+HW8FgXiuqcO4VQeKip1JN=79Ew=Q@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7280747133916896851=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com
	[10.5.110.17])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id s3MJkFo5017237
	for <linux-audit@redhat.com>; Tue, 22 Apr 2014 15:46:15 -0400
Received: from xspv0103.northgrum.com (xspv0103.northgrum.com [134.223.120.78])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s3MJkD3d017748
	for <linux-audit@redhat.com>; Tue, 22 Apr 2014 15:46:14 -0400
In-Reply-To: <CAAnai+VKhuRJrP6gddJqn+HW8FgXiuqcO4VQeKip1JN=79Ew=Q@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Satish Chandra Kilaru <iam.kilaru@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

--===============7280747133916896851==
Content-Type: multipart/alternative;
	boundary="------------030800020305020208030202"

--------------030800020305020208030202
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit

Does the audit subsystem have the ability to dynamically create new 
auditing rules using another event as the trigger?

Any examples on how to implement that?

Kevin

On 04/22/2014 03:39 PM, Satish Chandra Kilaru wrote:
> Even if there is a file system it may not be mounted on a known a folder.
> But monitoring access of sensitive content and execution  of burning 
> programs can provide clues.
> You can use audit dispatcher to react to audit events.... When u get a 
> MOUNT event you can see where sr0 is mounted and start a new watch for 
> that path. If you are not writing an ISO I think it has to be mounted.
>
> On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) <kevin.boyce@ngc.com 
> <mailto:kevin.boyce@ngc.com>> wrote:
>
>     Hmm.  That is an interesting thought, but I would think there is
>     no filesystem that would be able to be mounted until the user has
>     written something to the disc first. In other words I don't
>     believe blank media gets mounted as part of the burning process
>     (at least not in my experience anyways--maybe I'd need to turn
>     some feature on for that?).
>
>     Kevin
>
>     On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
>>     One way is to watch for the main folder where /dev/sr0 is
>>     mounted. That way everything under that is watched.
>>     If an ISO is burned then we cannot know what is inside that ISO.
>>
>>     An alternative is to watch access to known sensitive files on the
>>     machine (whose cd burner you want to watch). and known burning
>>     commands. That way you know who is accessing sensitive content.
>>     If the same login session generates events for these files and
>>     programs they might be burning sensitive files.
>>
>>
>>     On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS)
>>     <kevin.boyce@ngc.com
>>     <javascript:_e(%7B%7D,'cvml','kevin.boyce@ngc.com');>> wrote:
>>
>>         Does anyone know if it is possible to audit what filenames
>>         users are burning to optical media?
>>
>>         I suppose I can put a watch on the /dev/sr0 device for write
>>         events, but this does not give me any idea what was written
>>         to the disc.  I suppose I could also set an execve watch all
>>         burner programs, eg. /usr/bin/k3b /usr/bin/brasero
>>         /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord,  to
>>         know if someone opened the burning interface; but how could I
>>         tell what it was they were writing?
>>
>>         Any suggestions are welcome.
>>
>>         Kevin
>>
>>         --
>>         Linux-audit mailing list
>>         Linux-audit@redhat.com
>>         <javascript:_e(%7B%7D,'cvml','Linux-audit@redhat.com');>
>>         https://www.redhat.com/mailman/listinfo/linux-audit
>>
>>
>>
>>
>>     -- 
>>     Please Donate to www.wikipedia.org <http://www.wikipedia.org>
>
>
>
> -- 
> Please Donate to www.wikipedia.org <http://www.wikipedia.org>


--------------030800020305020208030202
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by mx3-phx2.redhat.com id s3MJkH4X016508

<html>
  <head>
    <meta content=3D"text/html; charset=3DUTF-8" http-equiv=3D"Content-Ty=
pe">
  </head>
  <body bgcolor=3D"#FFFFFF" text=3D"#000000">
    <div class=3D"moz-cite-prefix">Does the audit subsystem have the
      ability to dynamically create new auditing rules using another
      event as the trigger?<br>
      <br>
      Any examples on how to implement that?<br>
      <br>
      Kevin <br>
      <br>
      On 04/22/2014 03:39 PM, Satish Chandra Kilaru wrote:<br>
    </div>
    <blockquote
cite=3D"mid:CAAnai+VKhuRJrP6gddJqn+HW8FgXiuqcO4VQeKip1JN=3D79Ew=3DQ@mail.=
gmail.com"
      type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DU=
TF-8">
      Even if there is a file system it may not be mounted on a known a
      folder.=C2=A0
      <div>But monitoring access of sensitive content and
        execution=C2=A0=C2=A0of=C2=A0burning programs can provide clues.<=
/div>
      <div>You can use audit dispatcher to react to audit events....
        When u get a MOUNT event you can see where sr0 is mounted and
        start a new watch for that path. If you are not writing an ISO I
        think it has to be mounted.<span></span><br>
        <br>
        On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) &lt;<a
          moz-do-not-send=3D"true" href=3D"mailto:kevin.boyce@ngc.com">ke=
vin.boyce@ngc.com</a>&gt;
        wrote:<br>
        <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor=3D"#FFFFFF" text=3D"#000000">
            <div>Hmm.=C2=A0 That is an interesting thought, but I would t=
hink
              there is no filesystem that would be able to be mounted
              until the user has written something to the disc first.=C2=A0
              In other words I don't believe blank media gets mounted as
              part of the burning process (at least not in my experience
              anyways--maybe I'd need to turn some feature on for
              that?). <br>
              <br>
              Kevin<br>
              <br>
              On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:<br>
            </div>
            <blockquote type=3D"cite">
              <div dir=3D"ltr">One way is to watch for the main folder
                where /dev/sr0 is mounted. That way everything under
                that is watched.
                <div>If an ISO is burned then we cannot know what is
                  inside that ISO.</div>
                <div><br>
                </div>
                <div>An alternative is to watch access to known
                  sensitive files on the machine (whose cd burner you
                  want to watch). and known burning commands. That way
                  you know who is accessing sensitive content. If the
                  same login session generates events for these files
                  and programs they might be burning sensitive files.</di=
v>
              </div>
              <div class=3D"gmail_extra"><br>
                <br>
                <div class=3D"gmail_quote">On Tue, Apr 22, 2014 at 3:14
                  PM, Boyce, Kevin P. (AS) <span dir=3D"ltr">&lt;<a
                      moz-do-not-send=3D"true"
                      href=3D"javascript:_e(%7B%7D,'cvml','kevin.boyce@ng=
c.com');"
                      target=3D"_blank">kevin.boyce@ngc.com</a>&gt;</span=
>
                  wrote:<br>
                  <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">Doe=
s

                    anyone know if it is possible to audit what
                    filenames users are burning to optical media?<br>
                    <br>
                    I suppose I can put a watch on the /dev/sr0 device
                    for write events, but this does not give me any idea
                    what was written to the disc. =C2=A0I suppose I could
                    also set an execve watch all burner programs, eg.
                    /usr/bin/k3b /usr/bin/brasero /usr/bin/cdrecord
                    /usr/bin/cdrdao /usr/bin/dvdrecord, =C2=A0to know if
                    someone opened the burning interface; but how could
                    I tell what it was they were writing?<br>
                    <br>
                    Any suggestions are welcome.<br>
                    <br>
                    Kevin<br>
                    <br>
                    --<br>
                    Linux-audit mailing list<br>
                    <a moz-do-not-send=3D"true"
                      href=3D"javascript:_e(%7B%7D,'cvml','Linux-audit@re=
dhat.com');"
                      target=3D"_blank">Linux-audit@redhat.com</a><br>
                    <a moz-do-not-send=3D"true"
                      href=3D"https://www.redhat.com/mailman/listinfo/lin=
ux-audit"
                      target=3D"_blank">https://www.redhat.com/mailman/li=
stinfo/linux-audit</a><br>
                  </blockquote>
                </div>
                <br>
                <br clear=3D"all">
                <div><br>
                </div>
                -- <br>
                Please Donate to <a moz-do-not-send=3D"true"
                  href=3D"http://www.wikipedia.org" target=3D"_blank">www=
.wikipedia.org</a>
              </div>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
      <br>
      -- <br>
      Please Donate to <a moz-do-not-send=3D"true"
        href=3D"http://www.wikipedia.org">www.wikipedia.org</a><br>
    </blockquote>
    <br>
  </body>
</html>

--------------030800020305020208030202--


--===============7280747133916896851==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 7bit


--===============7280747133916896851==--