CD Burner Auditing
Satish Chandra Kilaru
iam.kilaru at gmail.com
Tue Apr 22 19:32:34 UTC 2014
One way is to watch for the main folder where /dev/sr0 is mounted. That way
everything under that is watched.
If an ISO is burned then we cannot know what is inside that ISO.
An alternative is to watch access to known sensitive files on the machine
(whose cd burner you want to watch). and known burning commands. That way
you know who is accessing sensitive content. If the same login session
generates events for these files and programs they might be burning
sensitive files.
On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS)
<kevin.boyce at ngc.com>wrote:
> Does anyone know if it is possible to audit what filenames users are
> burning to optical media?
>
> I suppose I can put a watch on the /dev/sr0 device for write events, but
> this does not give me any idea what was written to the disc. I suppose I
> could also set an execve watch all burner programs, eg. /usr/bin/k3b
> /usr/bin/brasero /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord, to
> know if someone opened the burning interface; but how could I tell what it
> was they were writing?
>
> Any suggestions are welcome.
>
> Kevin
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Please Donate to www.wikipedia.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140422/3a8a907b/attachment.htm>
More information about the Linux-audit
mailing list