EXT :Re: CD Burner Auditing

Steve Grubb sgrubb at redhat.com
Tue Apr 22 20:02:47 UTC 2014


On Tuesday, April 22, 2014 03:39:14 PM Satish Chandra Kilaru wrote:
> Even if there is a file system it may not be mounted on a known folder.
> But monitoring access of sensitive content and execution of burning
> programs can provide clues.

You can use dd on devices that are not mounted.


> You can use audit dispatcher to react to audit events... When you get a
> MOUNT event you can see where sr0 is mounted and start a new watch for that
> path. If you are not writing an ISO I think it has to be mounted.

I think hooking the udev rules might be better. This would let you check for 
hot plug events where something is not yet mounted.

-Steve
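
One way to wire up the udev approach suggested above, as an added example that is not part of the original message or of the audit project: a helper run from a udev rule puts an audit watch on the optical drive's device node at hot-plug time, so writes to an unmounted device (the dd case) are still recorded. The helper path, key name and rule text are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, assumed to be installed as /usr/local/sbin/cd-audit-hook
# and called from a udev rule such as:
#   ACTION=="add|change", SUBSYSTEM=="block", KERNEL=="sr[0-9]*", \
#     RUN+="/usr/local/sbin/cd-audit-hook"
# udev passes ACTION, DEVNAME and ID_CDROM to the helper in its environment.

AUDIT_KEY="cd-burner"   # assumed key name, used later with: ausearch -k cd-burner

# Print the auditctl arguments for one udev event, or return 1 to ignore it.
watch_args_for_event() {
    action=$1
    devname=$2
    is_cdrom=$3

    # Only devices that udev has identified as optical drives.
    [ "$is_cdrom" = "1" ] || return 1

    # Accept only plain srN node names, so nothing else reaches auditctl.
    case "$devname" in
        /dev/sr[0-9]|/dev/sr[0-9][0-9]) ;;
        *) return 1 ;;
    esac

    # "add" is the drive appearing, "change" is a media change.
    case "$action" in
        add|change)
            # -p w records opens of the device node for writing, mounted or not.
            printf '%s\n' "-w $devname -p w -k $AUDIT_KEY"
            ;;
        *) return 1 ;;
    esac
}

# Act only when udev supplied the event variables.
if [ -n "${ACTION:-}" ] && [ -n "${DEVNAME:-}" ]; then
    if args=$(watch_args_for_event "$ACTION" "$DEVNAME" "${ID_CDROM:-0}"); then
        # Word splitting of $args is intended; the device name was validated above.
        auditctl $args || logger -t cd-audit-hook "auditctl failed for $DEVNAME"
    fi
fi
```

A repeated "change" event makes auditctl report that the rule already exists, which the helper only logs.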