For what it's worth, I believe one possible solution for this would be a
table in the kernel that maintains a list of currently attached
removable media. Perhaps this could be an extension of udev. One point
though, the definition of what is 'removable' would need to be
configurable.
Once such a table exists, an auditing control could be to record all
files read or written to devices found in this table. This would cover
the use cases of files written to mounted devices and those to a raw
device via say, dd.
See https://bugzilla.redhat.com/show_bug.cgi?id=967241 for a feature
request marker for this requirement.
Rgds
On Tue, 2014-04-22 at 16:43 -0400, Steve Grubb wrote:
On Tuesday, April 22, 2014 04:02:47 PM Steve Grubb wrote:
> > You can use audit dispatcher to react to audit events.... When you get a
> > MOUNT event you can see where sr0 is mounted and start a new watch for
> > that path. If you are not writing an ISO I think it has to be mounted.
>
> I think hooking the udev rules might be better. This would let you check
> for hot plug events where something is not yet mounted.
A long time ago during the RHEL5 LSPP certification, there was a project
created to help audit device allocation:
http://sourceforge.net/projects/devallocator/
There were 2 audit events created to assist in this. But if I recall, there
was a decision made to not support hot plug events. I forget why. The main
thing is that the code has the event in it formatted correctly. udev could be
patched to provide this event.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
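The dispatcher approach quoted above (react to a mount event, then start a watch on the new mount point) as an added example that is not from the thread or the audit project: a small handler that groups raw audit records by event serial, recognises a successful mount(2), and emits the auditctl watch for the mount point when the backing device is in a configurable "removable" set. The record layout, the syscall number, the device names and the sample records are assumptions constructed for the example.

```python
import re

# Assumption: x86_64 syscall number for mount(2); verify with `ausyscall --dump`.
MOUNT_SYSCALL = "165"
# What counts as "removable" is policy, as the thread notes, so keep it configurable.
REMOVABLE_DEVICES = {"/dev/sr0", "/dev/sdb1"}
AUDIT_KEY = "removable_media"
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (event serial, {field: value}) for one audit record, else None."""
    m = SERIAL_RE.search(line)
    return (m.group(1), {k: v.strip('"') for k, v in FIELD_RE.findall(line)}) if m else None


def watch_rules_for_event(records, removable=REMOVABLE_DEVICES):
    """For one grouped event, return the auditctl rules to add (empty if not a mount)."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if not syscall or syscall.get("syscall") != MOUNT_SYSCALL or syscall.get("success") != "yes":
        return []
    # mount(2) is audited with PATH records for both the source device and the target dir.
    paths = [r["name"] for r in records if r.get("type") == "PATH" and r.get("name", "(null)") != "(null)"]
    if not any(p in removable for p in paths):
        return []
    return ["-w %s -p rwa -k %s" % (p, AUDIT_KEY) for p in paths if not p.startswith("/dev/")]


def process_stream(lines):
    """Group records by serial (the dispatcher delivers them in order) and collect rules."""
    rules, current, serial = [], [], None
    for line in list(lines) + [None]:          # None is a sentinel that flushes the last event
        parsed = parse_record(line) if line else None
        if parsed is None or parsed[0] != serial:
            rules.extend(watch_rules_for_event(current))
            current, serial = [], (parsed[0] if parsed else None)
        if parsed:
            current.append(parsed[1])
    return rules


# Constructed sample: a successful mount of sr0, then a mount of a fixed disk (no rule expected).
SAMPLE = [
    'type=SYSCALL msg=audit(1398200000.123:42): arch=c000003e syscall=165 success=yes exit=0 comm="mount" exe="/bin/mount"',
    'type=PATH msg=audit(1398200000.123:42): item=0 name="/mnt/cdrom" nametype=NORMAL',
    'type=PATH msg=audit(1398200000.123:42): item=1 name="/dev/sr0" nametype=NORMAL',
    'type=SYSCALL msg=audit(1398200000.456:43): arch=c000003e syscall=165 success=yes exit=0 comm="mount" exe="/bin/mount"',
    'type=PATH msg=audit(1398200000.456:43): item=0 name="/data" nametype=NORMAL',
    'type=PATH msg=audit(1398200000.456:43): item=1 name="/dev/sda2" nametype=NORMAL',
]
```

Run as a dispatcher plugin, the records would arrive on standard input (`process_stream(sys.stdin)`) and each returned rule is passed to `auditctl`; as the thread says, a hot-plugged device that is written raw with dd never produces a mount event, so the device node itself still needs its own watch.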