All,

Has anyone done any research within the kernel to identify audit events  (ie syscalls) operating on files residing on removable media?

If say, we kept an in-core list of devices currently associated with removable media, we could then extend the filetype auditd rule field to include
a value for 'file on removable media'. With this we could monitor all file opens/reads/writes etc on removable media and hence together
with udev could provide reasonable support for improving one's security posture against Endpoint DLP.

Happy to do the research but would appreciate pointers if people have gone down this path already.

Regards
Burn