Burn,
Hence my final comment below about well-known devices and the desire to
monitor open/openat/etc. for write system calls on 'deemed removable media', i.e. one
day we could set up

    auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable -k RMopen

And even when you try to figure this out for a CD it is next to impossible to know what is
written. If I remember correctly when running strace on wodim you don't ever see the
write() calls on the filenames. And instead, what if someone creates an ISO image and
burns that to a DVD? You really have no way of knowing what is on that disc. When the
burn process is complete, the disc usually gets ejected, so the audit subsystem would
never even get a chance to evaluate the filesystem that was written to optical media.
Kevin
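
An added example, not part of the original message: one way to approximate the wished-for `dev=removable` filter by emitting per-mount-point rules for filesystems whose backing disk is flagged removable in sysfs. The function name and the idea of substituting `dir=<mount point>` filters are assumptions of this sketch; it only covers mounted filesystems, so burns that never go through a mounted filesystem, as described above for wodim, are not seen.

```shell
#!/bin/sh
# Emit audit rules (audit.rules file format) for write-mode open()/openat()
# under every mounted filesystem whose backing disk sysfs marks removable.
# removable_write_rules is a hypothetical helper name, not an audit tool.
#   $1  sysfs root   (default /sys)
#   $2  mount table  (default /proc/mounts)
removable_write_rules() {
    sys=${1:-/sys}
    mounts=${2:-/proc/mounts}
    while read -r src mnt _rest; do
        # Only block-device backed mounts are of interest.
        case $src in /dev/*) ;; *) continue ;; esac
        name=${src#/dev/}
        disk=
        if [ -e "$sys/block/$name/removable" ]; then
            disk=$name                          # whole-disk mount, e.g. sr0
        else
            for d in "$sys"/block/*/"$name"; do # partition, e.g. sdb/sdb1
                [ -d "$d" ] || continue
                disk=${d%/*}
                disk=${disk##*/}
            done
        fi
        [ -n "$disk" ] || continue
        # sysfs reports 1 for removable media, 0 otherwise.
        [ "$(cat "$sys/block/$disk/removable" 2>/dev/null)" = 1 ] || continue
        # open(path, flags): flags is a1. openat(dirfd, path, flags): flags is a2.
        # The bit mask "&3" matches O_WRONLY (1) and O_RDWR (2), not O_RDONLY (0).
        printf '%s\n' "-a always,exit -F arch=b64 -S open -F dir=$mnt -F a1&3 -k RMopen"
        printf '%s\n' "-a always,exit -F arch=b64 -S openat -F dir=$mnt -F a2&3 -k RMopen"
    done < "$mounts"
}
```

The output can be written to a file and loaded with `auditctl -R`; it has to be regenerated whenever removable media is mounted or unmounted.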