Does anyone know if it is possible to audit what filenames users are
burning to optical media?
I suppose I can put a watch on the /dev/sr0 device for write events, but
this does not give me any idea what was written to the disc. I suppose
I could also set an execve watch all burner programs, eg. /usr/bin/k3b
/usr/bin/brasero /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord,
to know if someone opened the burning interface; but how could I tell
what it was they were writing?
Any suggestions are welcome.
Kevin
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
