Even if there is a file system it may not be mounted on a known folder. But monitoring access of sensitive content and execution of burning programs can provide clues. You can use audit dispatcher to react to audit events... When you get a MOUNT event you can see where sr0 is mounted and start a new watch for that path. If you are not writing an ISO I think it has to be mounted.
On Tuesday, April 22, 2014, Boyce, Kevin P. (AS) <[email protected]> wrote:

> Hmm. That is an interesting thought, but I would think there is no
> filesystem that would be able to be mounted until the user has written
> something to the disc first. In other words I don't believe blank media
> gets mounted as part of the burning process (at least not in my experience
> anyways--maybe I'd need to turn some feature on for that?).
>
> Kevin
>
> On 04/22/2014 03:32 PM, Satish Chandra Kilaru wrote:
>
> One way is to watch for the main folder where /dev/sr0 is mounted. That
> way everything under that is watched.
> If an ISO is burned then we cannot know what is inside that ISO.
>
> An alternative is to watch access to known sensitive files on the
> machine (whose CD burner you want to watch) and known burning commands.
> That way you know who is accessing sensitive content. If the same login
> session generates events for these files and programs they might be burning
> sensitive files.
>
> On Tue, Apr 22, 2014 at 3:14 PM, Boyce, Kevin P. (AS)
> <[email protected]> wrote:
>
>> Does anyone know if it is possible to audit what filenames users are
>> burning to optical media?
>>
>> I suppose I can put a watch on the /dev/sr0 device for write events, but
>> this does not give me any idea what was written to the disc. I suppose I
>> could also set an execve watch on all burner programs, e.g. /usr/bin/k3b
>> /usr/bin/brasero /usr/bin/cdrecord /usr/bin/cdrdao /usr/bin/dvdrecord, to
>> know if someone opened the burning interface; but how could I tell what it
>> was they were writing?
>>
>> Any suggestions are welcome.
>>
>> Kevin
>>
>> --
>> Linux-audit mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/linux-audit
>
> --
> Please Donate to www.wikipedia.org

--
Please Donate to www.wikipedia.org
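The per-session correlation suggested in the thread (watched sensitive files plus burner programs in the same login session), as an added example that is not code from any of the posters. The rule keys `sensitive-read` and `burner-exec`, the path `/srv/secret`, and the log records are assumptions constructed for illustration; the result shows which session did both, not what was written to the disc.

```python
import re
from collections import defaultdict

# Assumed rule keys (hypothetical names), e.g. loaded with:
#   auditctl -w /srv/secret -p r -k sensitive-read
#   auditctl -w /usr/bin/cdrecord -p x -k burner-exec
SENSITIVE_KEY, BURNER_KEY = "sensitive-read", "burner-exec"

# Constructed sample records in audit.log layout (not from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1398195120.101:501): syscall=2 success=yes auid=1000 ses=7 exe="/usr/bin/cp" key="sensitive-read"
type=PATH msg=audit(1398195120.101:501): item=0 name="/srv/secret/plan.txt" inode=1311
type=SYSCALL msg=audit(1398195180.440:517): syscall=59 success=yes auid=1000 ses=7 exe="/usr/bin/cdrecord" key="burner-exec"
type=PATH msg=audit(1398195180.440:517): item=0 name="/usr/bin/cdrecord" inode=2207
type=SYSCALL msg=audit(1398195200.010:530): syscall=59 success=yes auid=1001 ses=9 exe="/usr/bin/brasero" key="burner-exec"
type=SYSCALL msg=audit(1398195260.900:544): syscall=2 success=yes auid=1002 ses=11 exe="/usr/bin/less" key="sensitive-read"
type=PATH msg=audit(1398195260.900:544): item=0 name="/srv/secret/budget.ods" inode=1312
"""

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Merge the SYSCALL and PATH records that share one audit event serial."""
    events = defaultdict(lambda: {"paths": []})
    for line in log.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if f.get("type") == "PATH":
            events[m.group(1)]["paths"].append(f.get("name"))
        elif f.get("type") == "SYSCALL":
            events[m.group(1)].update({k: f.get(k) for k in ("ses", "auid", "exe", "key")})
    return events

def sessions_of_interest(log):
    """Return sessions that both read a watched file and ran a burner program."""
    per_ses = defaultdict(lambda: {"auid": None, "files": set(), "burners": set()})
    for ev in parse(log).values():
        if ev.get("ses") is None:
            continue  # PATH record whose SYSCALL record is missing
        s = per_ses[ev["ses"]]
        s["auid"] = ev["auid"]
        if ev["key"] == SENSITIVE_KEY:
            s["files"].update(ev["paths"])
        elif ev["key"] == BURNER_KEY:
            s["burners"].add(ev["exe"])
    return {ses: dict(s) for ses, s in per_ses.items() if s["files"] and s["burners"]}

if __name__ == "__main__":
    for ses, s in sessions_of_interest(SAMPLE_LOG).items():
        print(f"ses={ses} auid={s['auid']} files={sorted(s['files'])} burners={sorted(s['burners'])}")
```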
