On Tuesday, April 22, 2014 03:39:14 PM Satish Chandra Kilaru wrote: > Even if there is a file system it may not be mounted on a known a folder. > But monitoring access of sensitive content and execution of burning > programs can provide clues.
You can use dd on devices that are not mounted. > You can use audit dispatcher to react to audit events.... When u get a > MOUNT event you can see where sr0 is mounted and start a new watch for that > path. If you are not writing an ISO I think it has to be mounted. I think hooking the udev rules might be better. This would let you check for hot plug events where something is not yet mounted. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
