On Tuesday, April 22, 2014 04:02:47 PM Steve Grubb wrote:
> > You can use audit dispatcher to react to audit events.... When you get a
> > MOUNT event you can see where sr0 is mounted and start a new watch for
> > that path. If you are not writing an ISO I think it has to be mounted.
>
> I think hooking the udev rules might be better. This would let you check
> for hot plug events where something is not yet mounted.

A long time ago during the RHEL5 LSPP certification, there was a project created to help audit device allocation:

http://sourceforge.net/projects/devallocator/

There were 2 audit events created to assist in this. But if I recall, there was a decision made to not support hot plug events. I forget why. The main thing is that the code has the event in it formatted correctly. udev could be patched to provide this event.

-Steve
