[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ffef94ad8d7a4770a4a192488a5be1c3@XCGVAG30.northgrum.com>
Date: Tue, 5 Apr 2016 14:42:11 +0000
From: "Boyce, Kevin P (AS)" <Kevin.Boyce@....com>
To: "burn@...f.dyndns.org" <burn@...f.dyndns.org>
CC: Greg KH <gregkh@...uxfoundation.org>,
"linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-audit@...hat.com" <linux-audit@...hat.com>
Subject: RE: EXT :Re: [RFC] Create an audit record of USB specific details
Burn,
> Hence my final comment below about well known devices and the desire monitor open/openat/etc for write system calls on 'deemed removable media' ie one day we could set up
auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable -k RMopen
And even when you try to figure this out for a CD it is next to impossible to know what is written. If I remember correctly when running strace on wodim you don't ever see the write() calls on the filenames. And instead, what if someone creates an iso image and burns that to a DVD. You really have no way of knowing what is on that disc. When the burn process is complete, the disc usually gets ejected, so the audit subsystem would never even get a chance to evaluate the filesystem that was written to optical media.
Kevin
Powered by blists - more mailing lists