Burn,

> Hence my final comment below about well-known devices and the desire to monitor
> open/openat/etc for write system calls on 'deemed removable media', i.e. one day
> we could set up
  auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable -k RMopen

And even when you try to figure this out for a CD it is next to impossible to 
know what is written.  If I remember correctly when running strace on wodim you 
don't ever see the write() calls on the filenames.  And instead, what if 
someone creates an ISO image and burns that to a DVD?  You really have no way 
of knowing what is on that disc.  When the burn process is complete, the disc 
usually gets ejected, so the audit subsystem would never even get a chance to 
evaluate the filesystem that was written to optical media.

Kevin