On Mon, 2016-04-04 at 17:37 -0400, Steve Grubb wrote:
> On Monday, April 04, 2016 12:02:42 AM wmealing wrote:
> > I'm looking to create an audit trail for when devices are added or removed
> > from the system.
> >
> > The audit subsystem is a logging subsystem in kernel space that can be
> > used
what's connected or an
efficient means of working out if a device is 'removable' at system call
time.
In essence, I need to know if and how removable media is being used on
my systems. The definition of 'removable' is challenging, but my idea
would be for one to
On Tue, 2016-04-05 at 09:44 -0400, Greg KH wrote:
> On Tue, Apr 05, 2016 at 11:07:48PM +1000, Burn Alting wrote:
> > On Mon, 2016-04-04 at 14:53 -0700, Greg KH wrote:
> > > On Mon, Apr 04, 2016 at 02:48:43PM -0700, Greg KH wrote:
> > > > On Mon, Apr 04, 2016 at 05:33
monitor open/openat/etc for write system calls on 'deemed removable
media' ie one day we could set up
auditctl -F arch=b64 -a always,exit -S open -F a1&3 -F dev=removable
-k RMopen
Burn
> Kevin
>
> -Original Message-
> From: linux-audit-boun...@redhat.com [mailto
On Tue, 2016-04-05 at 14:42 +, Boyce, Kevin P (AS) wrote:
> Burn,
>
> > Hence my final comment below about well known devices and the desire
> > monitor open/openat/etc for write system calls on 'deemed removable media'
> > ie one day we could set up
> auditctl -F arch=b64 -a always,exit -
