• We did not send an email asking for donations - please read this post.

How to audit mounted volume

MechWright

New Member
Joined
Jun 2, 2020
Messages
4
Reaction score
1
Credits
52
I have to setup audit trailing in our company. Generally Linux's in-built tool auditd works fine, but the following keeps failing:

I have created a directory /media/server/ for the users to mount the server(s) on, so that each one can have their own
/media/server/user1, /media/server/user2 and so on.

Setting the audit rule like (I am omitting sudo)
auditctl -w /media/server/user1 -p wa -k user1_server
fails because the mount point doesn't exist before it has been created. If I create the mounting directory beforehand, the audit daemon
only listens to the directory before the server is mounted there.

The auditctl manual gives the switch -q for this, but I failed to understand its usage. I tried something like
auditctl -q /media/server/,/media/server/user1
but the daemon ignored the rule - it is not even printed when prompting

auditctl -l

after restarting the service. How does this work?
 


wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
7,843
Reaction score
6,676
Credits
29,104
Beyond my paygrade, @MechWright but welcome to linux.org :)

Which Linux is your firm using?

Chris Turner
wizardfromoz
 

wizardfromoz

Administrator
Staff member
Gold Supporter
Joined
Apr 30, 2017
Messages
7,843
Reaction score
6,676
Credits
29,104
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Linux.org Hosting Donations
Consider making a donation

Members online


Latest posts

Top