How to audit mounted volume


New Member
I have to setup audit trailing in our company. Generally Linux's in-built tool auditd works fine, but the following keeps failing:

I have created a directory /media/server/ for the users to mount the server(s) on, so that each one can have their own
/media/server/user1, /media/server/user2 and so on.

Setting the audit rule like (I am omitting sudo)
auditctl -w /media/server/user1 -p wa -k user1_server
fails because the mount point doesn't exist before it has been created. If I create the mounting directory beforehand, the audit daemon
only listens to the directory before the server is mounted there.

The auditctl manual gives the switch -q for this, but I failed to understand its usage. I tried something like
auditctl -q /media/server/,/media/server/user1
but the daemon ignored the rule - it is not even printed when prompting

auditctl -l

after restarting the service. How does this work?


Super Moderator
Staff member
Gold Supporter
Beyond my paygrade, @MechWright but welcome to :)

Which Linux is your firm using?

Chris Turner
$100 Digital Ocean Credit
Get a free VM to test out Linux!

Staff online