How to audit mounted volume

MechWright

I have to set up audit trailing in our company. Generally Linux's in-built tool auditd works fine, but the following keeps failing:

I have created a directory /media/server/ for the users to mount the server(s) on, so that each one can have their own /media/server/user1, /media/server/user2 and so on.

Setting the audit rule like (I am omitting sudo)
auditctl -w /media/server/user1 -p wa -k user1_server
fails because the mount point doesn't exist before it has been created. If I create the mounting directory beforehand, the audit daemon only listens to the directory before the server is mounted there.

The auditctl manual gives the switch -q for this, but I failed to understand its usage. I tried something like
auditctl -q /media/server/,/media/server/user1
but the daemon ignored the rule - it is not even printed when prompting

auditctl -l

after restarting the service. How does this work?
 


wizardfromoz

Beyond my paygrade, @MechWright but welcome to linux.org :)

Which Linux is your firm using?

Chris Turner
wizardfromoz
 
