Question about setting watches in auto-mounted directories in RHEL 5.2

Taylor_Tad at emc.com Taylor_Tad at emc.com
Fri Nov 21 16:59:46 UTC 2008


I'd like to set a file system watch so that any activity in an
auto-mounted directory is audited.  It looks like just setting a watch
on a parent directory isn't sufficient.  For example, if I have
directory path  /dir1/dir2 and auto-mount something at
/dir1/dir2/mount-dir, setting a file system watch on /dir1/dir2 doesn't
detect activity in the auto-mounted subtree.  Looking at the auditctl
man page, it looks like I'd have to issue a command like "/sbin/auditctl
-q /dir1/dir2/mount-dir,/dir1/dir2" to tell the kernel to watch the
newly mounted file system as well.  Unfortunately, auto-mounts are,
well, automatic, so there's no one to issue that command.

 

Am I missing a better way to accomplish this goal?  Is my understanding
wrong?  Any help would be appreciated.  Thanks,

 

--Tad Taylor

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20081121/fe392636/attachment.htm>


More information about the Linux-audit mailing list