Audit rule gets removed when unmounting the filesystem.

Solution Verified

Issue

Audit rule gets removed when unmounting the filesystem.

In this example:
Mount point is "/share"
Audited directory is "/share/test"

1. Mount /share.

[root@localhost ~]# mount /dev/sdb1 /share

[root@localhost ~]# df
Filesystem            1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel-root  10258432 1581312   8677120  16% /
devtmpfs                 495420       0    495420   0% /dev
tmpfs                    507512       0    507512   0% /dev/shm
tmpfs                    507512     548    506964   1% /run
tmpfs                    507512       0    507512   0% /sys/fs/cgroup
/dev/sda1               1038336  135224    903112  14% /boot
tmpfs                    101504       0    101504   0% /run/user/0
/dev/sdb1                519844   26384    493460   6% /share

2. Restart the auditd service.

[root@localhost ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

3. Confirm that the rule has been created.

[root@localhost ~]# auditctl -l
-w /share/test -p r -k file_read

4. Unmount /share.

[root@localhost ~]# umount /share

5. Confirm the rule again.

[root@localhost ~]# auditctl -l
No rules

The rule disappears from the loaded rule set even though it is still present in /etc/audit/audit.rules, as shown below.

[root@localhost ~]# cat /etc/audit/audit.rules 
-w /root/test -p war -k file_monitor
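A practical consequence of the behaviour above is that the configured rules file and the rules auditd actually has loaded can silently diverge after an unmount, so a watch you believe is in place is not generating events. The following script is an added example, not part of the Red Hat article or the audit project: it compares the -w/-a rules in a rules file against the text of an `auditctl -l` listing and prints every configured rule that is not loaded. The rules file contents and the loaded listing used in the demo functions are constructed to mirror the article's scenario (a watch under /share after /share has been unmounted); in live use you would pass `/etc/audit/audit.rules` and `"$(auditctl -l)"`.

```shell
#!/bin/sh
# Added example (not from the original article): detect audit watch rules that
# are configured in a rules file but missing from auditd's loaded rule set.
# Live usage:  audit_missing_watches /etc/audit/audit.rules "$(auditctl -l)"

# Normalise one rule listing: keep only -w (watch) and -a (syscall) rules,
# trimmed of surrounding whitespace. Comments, blank lines, control options
# such as -D/-b/-e and auditctl's "No rules" placeholder are all dropped.
normalize_rules() {
    grep -E '^[[:space:]]*-(w|a) ' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Usage: audit_missing_watches <rules file> <text of "auditctl -l">
# Prints each configured -w/-a rule that is not loaded.
# Returns 1 when at least one rule is missing, 0 when all are loaded.
audit_missing_watches() {
    rules_file=$1
    loaded_text=$2
    conf_tmp=$(mktemp)
    load_tmp=$(mktemp)
    normalize_rules < "$rules_file" > "$conf_tmp"
    printf '%s\n' "$loaded_text" | normalize_rules > "$load_tmp"
    if [ -s "$load_tmp" ]; then
        # -F fixed strings, -x whole-line match, -v invert:
        # configured lines that have no exact counterpart in the loaded set.
        missing=$(grep -Fxv -f "$load_tmp" "$conf_tmp" || true)
    else
        # Nothing loaded at all ("No rules"): every configured rule is missing.
        missing=$(cat "$conf_tmp")
    fi
    rm -f "$conf_tmp" "$load_tmp"
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample rules file mirroring the article: one watch below the
# /share mount point plus an unrelated watch on /etc/passwd. Prints its path.
demo_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample audit.rules
-D
-b 320
-w /share/test -p r -k file_read
-w /etc/passwd -p wa -k identity
EOF
    printf '%s\n' "$f"
}

# Constructed "auditctl -l" output after /share was unmounted: only the
# /etc/passwd watch survived. Prints the rule(s) that went missing.
demo_after_umount() {
    f=$(demo_rules_file)
    audit_missing_watches "$f" "-w /etc/passwd -p wa -k identity" || true
    rm -f "$f"
}

# Stand-alone run: shows "-w /share/test -p r -k file_read".
demo_after_umount
```

The comparison is purely textual, so the rules file should be written in the same form that `auditctl -l` prints; for example, a permission string such as `-p war` in the file may be listed by auditctl with the flags in a different order and would then be reported as missing even though it is loaded. Run the check from cron or a monitoring agent after mount events, and alert on a non-zero exit status.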

Environment

  • Red Hat Enterprise Linux 7
  • audit
