Audit rule gets removed when unmounting the filesystem.

Solution Verified - Updated -

Issue

Audit rule gets removed when unmounting the filesystem.

In this example:
Mount point is "/share"
Audited directory is "/share/test"

1. Mount /share.

[root@localhost ~]# mount /dev/sdb1 /share

[root@localhost ~]# df
Filesystem            1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel-root  10258432 1581312   8677120  16% /
devtmpfs                 495420       0    495420   0% /dev
tmpfs                    507512       0    507512   0% /dev/shm
tmpfs                    507512     548    506964   1% /run
tmpfs                    507512       0    507512   0% /sys/fs/cgroup
/dev/sda1               1038336  135224    903112  14% /boot
tmpfs                    101504       0    101504   0% /run/user/0
/dev/sdb1                519844   26384    493460   6% /share

2. Restart auditd service.

[root@localhost ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service

3. Confirm the created rule.

[root@localhost ~]# auditctl -l
-w /share/test -p r -k file_read

4. Umount /share.

[root@localhost ~]# umount /share

5. Confirm the rule again.

[root@localhost ~]# auditctl -l
No rules

The rule disappears from the loaded rule set even though it still remains in /etc/audit/audit.rules, as shown below.

[root@localhost ~]# cat /etc/audit/audit.rules
-w /root/test -p war -k file_monitor
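The practical consequence of this behaviour is silent drift: the rules file says a path is watched, but the kernel has dropped the watch when its filesystem went away, so reads of the files are no longer logged until auditd is restarted or the rules are reloaded. The following script, an added example that is not part of the Red Hat article, compares the rules loaded in the kernel (the output of "auditctl -l", in the form shown above) with the contents of /etc/audit/audit.rules and reports rules that are configured but not loaded. The function names and the sample rule set are my own; the sample is constructed to mirror the session above, with the /share/test watch present before the unmount and gone afterwards.

```python
"""Detect audit rules that are present in /etc/audit/audit.rules but no
longer loaded in the kernel, e.g. after the watched filesystem was unmounted.
Added example, not part of the Red Hat article."""
import shlex
import subprocess


def normalize(rule):
    """Canonicalise one audit rule line so file and kernel forms compare equal.

    Comments and blank lines return None. The permission letters in "-p" are
    sorted because auditctl may print them in a different order than the
    rules file uses (e.g. "-p war" vs "-p rwa")."""
    line = rule.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-p" and i + 1 < len(tokens):
            out.extend(["-p", "".join(sorted(tokens[i + 1]))])
            i += 2
            continue
        out.append(tok)
        i += 1
    return " ".join(out)


def parse_rules(text):
    """Return the set of normalised watch (-w) and syscall (-a/-A) rules in a
    block of text. Control lines such as "-D" or "-b 8192" are skipped because
    auditctl -l never reports them, and the literal "No rules" line that
    auditctl prints when nothing is loaded yields an empty set."""
    rules = set()
    for line in text.splitlines():
        if line.strip() == "No rules":
            continue
        norm = normalize(line)
        if norm is not None and norm.startswith(("-w ", "-a ", "-A ")):
            rules.add(norm)
    return rules


def missing_rules(loaded_text, file_text):
    """Rules configured in the rules file but absent from the loaded set."""
    return sorted(parse_rules(file_text) - parse_rules(loaded_text))


# Constructed sample input modelled on the article's session: the watch on
# /share/test is loaded, then the filesystem is unmounted and the kernel drops
# it, while the rules file still carries it.
SAMPLE_RULES_FILE = """# audit.rules (constructed sample)
-D
-b 8192
-w /share/test -p r -k file_read
-w /etc/passwd -p wa -k identity
"""
SAMPLE_LOADED_BEFORE = (
    "-w /share/test -p r -k file_read\n"
    "-w /etc/passwd -p wa -k identity\n"
)
SAMPLE_LOADED_AFTER = "-w /etc/passwd -p aw -k identity\n"


def check_live(rules_file="/etc/audit/audit.rules"):
    """Run the comparison against the real system (needs root and auditctl)."""
    loaded = subprocess.run(["auditctl", "-l"], capture_output=True,
                            text=True, check=True).stdout
    with open(rules_file) as fh:
        return missing_rules(loaded, fh.read())


if __name__ == "__main__":
    print("before umount, not loaded:", missing_rules(SAMPLE_LOADED_BEFORE, SAMPLE_RULES_FILE))
    print("after umount, not loaded: ", missing_rules(SAMPLE_LOADED_AFTER, SAMPLE_RULES_FILE))
```

Run it on the sample to see the /share/test watch reported only after the unmount, or call check_live() as root on a host to compare the live kernel state with the file. Watch rules are normalised on their "-p" permissions; syscall rules are compared textually, so a "-a" rule whose syscall list auditctl prints in a different form than the file may show up as a false positive and should be reviewed by hand. A non-empty result after a mount change is the signal to reload the rules (for example by restarting auditd as in step 2) so that the watch is re-established.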

Environment

  • Red Hat Enterprise Linux 7
  • audit
