How to Determine Which User or Process is Mounting or Unmounting Devices Using auditd in Linux
Applies To:
Oracle Cloud Infrastructure
Oracle Linux OS
Question
How to determine which user or process is mounting or unmounting devices using the auditd service?
Solution
Configure auditd to record when an unmount operation is performed, and make the rule persistent across reboots.
1) Add the following rule in the file /etc/audit/rules.d/audit.rules to audit mount and umount operations.
If you are using a 64-bit architecture, ensure umount2 is used instead of umount:

# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S umount -S umount2 -F key=umount
-a always,exit -F arch=b64 -S umount2 -F key=umount
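
Once the rule is loaded, every unmount produces a SYSCALL record tagged key="umount" that carries the login UID (auid), effective caller (uid), PID and executable. The following is an added example, not part of the original article: it summarizes those records from raw audit log lines, and the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Summarize SYSCALL records tagged key="umount"; raw audit.log format on stdin.
umount_events() {
    awk '
    $1 == "type=SYSCALL" && /key="umount"/ {
        split($2, m, /[():]/)            # msg=audit(<time>:<event id>):
        auid = "?"; uid = "?"; pid = "?"; comm = "?"; exe = "?"; ok = "?"
        for (i = 3; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1)
            v = substr($i, n + 1)
            gsub(/"/, "", v)
            # auid 4294967295 means no login session (daemon or boot-time)
            if (k == "auid")         auid = (v == "4294967295") ? "unset" : v
            else if (k == "uid")     uid = v
            else if (k == "pid")     pid = v
            else if (k == "comm")    comm = v
            else if (k == "exe")     exe = v
            else if (k == "success") ok = v
        }
        printf "event=%s auid=%s uid=%s pid=%s comm=%s exe=%s success=%s\n",
               m[3], auid, uid, pid, comm, exe, ok
    }'
}

# Constructed, abbreviated sample records (not captured from a real host).
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:901): arch=c000003e syscall=166 success=yes exit=0 items=1 ppid=2101 pid=2150 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="umount" exe="/usr/bin/umount" key="umount"
type=PATH msg=audit(1700000000.101:901): item=0 name="/mnt/data" inode=2 dev=08:11 mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000042.007:915): arch=c000003e syscall=166 success=no exit=-16 items=1 ppid=1 pid=3001 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="umount"
type=SYSCALL msg=audit(1700000050.300:920): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2101 pid=2160 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="passwd_read"
EOF
}

sample_log | umount_events
```

On a host with the rule loaded, run `umount_events < /var/log/audit/audit.log` as root. The auid value stays tied to the original login even after su or sudo, so it identifies the person behind a uid=0 unmount.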