
How to Determine Which User or Process is Mounting or Unmounting Devices Using auditd

Applies To:

Oracle Cloud Infrastructure

Oracle Linux OS 

Question

How to determine which user or process is mounting or unmounting devices using the auditd service?

Solution

Add an audit rule that records when an unmount operation is performed, and make it persistent across reboots.

1) Add the following rules to the file /etc/audit/rules.d/audit.rules to audit mount and umount operations.

If you are using a 64-bit architecture, ensure umount2 is used instead of umount:

# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b32 -S umount -S umount2 -F key=umount
-a always,exit -F arch=b64 -S umount2 -F key=umount
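
Each call matched by these rules is logged as a SYSCALL record tagged key="umount". The following added example (not part of the original article or Oracle's code) reads records in the raw audit.log format and reports the login user (auid), uid, pid, comm and exe for each one, joined to the PATH record that names the mount point. The sample log lines are constructed, and the names decode and unmount_events are hypothetical.

```python
import re

# Constructed sample in raw /var/log/audit/audit.log format (not from the page).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=166 success=yes exit=0 ppid=2211 pid=2290 auid=1000 uid=0 comm="umount" exe="/usr/bin/umount" key="umount"
type=PATH msg=audit(1700000000.123:456): item=0 name="/mnt/data" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.001:460): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=900 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=SYSCALL msg=audit(1700000100.500:470): arch=c000003e syscall=166 success=no exit=-16 ppid=1 pid=3100 auid=4294967295 uid=0 comm="backup.sh" exe="/usr/bin/bash" key="umount"
type=PATH msg=audit(1700000100.500:470): item=0 name=2F6D6E742F757362206469736B nametype=NORMAL
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
UNSET_AUID = "4294967295"  # (uint32)-1: no login session (daemon, boot-time unit)


def decode(value):
    """auditd quotes safe strings and hex-encodes ones with spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def unmount_events(log_text, key="umount"):
    """Return SYSCALL records tagged `key`, each joined to the PATH record of its event."""
    events, targets = {}, {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        # The serial after the timestamp ties all records of one event together.
        serial, f = m.group(2), dict(FIELD.findall(line))
        if f.get("type") == "SYSCALL" and decode(f.get("key", "")) == key:
            events[serial] = {
                "time": float(m.group(1)), "pid": int(f["pid"]), "ppid": int(f["ppid"]),
                "auid": None if f["auid"] == UNSET_AUID else int(f["auid"]),
                "uid": int(f["uid"]), "comm": decode(f["comm"]), "exe": decode(f["exe"]),
                "success": f["success"] == "yes",
            }
        elif f.get("type") == "PATH" and "name" in f:
            targets.setdefault(serial, decode(f["name"]))
    return [dict(ev, target=targets.get(s)) for s, ev in events.items()]


if __name__ == "__main__":
    for ev in unmount_events(SAMPLE_LOG):
        print(ev)
```

An auid that differs from uid (1000 versus 0 in the first sample event) identifies the account that originally logged in before privileges were raised; an auid of None means the call came from a process with no login session.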
