
I'm seeing a message from auditd I don't understand. My OS is Ubuntu 20.04.

Every time I boot the server, an audit entry says user id 1001 (a normal user) is making a syscall to /usr/bin/mount. But that user is me (the only interactive user on the machine) and I'm not mounting anything that I know about.

Any idea why a regular user (auid=1001) is implicated as the user making a mount call on boot?

message - formatted for easy reading

type=PATH msg=audit(08/08/2020 18:15:21.901:256) : 
  item=0 name=/usr/bin/mount inode=1207 dev=08:01 
  mode=file,suid,755 ouid=root ogid=root rdev=00:00

type=EXECVE msg=audit(08/08/2020 18:15:21.901:256) : argc=1 a0=mount

type=SYSCALL msg=audit(08/08/2020 18:15:21.901:256) : 
  arch=x86_64 syscall=execve success=yes exit=0 .....
  ppid=696 pid=697 auid=1001 uid=root gid=root euid=root 
  suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) 
  ses=1 comm=mount exe=/usr/bin/mount key=privileged_command
user450409
  • I can't find anything being mounted by this user, so I don't know why user id 1001 would make a mount call on every boot. – user450409 Aug 08 '20 at 22:42
  • What's inode 1207? What was pid 696? – Michael Hampton Aug 08 '20 at 22:53
  • inode 1207 is the path /usr/bin/mount; pid 696 was gone after boot – user450409 Aug 08 '20 at 23:02
  • Hm, maybe you should actually take a look at what is mounted? – Michael Hampton Aug 08 '20 at 23:11
  • It's quite likely. That mount happens when you log in (or user services start, if you have any). – Michael Hampton Aug 08 '20 at 23:27
  • mount -l does have something related: `tmpfs on /run/user/1001 type tmpfs (rw,nosuid,nodev,relatime,size=172336k,mode=700,uid=1001,gid=1002)` ran stat on /run/user/1001 and it is owned by the user 1001. Maybe that's the call that was made? – user450409 Aug 08 '20 at 23:30
  • Something is running `mount` with no arguments (argc=1). What other EXECVE entries for user 1001 occurred around this time? What command was pid 696 running? – Mark Plotnick Aug 09 '20 at 16:00
  • No other EXECVE for that user. I'm almost certain the answer is systemd is running mount on behalf of user id 1001 when it creates tmpfs on /run/user/1001. tty=(none) so I know it happened during boot, and I cleared the logs and watched this record come in. I'm all set. Thanks all. – user450409 Aug 10 '20 at 17:25
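
Worked example, added here and not part of the question or its comments: a small Python script that groups `ausearch -i`-style records by their event serial (the number after the timestamp), rebuilds argv from the EXECVE fields, and labels each event from its auid/uid/euid triple. The point it makes about the record above: auid is the login uid that pam_loginuid stamps on a session when it opens, and it is inherited by every child process and not changed by setuid binaries, su or sudo, whereas uid in a SYSCALL record is the real uid of the process. Had user 1001 run `mount` from a shell, the record would show uid=1001 with euid=root from the setuid bit; the question's record shows uid=root, so the parent of pid 697 was already running as root inside the session that PAM opened for uid 1001. The sample lines are constructed for this example: event 256 copies the fields of the question's record, events 240 and 262 are invented for contrast, and the label names are this example's own.

```python
"""Group auditd records by event serial and label each event from its
auid/uid/euid fields. Added example; not code from the question."""
import re
from collections import defaultdict

# Constructed sample in `ausearch -i` (interpreted) format. Event 256 copies
# the fields of the record in the question; 240 and 262 are invented for
# contrast (a system job with no login user, and the user running mount).
SAMPLE = """\
type=PATH msg=audit(08/08/2020 18:15:20.100:240) : item=0 name=/usr/bin/mount inode=1207 dev=08:01 mode=file,suid,755 ouid=root ogid=root rdev=00:00
type=EXECVE msg=audit(08/08/2020 18:15:20.100:240) : argc=2 a0=mount a1=-a
type=SYSCALL msg=audit(08/08/2020 18:15:20.100:240) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1 pid=410 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mount exe=/usr/bin/mount key=privileged_command
type=PATH msg=audit(08/08/2020 18:15:21.901:256) : item=0 name=/usr/bin/mount inode=1207 dev=08:01 mode=file,suid,755 ouid=root ogid=root rdev=00:00
type=EXECVE msg=audit(08/08/2020 18:15:21.901:256) : argc=1 a0=mount
type=SYSCALL msg=audit(08/08/2020 18:15:21.901:256) : arch=x86_64 syscall=execve success=yes exit=0 ppid=696 pid=697 auid=1001 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=mount exe=/usr/bin/mount key=privileged_command
type=PATH msg=audit(08/08/2020 18:20:03.412:262) : item=0 name=/usr/bin/mount inode=1207 dev=08:01 mode=file,suid,755 ouid=root ogid=root rdev=00:00
type=EXECVE msg=audit(08/08/2020 18:20:03.412:262) : argc=2 a0=mount a1=-l
type=SYSCALL msg=audit(08/08/2020 18:20:03.412:262) : arch=x86_64 syscall=execve success=yes exit=0 ppid=1500 pid=1507 auid=1001 uid=1001 gid=1002 euid=root suid=root fsuid=root egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=1 comm=mount exe=/usr/bin/mount key=privileged_command
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((.+?):(\d+)\) : (.*)$")
NO_LOGIN = {"unset", "-1", "4294967295"}   # spellings of "loginuid never set"


def parse_fields(body):
    """Turn 'k=v k=v ...' into a dict of raw string values."""
    fields = {}
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return fields


def parse_records(text):
    """Group lines by serial: {serial: {time, syscall, argv, paths}}."""
    events = defaultdict(lambda: {"time": None, "syscall": {}, "argv": [], "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                      # not an audit record, skip it
        rtype, stamp, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = stamp
        f = parse_fields(body)
        if rtype == "SYSCALL":
            ev["syscall"] = f
        elif rtype == "EXECVE":           # rebuild argv from argc, a0, a1, ...
            ev["argv"] = [f.get(f"a{i}", "") for i in range(int(f.get("argc", 0)))]
        elif rtype == "PATH":
            ev["paths"].append(f)
    return dict(events)


def classify(ev):
    """Label one event from auid (login uid), uid (real) and euid (effective)."""
    sc = ev["syscall"]
    auid, uid, euid = sc.get("auid"), sc.get("uid"), sc.get("euid")
    setuid_file = any("suid" in p.get("mode", "").split(",") for p in ev["paths"])
    if auid in NO_LOGIN:
        return "no-login-user"            # init or a system job; no PAM session behind it
    if auid == uid and euid == "root" and uid != "root" and setuid_file:
        return "setuid-by-login-user"     # the logged-in user ran it; setuid bit gave euid=root
    if auid == uid:
        return "run-by-login-user"        # no privilege change at all
    if uid == "root":
        return "root-process-in-login-session"  # parent was already root; auid inherited
    return "uid-changed-other"


def summarize(events):
    """One line per event, oldest serial first."""
    lines = []
    for serial in sorted(events):
        ev, sc = events[serial], events[serial]["syscall"]
        lines.append(
            f"{ev['time']} serial={serial} ppid={sc.get('ppid')} pid={sc.get('pid')} "
            f"auid={sc.get('auid')} uid={sc.get('uid')} euid={sc.get('euid')} "
            f"tty={sc.get('tty')} ses={sc.get('ses')} "
            f"argv={' '.join(ev['argv'])!r} -> {classify(ev)}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(parse_records(SAMPLE)):
        print(line)
```

On a live box the same grouping is what `ausearch -k privileged_command -i` gives you, and `ausearch --ppid 696 -i` or `ausearch --session 1 -i` narrows it to siblings of pid 697 or to everything stamped with that login session. ausearch only sees what a rule captured, so pid 696 itself shows up only if its own execve matched a rule; if it did not, add an execve watch broad enough to catch the parent before the next reboot.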
