
So I've been looking at ways to audit when a form of external media performs writes/uploads on a Linux system. Currently the main solution I have come across is to simply audit when the mount and unmount syscalls occur, as tracking writes may excessively fill the log files (this should not be a problem for my situation). My current attempt at reading writes from external media is as follows:

-w /media/ -p rwxa -k external_media

However, I found that this solution doesn't work since -w does not travel into newly inserted mounted directories. I also looked into the -q option, but since I won't know the name of the mounted directory beforehand, I don't know how to give the -q option the subtree/mount directory name. Any ideas?

TL;DR In auditd, is there a good way to refresh a rule's watch directory when a new mount point is placed inside said directory?

UPDATE: I'm attempting to use -R /etc/audit/audit.rules in my mounting rule so that whenever I find a new mount/unmount my rule list will be reapplied with the watched directory including the subtrees of the mounted directory, but I am given the following error:

Error - nested rule files not supported

which I am assuming is because I'm trying to -R /etc/audit/audit.rules inside that very same file, though I could be wrong. Is there a workaround for this so that rules can be reapplied automatically upon some audit event occurring? I'm not sure if this will fix the problem, however, because I do not know if -R will actually enforce the new rules right away, or will wait until the auditd service is restarted instead.

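As an added example that is not part of the question above, the following script shows the refresh approach the update is reaching for, done outside the rules file instead of with -R inside it: read the kernel mount table, emit one -w watch per filesystem mounted below /media/, and load those watches with auditctl, which changes the live kernel rule set immediately rather than waiting for an auditd restart. The script name, the MEDIA_ROOT and AUDIT_KEY defaults, the --apply flag and the sample mount table are all assumptions made for this example; the apply function needs root and a running auditd, so the offline demo only prints the rules it would load.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate auditd watch rules
# for every filesystem currently mounted under /media/ by reading the
# kernel mount table, instead of trying to -R the rules file from within
# itself.  Script layout, MEDIA_ROOT/AUDIT_KEY defaults and the --apply
# flag are assumptions made for this example.

MEDIA_ROOT="${MEDIA_ROOT:-/media}"
AUDIT_KEY="${AUDIT_KEY:-external_media}"

# Read a /proc/mounts-format table on stdin (device mountpoint fstype
# options dump pass) and print each mount point below MEDIA_ROOT, one per
# line.  The kernel octal-escapes spaces in paths (e.g. "My\040Disk"), so
# printf %b is used to decode them before the path is printed.
media_mountpoints() {
    while read -r _dev mnt _fstype _opts _rest; do
        case "$mnt" in
            "$MEDIA_ROOT"/*) printf '%b\n' "$mnt" ;;
        esac
    done
}

# Format one file-system watch per media mount point, using the same
# -w/-p/-k form as the original rule but anchored at the mount point
# itself.  Note that a path containing spaces is ambiguous in a rules
# file; apply_media_rules below passes it to auditctl as one argument.
media_watch_rules() {
    media_mountpoints | while read -r mnt; do
        printf -- '-w %s -p rwxa -k %s\n' "$mnt" "$AUDIT_KEY"
    done
}

# Syscall rules that fire on every mount/umount2 on both ABIs.  Their key
# is what a refresh hook can search for (ausearch -k "$AUDIT_KEY").  The
# newer mount API syscalls (fsmount, move_mount) are not covered here.
mount_syscall_rules() {
    printf -- '-a always,exit -F arch=b64 -S mount -S umount2 -k %s\n' "$AUDIT_KEY"
    printf -- '-a always,exit -F arch=b32 -S mount -S umount2 -k %s\n' "$AUDIT_KEY"
}

# Replace the live rules tagged AUDIT_KEY with a fresh set.  auditctl
# changes the kernel rule set immediately; nothing here touches
# /etc/audit/audit.rules.  Needs root and a running auditd, so the demo
# below never calls it.
apply_media_rules() {
    auditctl -D -k "$AUDIT_KEY" >/dev/null
    auditctl -a always,exit -F arch=b64 -S mount -S umount2 -k "$AUDIT_KEY"
    auditctl -a always,exit -F arch=b32 -S mount -S umount2 -k "$AUDIT_KEY"
    media_mountpoints </proc/mounts | while read -r mnt; do
        auditctl -w "$mnt" -p rwxa -k "$AUDIT_KEY"
    done
}

# Constructed sample mount table (not a real system's) for the offline demo.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/alice/My\040Disk ntfs3 rw,nosuid,nodev 0 0
/dev/sdd1 /mnt/backup ext4 rw,relatime 0 0'

if [ "${1:-}" = "--apply" ]; then
    apply_media_rules
else
    # Print the rules that --apply would load for the sample table.
    printf '%s\n' "$SAMPLE_MOUNTS" | media_watch_rules
    mount_syscall_rules
fi
```

Run without arguments it prints, for the sample table, `-w /media/usb0 -p rwxa -k external_media`, `-w /media/alice/My Disk -p rwxa -k external_media` and the two mount/umount2 syscall rules; `/mnt/backup` is ignored because it is outside MEDIA_ROOT. What triggers `--apply` is left open: a udev RUN entry fires on device add, which is before an automounter has mounted the filesystem, so a hook that reacts to the mount events already being audited under the key (or simply polls the mount table) fits the setup described in the question better.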