I'm working on scripted monitoring of USB activity: file reads, writes, folder creations, etc. Our codebase automatically sets up a mount point in /media/usb/(mounted_usb_name) when a USB is inserted, and deletes this mount point when the USB is removed. I've configured auditd to watch /media/usb using the following rules:
-w /media/usb -p r -k USB_r
-w /media/usb -p w -k USB_w
-w /media/usb -p a -k USB_a
-w /media/usb -p x -k USB_x
... to be able to identify distinct types of activity in the auditd log.
This works fine for the most part; I'm able to see log activity for all kinds of operations in the mounted USB location. However, when I remove and re-plug the USB, causing the mount directory to be deleted and recreated via our codebase, auditd stops reporting any and all activity to the log.
There's no difference in owners or permissions between the two created mount points. I've also tried creating folders directly in /media/usb, deleting them, and recreating them, and auditd has no issue tracking these folders whenever present. I've checked syslog, but the only lead I've found there is the line:
"Volume was not properly unmounted. Some data may be corrupted. Please run fsck".
... which occurs when the USB is plugged in, rather than removed.
I've tried with multiple USBs and on two different machines. Behaviour is consistent. The only thing that seems to fix the issue is running:
systemctl restart auditd
... which isn't a good option for our goals.
I'd appreciate any help on this :)
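As an added example (not part of the question above), here is a small Python script that parses auditd records carrying the USB_r/USB_w/USB_a/USB_x keys from the rules in the question and checks whether the watch has gone quiet after a re-plug, which is the symptom described; the log lines are constructed samples and the re-plug timestamp is an assumed value.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the original post): USB-keyed
# activity before the re-plug, then only unrelated records afterwards.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 key="USB_w"
type=PATH msg=audit(1700000000.101:201): item=0 name="/media/usb/STICK/notes.txt" nametype=CREATE
type=SYSCALL msg=audit(1700000005.250:202): arch=c000003e syscall=257 success=yes exit=3 key="USB_r"
type=SYSCALL msg=audit(1700000009.900:203): arch=c000003e syscall=257 success=yes exit=4 key="USB_w"
type=SYSCALL msg=audit(1700000100.000:204): arch=c000003e syscall=2 success=yes exit=5 key=(null)
"""

# The USB was re-plugged (mount point deleted and recreated) at this assumed time.
REPLUG_TS = 1700000050.0

# Matches the record type, the audit timestamp/serial, and an optional key field.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)'
    r'(?:.*?\bkey="?(?P<key>[^"\s]+)"?)?'
)


def parse_records(text):
    """Turn raw audit.log text into dicts with type, timestamp, serial and key."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        key = m.group("key")
        if key == "(null)":  # auditd writes key=(null) for unkeyed records
            key = None
        records.append({"type": m.group("type"), "ts": float(m.group("ts")),
                        "serial": int(m.group("serial")), "key": key})
    return records


def usb_activity(records, prefix="USB_"):
    """Count SYSCALL records per USB_* key (the key lives on the SYSCALL record)."""
    return Counter(r["key"] for r in records
                   if r["type"] == "SYSCALL" and r["key"] and r["key"].startswith(prefix))


def watch_is_silent(records, since_ts, prefix="USB_"):
    """True if no USB_* keyed SYSCALL record was logged at or after since_ts."""
    return not any(r["ts"] >= since_ts for r in records
                   if r["type"] == "SYSCALL" and r["key"] and r["key"].startswith(prefix))


def audit_rules(mount_root="/media/usb"):
    """The four -w rules from the question, generated for a given mount root."""
    return [f"-w {mount_root} -p {p} -k USB_{p}" for p in ("r", "w", "a", "x")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(usb_activity(recs), "silent after re-plug:", watch_is_silent(recs, REPLUG_TS))
```

Run the same check against `ausearch -k USB_w --raw` output (or the raw audit.log) with the real re-plug time to confirm whether the watch actually stopped firing rather than the events simply being filtered.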