The question here is how to determine which user or system process mounted or unmounted a particular mount point. Mount and unmount operations can be monitored with auditd, the userspace component of the Linux auditing system: the kernel generates audit records for the events selected by the loaded rules, and auditd receives them and writes them to /var/log/audit/audit.log. Rules are loaded into the kernel with auditctl (or by augenrules when the service starts), and the log is queried with ausearch and aureport.
One of the best things about auditd is that it is tightly integrated with the kernel, so it can monitor almost anything: system calls, file access, user logins and more. By default no auditing rules are configured. We write our rules to /etc/audit/rules.d/audit.rules (or to any other *.rules file in that directory); when the service starts, augenrules merges those files into /etc/audit/audit.rules and loads the result into the kernel.
1. The auditd packages are part of the default installation on RHEL/CentOS 7 systems. We can verify this with the following command:
# rpm -qa | grep audit
audit-libs-2.8.1-3.el7.x86_64
audit-libs-python-2.8.1-3.el7.x86_64
audit-2.8.1-3.el7.x86_64
2. If the package is not a part of our system, we can go ahead and install it:
# yum install audit
3. Make sure that the audit daemon is running. We will use the following command:
# systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-06-17 06:56:06 UTC; 2min 37s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 657 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 652 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 653 (auditd)
    Tasks: 2
   CGroup: /system.slice/auditd.service
           └─653 /sbin/auditd
On CentOS/RHEL 6, you can use the service command to check the status of the auditd service:
# service auditd status
Configuring auditd Rules to Monitor mounting/umounting of Filesystems
Let us now configure the auditd rules required to monitor the mounting/umounting of filesystems.
1. Add the following rule to the file /etc/audit/rules.d/audit.rules to audit mount and umount operations. Note the syscall name: on x86_64 the umount(8) command calls the umount2 syscall (the variant that takes a flags argument), so that is the name the rule must use.
# vi /etc/audit/rules.d/audit.rules
-a always,exit -F arch=b64 -S mount,umount2 -k mount_umount
-a – appends the rule to the end of a list; the list and the action are given as the argument.
always,exit – always generate an event, and evaluate the rule in the exit filter list, i.e. when the syscall returns (so success=yes/no is known).
-F arch=b64 – restricts the rule to the 64-bit syscall ABI. A 32-bit mount binary would not match; it needs a second rule with -F arch=b32.
-S – the syscall(s) to audit (in our case mount and umount2).
-k – a key attached to every matching event, used later to find these events with ausearch.
2. Load the new rule. On RHEL 7 the auditd.service unit refuses manual stops, so systemctl cannot restart it; use the service command instead, which stops the daemon itself and redirects the start to systemd:
# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
Alternatively, load the rules without a restart with augenrules --load (the same command the unit runs in ExecStartPost) and confirm with auditctl -l that the rule is active. If the audit configuration has been locked with -e 2, rules cannot be changed until the next reboot.
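As an added example (not code from the original article), the following shell script generates the rule lines for both syscall ABIs, optionally restricted to events from logged-in users through an auid filter, writes them to a rules.d file and loads them with augenrules. The file name mount_umount.rules and the function names are my own choices; install_mount_rules needs root and a running auditd, while mount_rules runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original article: build and load audit rules for
# mount/umount2 on both syscall ABIs. File and function names are assumptions.

# Print the rule lines to stdout.
#   $1 = key attached to matching events (default mount_umount)
#   $2 = "users" to keep only events from interactive logins, "all" (default)
#        to audit every caller, daemons and cron jobs included.
mount_rules() {
    key=${1:-mount_umount}
    filter=""
    if [ "${2:-all}" = "users" ]; then
        # auid is the login UID and survives su/sudo. 4294967295 (-1) means
        # "unset": kernel threads and daemons started by init. Newer auditctl
        # also accepts the spelling auid!=unset.
        filter="-F auid>=1000 -F auid!=4294967295 "
    fi
    # The b64 rule alone misses a 32-bit mount binary, so add the b32 twin.
    # On x86_64 the umount(8) command calls umount2, hence that syscall name.
    printf '%s\n' "-a always,exit -F arch=b64 -S mount,umount2 ${filter}-k $key"
    printf '%s\n' "-a always,exit -F arch=b32 -S mount,umount2 ${filter}-k $key"
}

# Write the rules into /etc/audit/rules.d and load them without restarting
# auditd (augenrules merges rules.d/*.rules and feeds the result to auditctl).
# Needs root; fails if the audit configuration has been locked with -e 2.
install_mount_rules() {
    key=${1:-mount_umount}
    rulefile=${2:-/etc/audit/rules.d/mount_umount.rules}   # assumed path
    mount_rules "$key" "${3:-all}" > "$rulefile" || return 1
    augenrules --load || return 1
    # Confirm the kernel actually has the rule; auditctl -l prints the key
    # as -F key=<name>.
    auditctl -l | grep -F -- "key=$key"
}

# Example: install_mount_rules mount_umount /etc/audit/rules.d/mount_umount.rules users
```

The "users" filter is useful on a busy server, but remember that it also hides a root login on the console and anything started from cron or systemd; when the question is "what unmounted this at 03:00", keep the unfiltered rule.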
Testing the auditd Rules
1. Let us take the /data mount point as an example and check whether audit logs are generated when it is unmounted and mounted.
# df -hP /data
Filesystem      Size  Used Avail Use% Mounted on
/dev/xvdf       976M  2.6M  907M   1% /data
2. Unmount this mount point manually.
# umount /data
Monitor /var/log/audit/audit.log and look for messages similar to the ones below. The fields that attribute the event are uid=/euid= (the identity the syscall ran as), auid= (the login UID, set at login and preserved across su and sudo), ses= (the login session), tty=, and pid=/ppid=/comm=/exe= for the process. In the record below auid=1001 with uid=0 means that user 1001 logged in and became root before running umount; an auid of 4294967295 (unset) would indicate a process with no login session, such as a daemon or a cron job:
# tailf /var/log/audit/audit.log
...
type=SYSCALL msg=audit(1529223527.639:881): arch=c000003e syscall=166 success=yes exit=0 a0=55a5863d3880 a1=0 a2=1 a3=7ffe52c22320 items=1 ppid=2930 pid=3335 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="umount" exe="/usr/bin/umount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="mount_umount"
type=CWD msg=audit(1529223527.639:881): cwd="/root"
Going through /var/log/audit/audit.log can be overwhelming if many things are being audited on the server. Instead, use the ausearch command with the key defined in the rule to filter only the records related to mounting and unmounting; adding -i interprets the numeric fields (UIDs are resolved to user names, the syscall number to its name and the hex-encoded proctitle to the command line). For example:
# ausearch -k mount_umount
----
time->Sun Jun 17 08:18:47 2018
type=PROCTITLE msg=audit(1529223527.639:881): proctitle=756D6F756E74002F64617461
type=PATH msg=audit(1529223527.639:881): item=0 name="/data" inode=2 dev=ca:50 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1529223527.639:881): cwd="/root"
type=SYSCALL msg=audit(1529223527.639:881): arch=c000003e syscall=166 success=yes exit=0 a0=55a5863d3880 a1=0 a2=1 a3=7ffe52c22320 items=1 ppid=2930 pid=3335 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="umount" exe="/usr/bin/umount" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="mount_umount"
All records of one event share the same audit(timestamp:serial) identifier, here 1529223527.639:881. The proctitle value is the command line hex-encoded with NUL separators; 756D6F756E74002F64617461 decodes to umount /data, and the PATH record names the mount point that was operated on.