Hi, I want to track file writes on a removable harddisk:

$ mount
...
/dev/sda9 on /mnt/volatile_folder type ext4 (rw)
...
$ cat /etc/audit/audit.rules
...
-w /mnt/volatile_folder -p w -k folder
...

External processes regularly unmount, format and mount /dev/sda9. Currently unmounting the device stops the auditd volatile_folder watcher and I have to restart auditd. Is there a better way?

Thx + Best Fir

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
