The goal is to use Linux's auditd to capture file copies from a folder after a USB disk is auto-mounted to it, in RHEL-8.10.
Normally the USB disk is not mounted; I want to hot-plug the USB disk in, at which point it auto-mounts to a folder, named /transfer for example, per this in /etc/fstab:

    UUID=12345 /transfer xfs defaults,nodev,nosuid,noexec,nofail 0 0

The audit rule is this:

    -w /transfer -p war -k USB_TRANSFER

https://access.redhat.com/solutions/7050527, titled "The audit rule is invalid when the folder in the rule is missing...", speaks about that specifically, and my folder for the watch rule does exist, just not the contents of the folder until it gets mounted. The solution to this per Red Hat sucks frankly; it doesn't elaborate, and it recognizes this as a problem but then says solution = yes, that's what happens.
Auditing and capture of file copies will work if the audit service is started with the USB disk already mounted, so that the contents of /transfer already exist. Otherwise it won't capture copies in audit.log from anything under that folder, per my testing.
Is there a way to use auditd to capture file copies from a USB-mounted disk, without having to restart auditd after the mount? Or a way to trigger a service auditd restart when a USB disk is mounted?