I’d like to set a file system watch so that any activity in an auto-mounted directory is audited. It looks like just setting a watch on a parent directory isn’t sufficient. For example, if I have directory path /dir1/dir2 and auto-mount something at /dir1/dir2/mount-dir, setting a file system watch on /dir1/dir2 doesn’t detect activity in the auto-mounted subtree. Looking at the auditctl man page, it looks like I’d have to issue a command like "/sbin/auditctl -q /dir1/dir2/mount-dir,/dir1/dir2" to tell the kernel to watch the newly mounted file system as well. Unfortunately, auto-mounts are, well, automatic, so there’s no one to issue that command.
Am I missing a better way to accomplish this goal? Is my understanding wrong? Any help would be appreciated. Thanks,
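
The situation described in the post, as an added example that is not part of the original message: a shell function that reads mount-table lines and prints the `auditctl -q mount-point,subtree` command for every real filesystem mounted beneath a watched directory. The function name, the sample mount table and the NFS source are constructed for illustration; that `-q` makes the automounted tree visible to the existing watch is the post's reading of the man page and is assumed here.

```shell
#!/bin/sh
# equiv_cmds WATCHED_DIR  (hypothetical helper, not part of the audit tools)
# Reads lines in /proc/self/mountinfo format on stdin and prints one
# "auditctl -q mount-point,subtree" command per filesystem mounted
# strictly below WATCHED_DIR.
equiv_cmds() {
    awk -v watched="${1%/}" '
    {
        mp = $5                          # field 5 is the mount point
        # The filesystem type is the field right after the "-" separator.
        fstype = ""
        for (i = 7; i < NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        # The autofs entry is only the automounter trigger, not the
        # filesystem that gets mounted on top of it.
        if (fstype == "autofs") next
        # Trailing "/" keeps /dir1/dir2-other from matching /dir1/dir2.
        if (index(mp, watched "/") != 1) next
        # mountinfo octal-escapes spaces etc., and -q splits on a comma:
        # report such paths instead of emitting an ambiguous command.
        if (mp ~ /[\\,]/) { print "# skipped, needs manual handling: " mp; next }
        print "/sbin/auditctl -q " mp "," watched
    }'
}

# Constructed sample mount table: the autofs trigger, the NFS filesystem
# mounted over it, a sibling directory with a similar name, and /home.
SAMPLE='36 25 0:31 / /dir1/dir2/mount-dir rw,relatime shared:1 - autofs /etc/auto.demo rw,fd=6
97 36 0:45 / /dir1/dir2/mount-dir rw,relatime shared:2 - nfs4 server.example:/export rw,vers=4.2
98 25 8:1 / /dir1/dir2-other rw shared:3 - ext4 /dev/sda1 rw
99 25 8:2 / /home rw shared:4 - ext4 /dev/sda2 rw'

printf '%s\n' "$SAMPLE" | equiv_cmds /dir1/dir2
# On a live system: equiv_cmds /dir1/dir2 < /proc/self/mountinfo
```

The function only prints the commands, so the output can be reviewed before anything is passed to auditctl.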