How to detect and log changes in the list of mounted filesystems

Detect and log changes in the list of mounted filesystems (/proc/self/mountinfo file).

Create a shell script that polls for changes in the list of mounted filesystems and logs them using the logger utility.

$ cat << EOF | sudo tee /usr/sbin/mount-monit.sh
#!/bin/bash
# poll for changes in mounted filesystems and log these

SYSTEMD_PIDS=\$(ps -o pid= -C systemd)
SYSTEMD_IS_PARENT=0
MY_PARENT=\$(ps -o ppid= -p \$\$)

for PID in \$SYSTEMD_PIDS; do
  if [ "\$PID" -eq "\$MY_PARENT" ]; then
    SYSTEMD_IS_PARENT=1
  fi
done

# ensure that this script is executed by systemd
if [ "\$SYSTEMD_IS_PARENT" -eq "0" ]; then
  exit 1
fi

# keep only mount, umount, remount and move events
findmnt --poll | \\
  while read -r line; do \\
    echo "\$line" | \\
    awk '\$1 ~ /^((u|re)?mount|move)\$/ {print \$0}' | \\
    logger --priority "local0.notice" --tag "mount-monitor"; \\
  done
EOF
#!/bin/bash
# poll for changes in mounted filesystems and log these

SYSTEMD_PIDS=$(ps -o pid= -C systemd)
SYSTEMD_IS_PARENT=0
MY_PARENT=$(ps -o ppid= -p $$)

for PID in $SYSTEMD_PIDS; do
  if [ "$PID" -eq "$MY_PARENT" ]; then
    SYSTEMD_IS_PARENT=1
  fi
done

# ensure that this script is executed by systemd
if [ "$SYSTEMD_IS_PARENT" -eq "0" ]; then
  exit 1
fi

# keep only mount, umount, remount and move events
findmnt --poll | \
  while read -r line; do \
    echo "$line" | \
    awk '$1 ~ /^((u|re)?mount|move)$/ {print $0}' | \
    logger --priority "local0.notice" --tag "mount-monitor"; \
  done

Set the executable bit.

$ sudo chmod +x /usr/sbin/mount-monit.sh

Create a systemd service file.

$ cat << EOF | sudo tee /etc/systemd/system/mount-monit.service 
[Unit]
Description=Mount monitor

[Service]
Type=simple
Restart=always
RestartSec=30
ExecStart=/usr/sbin/mount-monit.sh

[Install]
WantedBy=multi-user.target
EOF
[Unit]
Description=Mount monitor

[Service]
Type=simple
Restart=always
RestartSec=30
ExecStart=/usr/sbin/mount-monit.sh

[Install]
WantedBy=multi-user.target

Reload systemd manager configuration.

$ sudo systemctl daemon-reload

Enable the service at boot time.

$ sudo systemctl enable mount-monit.service

Start the service.

$ sudo systemctl start mount-monit.service

Display the service status.

$ sudo systemctl status mount-monit.service
● mount-monit.service - Mount monitor
   Loaded: loaded (/etc/systemd/system/mount-monit.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-12-10 16:31:50 CST; 7s ago
 Main PID: 10882 (mount-monit.sh)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/mount-monit.service
           ├─10882 /bin/bash /usr/sbin/mount-monit.sh
           ├─10885 findmnt --poll
           └─10886 /bin/bash /usr/sbin/mount-monit.sh

Dec 10 16:31:50 debian systemd[1]: Started Mount monitor.

Sample mount operations and their corresponding log entries.

$ sudo mount -t tmpfs none /var/www/assets/
$ sudo mount -o remount,size=128M /var/www/assets/
$ sudo umount /var/www/assets 
Dec 10 16:53:23 debian mount-monitor: mount /var/www/assets none tmpfs rw,relatime
Dec 10 16:53:37 debian mount-monitor: remount /var/www/assets none tmpfs rw,relatime,size=131072k
Dec 10 16:56:34 debian mount-monitor: umount /var/www/assets none tmpfs rw,relatime,size=131072k
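
The log entries above are all written at the same priority. As an added example (not part of the original article), the function below reads events in the logged format and raises the priority for mounts whose options lack nosuid, nodev or noexec. The function names, the sample lines and that policy are assumptions.

```shell
#!/bin/bash
# Added example: triage events in the format the article logs
# (ACTION TARGET SOURCE FSTYPE OPTIONS), one event per line on stdin.
# Policy assumption: mount/remount/move events whose options lack
# nosuid, nodev or noexec deserve a higher syslog priority.

triage_mount_events() {
  awk '
    # Only the exact action names; the alternation is anchored as a whole.
    $1 !~ /^((u|re)?mount|move)$/ { next }
    {
      prio = "local0.notice"
      missing = ""
      if ($1 != "umount") {
        n = split("nosuid nodev noexec", want, " ")
        opts = "," $5 ","
        for (i = 1; i <= n; i++)
          if (index(opts, "," want[i] ",") == 0)
            missing = (missing == "" ? "" : missing ",") want[i]
      }
      out = $0
      if (missing != "") {
        prio = "local0.warning"
        out = out " missing=" missing
      }
      print prio, out
    }'
}

# Constructed sample input: a constructed header line, two events taken
# from the article's log sample, and one constructed hardened mount.
sample_events() {
  cat << 'EOF'
ACTION TARGET SOURCE FSTYPE OPTIONS
mount /var/www/assets none tmpfs rw,relatime
umount /var/www/assets none tmpfs rw,relatime,size=131072k
mount /mnt/usb /dev/sdb1 vfat rw,nosuid,nodev,noexec,relatime
EOF
}

sample_events | triage_mount_events
```

The first field of each output line can be passed to logger --priority in place of the fixed "local0.notice" used in the script.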

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long-time supporter of the Free Software Foundation and the Debian operating system. He is also open to new opportunities and challenges.