Trigger alert when a specified command executes in Linux


I have 3 Samba shares mounted in my system, but suddenly, one of them gets unmounted without my permission. Maybe it is one of the hundreds of scripts which run in my crontab, but I don't know which one.

I've reviewed the whole /var/log directory looking for the word umount without success, so I want to log when the umount command is executed and which process is running it.

Maybe with syslog, maybe with another log, maybe a mail to my box....

Thanks a lot.

I have this software:

mount: mount-2.12q
mount.cifs version: 1.14-3.5.4

There are 2 answers

0
flolo On

Since the mount is a change in the filesystem, maybe the inode observer incron is a solution for you. Another option might be auditd.

0
hochl On

Unmounting does not only happen by calling the umount binary; many programs might do it. See the manual page (man syscalls) and search for umount. This said, you would have to hook the corresponding syscall and see who invokes it. I'm not sure, but most probably it's possible to disconnect inside the kernel by calling the corresponding method directly, so functionality might bypass the syscall interface, which is mainly required for userspace interaction. In this case you would have to use some debugging technique on the kernel itself, which maybe is a little much for finding your problem!

You may have success using strace on an already running process (man strace), for example smbd, and see if this process invokes umount, which is quite possible.

Anyways, if you can recompile your kernel from source, you might add some printk message inside the function that is used to unmount a device to see which process did it (this would be my approach for cases where nothing else, including strace, helps).
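A sketch of the auditd route from the first answer combined with the "see who invokes the syscall" idea from the second, added here as an example that is not part of either answer: an audit rule on the umount2 syscall records every caller regardless of binary, and the script joins SYSCALL and PATH records by event serial to report which process tried to unmount which path. The key name `umount-watch`, the 64-bit `arch=b64` filter, the program `/usr/local/bin/cleanup` and all log lines are assumptions constructed for the example.

```python
# Audit rule assumed by this example (run as root; the key name is arbitrary):
#   auditctl -a always,exit -F arch=b64 -S umount2 -k umount-watch
import re
import shlex

# Constructed sample in audit.log format, not taken from a real system.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.101:411): arch=c000003e syscall=166 success=yes exit=0 a0=7f0 a1=0 items=1 ppid=2210 pid=2217 auid=4294967295 uid=0 comm="umount" exe="/bin/umount" key="umount-watch"
type=PATH msg=audit(1300000000.101:411): item=0 name="/mnt/share2" inode=2 dev=00:1f
type=SYSCALL msg=audit(1300000000.500:412): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=900 uid=0 comm="cron" exe="/usr/sbin/cron" key="other"
type=SYSCALL msg=audit(1300000042.007:413): arch=c000003e syscall=166 success=no exit=-16 a0=7f1 a1=2 items=1 ppid=1 pid=3051 auid=1000 uid=0 comm="cleanup" exe="/usr/local/bin/cleanup" key="umount-watch"
type=PATH msg=audit(1300000042.007:413): item=0 name="/mnt/share1" inode=2 dev=00:1e
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")

def parse_events(log_text):
    """Group records by event serial so SYSCALL and PATH lines can be joined."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, rest = m.groups()
        # shlex strips the quotes audit puts around comm=, exe=, name=, key=
        fields = dict(t.split("=", 1) for t in shlex.split(rest) if "=" in t)
        events.setdefault(int(serial), {}).setdefault(rtype, fields)
    return events

def who_unmounted(log_text, key="umount-watch"):
    """Return one dict per audited umount2 call, ordered by event serial."""
    hits = []
    for serial, ev in sorted(parse_events(log_text).items()):
        sc = ev.get("SYSCALL")
        if not sc or sc.get("key") != key:
            continue
        hits.append({
            "serial": serial, "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
            "comm": sc["comm"], "exe": sc["exe"],
            "success": sc["success"] == "yes",   # failed attempts are logged too
            "target": ev.get("PATH", {}).get("name"),  # None if no PATH record
        })
    return hits

if __name__ == "__main__":
    for hit in who_unmounted(SAMPLE_LOG):
        print(hit)
```

On a live system the same records can be pulled with `ausearch -k umount-watch -i`; the `ppid` field is what leads back to the cron job or script that started the process.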