On Monday, October 16, 2017 1:21:50 PM EDT Kevin Sullivan wrote:
Sorry if this topic has already been discussed, but I was unable to
find
information about it in the mailing list.
I am running auditd on a machine that is configured with readonly-root
support. For this configuration to work, I have files listed in
/etc/rwtab.d/ that need to be read-write, but are on my hard-drive that is
read-only.
So if I add an audit rule for a random file:
# auditctl -w /etc/rc.d/rc.local -p x -k rclocal
If /etc/rc.d/rc.local is mounted in a tmpfs (because of readonly-root),
running rc.local will not produce an event. If I unmount /etc/rc.d/rc.local
and run it, an event will be generated.
How am I supposed to audit files that are mounted in tmpfs due to rwtab and
readonly-root?
I would like to help you, but I'm having a hard time figuring out what you are
talking about. Can you give the steps to reproduce the problem on a file in
some directory like /opt/bug-reproducer? List the shell commands needed to
setup the test environment, how to test it, and how you search to see that
nothing is there. That would make it easier for us to see the problem on our
own system and determine if there is a bug or logical explanation.
-Steve