Sorry if this topic has already been discussed, but I was unable to find
information about it in the mailing list.
I am running auditd on a machine that is configured with readonly-root
support. For this configuration to work, I have files listed in
/etc/rwtab.d/ that need to be read-write, but are on my hard-drive that is
read-only.
So if I add an audit rule for a random file:
# auditctl -w /etc/rc.d/rc.local -p x -k rclocal
If /etc/rc.d/rc.local is mounted in a tmpfs (because of readonly-root),
running rc.local will not produce an event. If I unmount /etc/rc.d/rc.local
and run it, an event will be generated.
How am I supposed to audit files that are mounted in tmpfs due to rwtab and
readonly-root?
Thanks,
Kevin