Sorry if this topic has already been discussed, but I was unable to find information about it in the mailing list.

I am running auditd on a machine that is configured with readonly-root support. For this configuration to work, I have files listed in /etc/rwtab.d/ that need to be read-write, but are on my hard-drive that is read-only.

So if I add an audit rule for a random file:

# auditctl -w /etc/rc.d/rc.local -p x -k rclocal

If /etc/rc.d/rc.local is mounted in a tmpfs (because of readonly-root), running rc.local will not produce an event. If I unmount /etc/rc.d/rc.local and run it, an event will be generated.

How am I supposed to audit files that are mounted in tmpfs due to rwtab and readonly-root?

Thanks,

Kevin