Sorry if this topic has already been discussed, but I was unable to find information about it in the mailing list.
I am running auditd on a machine that is configured with readonly-root support. For this configuration to work, I have files listed in /etc/rwtab.d/ that need to be read-write, but are on my hard-drive that is read-only. So if I add an audit rule for a random file: # auditctl -w /etc/rc.d/rc.local -p x -k rclocal If /etc/rc.d/rc.local is mounted in a tmpfs (because of readonly-root), running rc.local will not produce an event. If I unmount /etc/rc.d/rc.local and run it, an event will be generated. How am I supposed to audit files that are mounted in tmpfs due to rwtab and readonly-root? Thanks, Kevin
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
