Detecting execution of files in rwtab

Kevin Sullivan kevin4sullivan at gmail.com
Mon Oct 16 17:21:50 UTC 2017


Sorry if this topic has already been discussed, but I was unable to find
information about it in the mailing list.

I am running auditd on a machine that is configured with readonly-root
support. For this configuration to work, I have files listed in
/etc/rwtab.d/ that need to be read-write, but are on my hard drive that is
read-only.

So if I add an audit rule for a random file:

# auditctl -w /etc/rc.d/rc.local -p x -k rclocal

If /etc/rc.d/rc.local is mounted in a tmpfs (because of readonly-root),
running rc.local will not produce an event. If I unmount /etc/rc.d/rc.local
and run it, an event will be generated.

How am I supposed to audit files that are mounted in tmpfs due to rwtab and
readonly-root?

Thanks,

Kevin
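
An added example, not part of the original post: a shell helper that lists which audit watch paths currently sit on a tmpfs mount, the situation the post describes, so such watches can be found before relying on them. The function name, the sample rules other than the rc.local one, and the mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints "WATCH_PATH COVERING_MOUNT" for every -w rule whose
# path sits on a tmpfs mount. Paths containing spaces are not handled.
tmpfs_backed_watches() {   # $1 = audit rules file, $2 = mountinfo file
    awk '
        FILENAME == ARGV[1] {
            # mountinfo: field 5 is the mount point; the filesystem type
            # follows the "-" separator. Later mounts override earlier ones.
            for (i = 7; i <= NF; i++)
                if ($i == "-") { fstype[$5] = $(i + 1); break }
            next
        }
        /^[ \t]*#/ { next }                      # comment lines in the rules
        {
            for (i = 1; i < NF; i++) {
                if ($i != "-w") continue
                path = $(i + 1); best = ""
                # The longest mount point that contains the path is the one
                # the path resolves onto.
                for (mp in fstype) {
                    covers = (mp == "/" || path == mp || index(path, mp "/") == 1)
                    if (covers && length(mp) > length(best)) best = mp
                }
                if (best != "" && fstype[best] == "tmpfs") print path, best
            }
        }
    ' "$2" "$1"
}

demo() {   # constructed sample inputs, not taken from the post's machine
    dir=$(mktemp -d)
    cat > "$dir/audit.rules" <<'EOF'
# constructed rules; the first is the rule from the post
-w /etc/rc.d/rc.local -p x -k rclocal
-w /usr/bin/passwd -p x -k passwd
-w /var/cache/man/index.db -p wa -k mandb
EOF
    cat > "$dir/mountinfo" <<'EOF'
21 0 8:1 / / ro,relatime - ext4 /dev/sda1 ro
31 21 0:25 /etc/rc.d/rc.local /etc/rc.d/rc.local rw,relatime - tmpfs none rw
32 21 0:25 /var/cache/man /var/cache/man rw,relatime - tmpfs none rw
EOF
    tmpfs_backed_watches "$dir/audit.rules" "$dir/mountinfo"
    rm -rf "$dir"
}
demo
```

On a live system the two arguments would be the loaded rules file (for example /etc/audit/audit.rules) and /proc/self/mountinfo.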