linux-audit.redhat.com archive mirror
* Detecting execution of files in rwtab
@ 2017-10-16 17:21 Kevin Sullivan
  2017-10-17  1:51 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Kevin Sullivan @ 2017-10-16 17:21 UTC
  To: linux-audit


Sorry if this topic has already been discussed, but I was unable to find
information about it in the mailing list.

I am running auditd on a machine that is configured with readonly-root
support. For this configuration to work, I have files listed in
/etc/rwtab.d/ that need to be read-write, but are on my hard-drive that is
read-only.

So if I add an audit rule for a random file:

# auditctl -w /etc/rc.d/rc.local -p x -k rclocal

If /etc/rc.d/rc.local is mounted in a tmpfs (because of readonly-root),
running rc.local will not produce an event. If I unmount /etc/rc.d/rc.local
and run it, an event will be generated.

How am I supposed to audit files that are mounted in tmpfs due to rwtab and
readonly-root?

Thanks,

Kevin
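
A check for the situation described in the message above, added here as an example (it is not part of the original post or of the audit project): it lists which `-w` watches point at paths that sit on a tmpfs mount, so the affected rules can be identified. The function names and both sample inputs are constructed for illustration; only the rc.local rule is taken from the post.

```python
import re
import shlex

# Constructed `auditctl -l` style output; only the first rule comes from the post.
SAMPLE_RULES = """\
-w /etc/rc.d/rc.local -p x -k rclocal
-w /etc/passwd -p wa -k identity
-w /var/lib/dhclient -p wa -k dhcp
"""
# Constructed /proc/self/mountinfo lines for a readonly-root host (assumed layout).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / ro,relatime shared:1 - ext4 /dev/sda1 ro
40 22 0:35 /etc/rc.d/rc.local /etc/rc.d/rc.local rw,relatime shared:20 - tmpfs none rw
41 22 0:35 /var/lib/dhclient /var/lib/dhclient rw,relatime shared:20 - tmpfs none rw
"""

def watched_paths(rules_text):
    """Return the path argument of every -w watch in the rule lines."""
    paths = []
    for line in rules_text.splitlines():
        args = shlex.split(line, comments=True)
        paths += [args[i + 1] for i, a in enumerate(args[:-1]) if a == "-w"]
    return paths

def parse_mountinfo(text):
    """Return (mount point, fstype) pairs in mount order."""
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")  # fstype follows the " - " separator
        fields, rest = left.split(), right.split()
        if not sep or len(fields) < 5 or not rest:
            continue  # skip malformed lines
        # mountinfo escapes space, tab, newline and backslash as octal (\040 ...)
        point = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), fields[4])
        mounts.append((point, rest[0]))
    return mounts

def covering_mount(path, mounts):
    """Longest mount point equal to or above path; a later mount wins a tie."""
    best = None
    for point, fstype in mounts:
        inside = path == point or path.startswith(point.rstrip("/") + "/")
        if inside and (best is None or len(point) >= len(best[0])):
            best = (point, fstype)
    return best

def watches_on_tmpfs(rules_text, mountinfo_text):
    """(watched path, mount point) for each watch whose covering mount is tmpfs."""
    mounts = parse_mountinfo(mountinfo_text)
    found = ((p, covering_mount(p, mounts)) for p in watched_paths(rules_text))
    return [(p, m[0]) for p, m in found if m and m[1] == "tmpfs"]
```

On a live system the two inputs would be the output of `auditctl -l` and the contents of `/proc/self/mountinfo`.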
