Configuration Files for Linux Agent reporting Read-Only Filesystem

Problem

On some supported Linux platforms, depending on the system configuration and the security policies applied to the machine, the directory the agent uses to store its configuration (and therefore the configuration files placed within it) is protected in such a way that the agent is unable to save or write its settings to disk.

This issue can be recognised by errors similar to:

Failed to save settings: Error to remove configuration file:/etc/audit/snare.conf (Read-only file system)

Affected Platforms

To date this issue has been observed on the following platforms:

  • SUSE Linux 15 SP4

Solution

For platforms that support auditd version 3.0 or higher, the issue can be resolved by the following steps (as root or with sudo):

  1. Stop auditd service

    systemctl stop auditd
  2. Create the directory that will hold the relocated settings file

    mkdir -p /opt/snare
  3. Modify the plugin configuration file /etc/audit/plugins.d/Snare-$PLATFORM-Agent.conf (replace $PLATFORM with the operating system; for SUSE 15, for example, the path is /etc/audit/plugins.d/Snare-SLED-15-Agent.conf) to match the following:

  4. Start auditd

    systemctl start auditd

This results in the agent using the provided path /opt/snare/snare.conf to hold its settings rather than the default of /etc/audit/snare.conf. This path is typically not write-restricted, so the agent operates normally on affected systems.

For platforms that do not support auditd version 3.0 or higher, there is no workaround other than identifying the cause of the write denial and resolving it outside the Snare Agent.