Linux Intrusion Detection System FAQ
PrevChapter 5. Configuring LIDSNext

5.6. If I protect /etc as read only, how will mount be able to write to /etc/mtab?

It won't. To fix this problem, you can remove the /etc/mtab file and replace it with a symbolic link to /proc/mounts. In order for this to work, you must modify your startup scripts to use the "-n" option with every mount and umount command. This tells mount and umount not to update the /etc/mtab file.

For example, if you find: 
mount -av -t nonfs,noproc
in your init scripts, you will need to change it to: 
mount -av -n -t nonfs,noproc
These mount commands may be scattered throughout your init scripts. Use grep to make sure you catch them all. You will also want to modify all of the umount commands in the same manner.

PrevHomeNext
If nothing is allowed to read my /etc/shadow file, how can I authenticate myself to the system?UpLIDS complains that it can't write to my modules.dep file during startup. What's wrong?