rolo - logging of apps for read-only root
-----------------------------------------

The idea of rolo is to log applications that try to write to the system
filesystems; these are applications that may fail if they attempt to run
on a system with read-only root.

REQUIREMENTS

rolo uses either the audit layer or systemtap.

audit requirements: audit, audit daemon service (auditd) enabled
systemtap requirements: systemtap, kernel-devel, kernel-debuginfo

The method that rolo uses is configurable via /etc/sysconfig/rolo.

HOW TO USE

Install the rolo packages, and the prerequisites for your backend of choice.

/sbin/rolo start
    Starts logging

/sbin/rolo stop
    Stops logging

/sbin/rolo report
    Reports what has currently been logged.

/sbin/rolo build
    Builds the module for systemtap usage. 'start' will attempt to do
    this automatically if it's required.

You can also boot with 'init=/sbin/rolo-init' to start the logging on bootup.

EXCEPTIONS

rolo comes with a list of paths to ignore attempts to write to (such as
/tmp, or /proc). This list is configurable via /etc/rolo/exceptions.

NOTES

To avoid excess noise, rolo should be stopped before running package update
tools, such as pup, pirut, or yum.

SystemTap specific:

SystemTap buffers events before writing them; you may need to run
'rolo stop' before running 'rolo report' to get a full report.

The SystemTap backend filters while running as well as when reporting;
if you remove exceptions, you will need to rebuild the module with
'rolo build'.

The SystemTap backend logs to a tmpfs file; this will use memory as time
goes on.

Audit specific:

To use the audit backend on bootup (via rolo-init), you will need to
remove the '-D' rule from /etc/audit.rules.

The audit backend logs every usage of the open() syscall; this will cause
the audit logs to become fairly large.
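
Because the audit backend records every open() call, a report has to reduce
those records to write attempts outside the excepted paths. The sketch below
is an added example, not rolo's own code: it assumes x86_64 auditd records
(open() is syscall 2, flags in a1 as hex) and treats each exception as a
path prefix; the sample log and the function names are constructed here.

```python
import re
from collections import defaultdict

O_ACCMODE, O_CREAT, O_TRUNC = 0o3, 0o100, 0o1000  # Linux open(2) flag bits
OPEN_SYSCALL = "2"  # open() on x86_64 (assumption; the number is per-architecture)
# Constructed sample records in auditd log layout; not real rolo output.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1189000000.101:41): arch=c000003e syscall=2 success=yes exit=3 a0=7fff01 a1=241 a2=1b6 items=1 pid=2101 comm="cupsd" exe="/usr/sbin/cupsd"
type=PATH msg=audit(1189000000.101:41): item=0 name="/etc/cups/printers.conf" inode=1201
type=SYSCALL msg=audit(1189000000.202:42): arch=c000003e syscall=2 success=yes exit=3 a0=7fff02 a1=0 a2=0 items=1 pid=2102 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1189000000.202:42): item=0 name="/etc/passwd" inode=1202
type=SYSCALL msg=audit(1189000000.303:43): arch=c000003e syscall=2 success=yes exit=4 a0=7fff03 a1=42 a2=180 items=1 pid=2103 comm="vi" exe="/bin/vi"
type=PATH msg=audit(1189000000.303:43): item=0 name="/tmp/scratch" inode=1203
type=SYSCALL msg=audit(1189000000.404:44): arch=c000003e syscall=2 success=yes exit=5 a0=7fff04 a1=1 a2=0 items=1 pid=2104 comm="agent" exe="/opt/demo/agent"
type=PATH msg=audit(1189000000.404:44): item=0 name="/tmpdata/state" inode=1204
"""

def parse_events(log):
    """Merge the SYSCALL and PATH records that share one audit event id."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = re.search(r"msg=audit\(([^)]+)\)", line)
        if m:
            pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
            events[m.group(1)].update((k, v.strip('"')) for k, v in pairs)
    return events

def is_excepted(path, exceptions):
    """Match whole path components, so /tmp does not also cover /tmpdata."""
    for e in (x.rstrip("/") for x in exceptions):
        if path == e or path.startswith(e + "/"):
            return True
    return False

def write_attempts(log, exceptions):
    """Return sorted unique (exe, path) pairs for open() calls with write intent."""
    hits = set()
    for ev in parse_events(log).values():
        if ev.get("syscall") != OPEN_SYSCALL or "name" not in ev:
            continue
        flags = int(ev["a1"], 16)  # auditd prints syscall arguments in hex
        writes = (flags & O_ACCMODE) != 0 or flags & (O_CREAT | O_TRUNC)
        if writes and not is_excepted(ev["name"], exceptions):
            hits.add((ev["exe"], ev["name"]))
    return sorted(hits)

if __name__ == "__main__":
    for exe, path in write_attempts(SAMPLE_LOG, ["/tmp", "/proc"]):
        print(f"{exe} wrote or tried to write {path}")
```

Matching on whole path components keeps an exception such as /tmp from
hiding writes to an unrelated directory like /tmpdata.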