Container Linux includes auditctl and loads /etc/audit/rules.d/* on boot. Journal collects and stores audit data.
The default rules in /etc/rules.d that are loaded on boot filter out everything. Users need to a) change audit.rules to contain only the two rules you posted, removing everything else from rules.d and restarting audit-rules.service, or b) run
auditctl -w /usr/bin/docker -p x -k docker and
auditctl -w /run/torcx/bin/docker -p x -k docker
In order to confirm that the service is running without errors, run sudo systemctl restart audit-rules.service, sudo journalctl -f | grep audit and sudo auditctl -s.
Auditd should work with SELinux in Enforcing mode.
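As an added example (not part of this thread or of Container Linux), the following Python joins the SYSCALL and EXECVE records that a `-w /usr/bin/docker -p x -k docker` watch produces, pairing them by audit event serial so each docker execution can be reported with its auid/uid and reconstructed argv. The log lines are constructed samples; a journalctl prefix in front of `type=` is tolerated because the parser searches for that field rather than anchoring at column 0.

```python
import re
from collections import defaultdict

# Constructed sample journal output: one execve of /usr/bin/docker caught by
# the watch "-w /usr/bin/docker -p x -k docker" (SYSCALL + EXECVE records
# share serial 4242), plus an unrelated, unkeyed execve that must be ignored.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=500 uid=500 gid=500 euid=500 comm="docker" exe="/usr/bin/docker" key="docker"
type=EXECVE msg=audit(1700000000.101:4242): argc=3 a0="docker" a1="run" a2="alpine"
type=SYSCALL msg=audit(1700000000.102:4243): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=902 auid=500 uid=500 gid=500 euid=500 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.102:4243): argc=1 a0="ls"
"""

# Header: record type, timestamp, event serial, remaining key=value body.
_HDR = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# Body fields are either quoted strings (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one audit record into (type, serial, {field: value}) or None."""
    m = _HDR.search(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _KV.findall(body)}
    return rtype, int(serial), fields

def docker_executions(log_text, key="docker"):
    """Return executions tagged with the audit key as
    (serial, auid, uid, exe, argv); records are joined by serial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial][rtype] = fields
    hits = []
    for serial, recs in sorted(events.items()):
        sc = recs.get("SYSCALL", {})
        if sc.get("key") != key:
            continue  # not one of our watched executions
        ex = recs.get("EXECVE", {})
        argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
        hits.append((serial, sc.get("auid"), sc.get("uid"), sc.get("exe"), argv))
    return hits

if __name__ == "__main__":
    for hit in docker_executions(SAMPLE_LOG):
        print(hit)
```

Feed it `sudo journalctl -k -o cat | grep 'type='` (or ausearch output) to get the same join against live records; auid distinguishes the logged-in user from a uid reached via sudo.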
Is there a way to use auditd on coreos, or are we stuck with using solely kauditd and having audit logs end up in the kernel messages?