Dear audit group,
I have Docker containers running in a k8s cluster. In one container there was 
an issue reported that a specific file was lost, but we didn't know who deleted 
the file or when the file got lost.
The worker node where the container is located has auditd installed and running; 
however, the container doesn't have auditd installed. My idea is to set up an 
audit rule to watch the specific file and see how it was deleted.
The problematic file in the container:
[admin@1422dd6ae839 data]$ ls /data/foo.log
foo.log
[admin@1422dd6ae839 data]$ pwd
/data

The problem is that auditd is running on the worker, so when I specify the rule 
for the file inside the container, I'd give a rule like the following:
auditctl -w /data/foo.log
However, this path doesn't exist on the worker node, so auditd would not be able 
to watch it.

I tried "nsenter" to enter the container's mount namespace and add the rule, but 
since auditd is not running in the container, it could not work either.

I would appreciate it if someone could help me find a way to watch a file inside 
a container while auditd is running on the worker node.

BR/Charles
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
