Hi Team,
We are trying to configure audit logs using auditctl in a DaemonSet.
We have provided the DaemonSet with escalated permissions and are trying to set up the following example audit rule:
sudo auditctl -w /etc/passwd -p wra -k identity
The screenshot below is from the DaemonSet.
Expected behavior: When trying to read the /etc/passwd file, it should be detected and pushed to journald logs.
Actual behavior:
The audit rule is applied, as confirmed from the journald logs, but the audit logs are not pushed when the file /etc/passwd is accessed from root.
The same is working fine from the admin container or superpowered host containers.
Our suspicion is that we are adding rules from the wrong PID namespace. Please suggest the PID from which we should execute these.
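An added diagnostic, not part of the original post: it tests the namespace suspicion raised above by reporting whether the shell that would run auditctl shares the PID and mount namespaces of a reference process, and whether /etc/passwd as seen from that shell is the same inode the reference process sees. The function names are hypothetical, and it assumes a Linux /proc and a pod with hostPID: true and enough privilege for PID 1 to be the host's init.

```shell
#!/bin/sh
# Added diagnostic (not from the post). Assumes a Linux /proc and, for PID 1 to
# mean the host's init, a pod running with hostPID: true and enough privilege.

# ns_id PID TYPE -> namespace identifier such as "pid:[4026531836]"
ns_id() { readlink "/proc/$1/ns/$2" 2>/dev/null; }

# same_ns PID_A PID_B TYPE -> 0 shared, 1 different, 2 unreadable
same_ns() {
    ns_a=$(ns_id "$1" "$3") || return 2
    ns_b=$(ns_id "$2" "$3") || return 2
    [ "$ns_a" = "$ns_b" ]
}

# file_id PATH -> "device:inode" of PATH after following symlinks
file_id() { stat -L -c '%d:%i' "$1" 2>/dev/null; }

# same_file PID PATH -> 0 if PATH here and PATH under PID's root are one inode,
# 1 if they are different files, 2 if either cannot be read
same_file() {
    here=$(file_id "$2") || return 2
    there=$(file_id "/proc/$1/root$2") || return 2
    [ "$here" = "$there" ]
}

# check_audit_context [REF_PID] [PATH] -> prints one line per check
check_audit_context() {
    ref=${1:-1}; path=${2:-/etc/passwd}
    for t in pid mnt; do
        rc=0; same_ns "$$" "$ref" "$t" || rc=$?
        case $rc in
            0) echo "$t namespace: shared with PID $ref" ;;
            1) echo "$t namespace: differs from PID $ref" ;;
            *) echo "$t namespace: cannot read /proc/$ref/ns/$t" ;;
        esac
    done
    rc=0; same_file "$ref" "$path" || rc=$?
    case $rc in
        0) echo "$path: same inode as seen from PID $ref" ;;
        1) echo "$path: different file than PID $ref sees" ;;
        *) echo "$path: cannot compare via /proc/$ref/root" ;;
    esac
}

check_audit_context "$@"
```

Running it in both the DaemonSet pod and a container where the rule works, then comparing the two outputs, shows which namespace or file identity differs between them.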