enable auditd in bottlerocket

[sumeet-zuora]

So, we are using bottlerocket in AWS EKS and was wondering how we can enable auditd and setup https://docs.rapid7.com/insight-agent/auditd-compatibility-mode-for-linux-assets/

[vyaghras]

Thanks for raising this issue. Unfortunately Auditd binary is not included in Bottlerocket. One reason is that Auditd doesn’t offer as much value to Bottlerocket due following reasons:

• Bottlerocket uses dm-verity for its root filesystem image and SELinux to protect the system from security threats.
• The root filesystem is immutable and cannot be directly modified by userspace processes.
• There is no shell in Bottlerocket.
• We have high level security goals for Bottlerocket listed here (https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_FEATURES.md).



Also As we can see here (https://docs.rapid7.com/insight-agent/operating-system/#how-to-run-the-insight-agent-on-an-unsupported-os) Bottlerocket OS is not listed as supported OS for Insight Agent. It might be worth asking if they have a different solution that could work with Bottlerocket that is container based like a Daemonset instead of an agent based solution in the hosting OS.