Closed. jarpy closed this issue 7 years ago.
Perhaps I just need to disable auditd.
EDIT: Nope, it's not even installed.
The kernel checks that the client has the CAP_AUDIT_CONTROL capability (when Auditbeat is operating as the primary userspace audit daemon) or the CAP_AUDIT_READ capability (when Auditbeat is only listening to events on a multicast socket) [this is a new feature that hasn't merged yet and requires kernel 3.16+].

So adding --pid=host --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ should be sufficient to make Auditbeat work in a container.
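As an added example (my own script, not part of this issue thread and not Auditbeat project code), here is a bash check that can be run inside the container before starting auditbeat: it reads the effective capability mask from /proc/self/status and reports whether the two audit capabilities named in the reply above are present, and whether the host's PID namespace is visible. The bit positions (CAP_AUDIT_CONTROL = 30, CAP_AUDIT_READ = 37) are assumed from the kernel's include/uapi/linux/capability.h; the kthreadd test for --pid=host is a heuristic, and the function names are my own. Because it works on bit numbers rather than capability names, it does not depend on the container's libcap knowing what CAP_AUDIT_READ is.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or from Auditbeat): verify from inside a
# container that the process has the capabilities the audit netlink socket
# requires, and that the host pid namespace is visible (--pid=host).
set -eu

# Bit positions taken from include/uapi/linux/capability.h (assumption).
CAP_AUDIT_CONTROL=30
CAP_AUDIT_READ=37      # only defined on kernels >= 3.16

# has_cap MASK BIT
#   MASK is the hex value after "CapEff:" in /proc/<pid>/status (no 0x).
#   Succeeds when BIT is set in MASK.
has_cap() {
    local mask=$1 bit=$2
    [ $(( 0x$mask >> bit & 1 )) -eq 1 ]
}

# current_cap_eff: effective capability mask of this process, as hex.
current_cap_eff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# audit_caps_ok MASK
#   Returns 0 when both audit capabilities are in MASK; otherwise prints
#   what is missing to stderr and returns 1.
audit_caps_ok() {
    local mask=$1 rc=0
    has_cap "$mask" "$CAP_AUDIT_CONTROL" \
        || { echo "missing CAP_AUDIT_CONTROL (--cap-add=AUDIT_CONTROL)" >&2; rc=1; }
    has_cap "$mask" "$CAP_AUDIT_READ" \
        || { echo "missing CAP_AUDIT_READ (--cap-add=AUDIT_READ, kernel >= 3.16)" >&2; rc=1; }
    return $rc
}

# shares_host_pid_ns
#   Heuristic (assumption): with --pid=host the host's kernel threads are
#   visible, so PID 2 is kthreadd. In a private pid namespace PID 2 is
#   either absent or an ordinary container process.
shares_host_pid_ns() {
    [ -r /proc/2/comm ] && [ "$(cat /proc/2/comm)" = "kthreadd" ]
}

# Run the checks against this process only when asked, so the functions can
# also be sourced from other scripts without side effects.
if [ "${1:-}" = "--check-self" ]; then
    mask=$(current_cap_eff)
    echo "CapEff: 0x$mask"
    audit_caps_ok "$mask" && echo "audit capabilities: ok"
    if shares_host_pid_ns; then
        echo "pid namespace: host (--pid=host)"
    else
        echo "pid namespace: private; auditbeat will not see host processes" >&2
    fi
fi
```

Usage: `docker run --rm --pid=host --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ <image> bash check-audit-caps.sh --check-self`. Running it with the same image and only Docker's default capability set shows the missing bits, which is the quickest way to tell a capability problem from a pid-namespace problem when auditbeat just reports "operation not permitted".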
Thanks! --pid=host was, indeed, the required magic.
I started out with the capabilities you mentioned since I assumed they were the needed ones. After that, I added progressively more desperate (and insecure) options in a vain attempt to resolve the issue.
Confirming the required capabilities raises another interesting challenge, that you will "appreciate", @dliappis. We can't easily set CAP_AUDIT_READ on the Auditbeat binary while building the image. Why? Because CAP_AUDIT_READ was introduced in Linux 3.16, but the setcap we have in CentOS 7 was compiled with capability.h from Linux 3.10. Nasty.
The Auditbeat image currently fails with 'operation not permitted' even when:
--privileged
--cap-add=ALL
Very interesting. I feel like there's something I don't know about audit permissions. Any thoughts @andrewkroh?