Mirror of https://github.com/linuxkit/linuxkit.git, synced 2025-09-13 21:59:55 +00:00
add an auditd container
Two things to note here: we unfortunately can't just exec audit, because something needs to load the rules in beforehand. Second, it also dies if it can't re-nice itself, so we have to give it CAP_SYS_NICE as well as the audit caps. I didn't add this to the default linuxkit.yml because the linuxkit/audit repo doesn't exist yet, but we should probably (?) do that. Additionally, we should provide the kernel parameter audit=1, otherwise according to auditd's man pages, we can't audit some early tasks.

Closes #52

Signed-off-by: Tycho Andersen <tycho@docker.com>
pkg/auditd/audit.rules (new file, 12 lines added)
@@ -0,0 +1,12 @@
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 0
## Set failure mode to syslog
-f 1
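Review bot: this file contains only auditctl control directives (-D, -b, --backlog_wait_time, -f) and not a single -w watch or -a syscall rule, so once auditd loads it the container records nothing beyond what the kernel emits on its own; since the commit message stresses that the rules must be loaded before auditd starts, either the intended watch/syscall rules should be added here or a comment should state that this is a baseline meant to be extended by the image that ships it. Two smaller points: `--backlog_wait_time 0` together with `-f 1` (printk in auditctl terms) means that when the 8192-event backlog is full the kernel does not wait for space, so surplus events are lost and only a kernel log line records it, a deliberate availability-over-completeness choice that deserves a comment next to `-f 1` rather than the current `## Set failure mode to syslog`; and `## This determine how long to wait in burst of events` should read `## This determines how long to wait in a burst of events`.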