Notes about DirectAudit support inside docker containers


  • Command line auditing can be supported in a Docker container. However, it is not recommended. One issue is that once you enable command auditing in a container, running dainfo in the host OS or in any container shows that command auditing is enabled for all containers and the host OS. This information is not correct: command auditing is not supported in CoreOS and only works in the containers where it is enabled.
  • Running dainfo in a Docker container will not show the status of Advanced Monitoring support. In addition, it shows the error message "Unable to send lrpc2 message: 406 (Socket error)".
  • Running "dacontrol -e" or "dacontrol -d" in the CoreOS host only enables or disables session auditing in the host; it has no effect in the Docker containers. To enable or disable session auditing in an individual container, run "dacontrol -e" or "dacontrol -d" in the container itself. By default, session auditing is automatically enabled in a Docker container.
  • If auditing is required for a user, you MUST enable session auditing in both the host and the Docker container. Otherwise, that user will not be able to log in to a container, even when auditing is enabled on the container alone.
  • Running dainfo in a Docker container only shows the session auditing status of the host, not that of the container. To check the session auditing status in the container, check whether centrifyda is defined in the file /etc/nsswitch.conf in the container.
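Since dainfo does not report the container's own session auditing status, the last note suggests inspecting /etc/nsswitch.conf directly. The script below is an added example, not part of the original notes or of the DirectAudit product, that turns this into a reusable check: it strips comments from an nsswitch.conf, reports which NSS databases list the centrifyda source, and uses that to decide whether session auditing appears enabled. The two sample files and their contents are constructed for the example; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): report whether the DirectAudit NSS
# source "centrifyda" is configured in an nsswitch.conf, which is the check the
# notes recommend for session auditing status inside a container.
# Function names and sample file contents below are constructed for this example.

# Print the nsswitch databases (e.g. "passwd", "group") whose source list
# contains centrifyda. Returns 2 if the file cannot be read.
# Usage: da_nss_databases /etc/nsswitch.conf
da_nss_databases() {
    file="${1:-/etc/nsswitch.conf}"
    [ -r "$file" ] || return 2
    # Drop comments first so "# centrifyda removed" style notes never match,
    # then split "database: source source ..." lines on the colon.
    sed 's/#.*//' "$file" | awk -F: '
        NF >= 2 {
            db = $1; gsub(/[ \t]/, "", db)
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "centrifyda") { print db; break }
        }'
}

# Exit 0 if session auditing appears enabled (centrifyda present in at least
# one database), 1 otherwise.
da_session_audit_enabled() {
    [ -n "$(da_nss_databases "$1")" ]
}

# Constructed sample files standing in for a container's /etc/nsswitch.conf.
sample_enabled=$(mktemp)
cat > "$sample_enabled" <<'EOF'
# /etc/nsswitch.conf (constructed sample: auditing enabled)
passwd:     centrifydc centrifyda files
group:      centrifydc centrifyda files
hosts:      files dns
EOF

sample_disabled=$(mktemp)
cat > "$sample_disabled" <<'EOF'
# constructed sample: auditing not enabled
passwd:     centrifydc files   # centrifyda removed
group:      centrifydc files
EOF
trap 'rm -f "$sample_enabled" "$sample_disabled"' EXIT

if da_session_audit_enabled "$sample_enabled"; then
    echo "enabled sample: centrifyda configured for: $(da_nss_databases "$sample_enabled" | tr '\n' ' ')"
fi
da_session_audit_enabled "$sample_disabled" || echo "disabled sample: centrifyda not configured"
```

Run it inside the container (or point da_nss_databases at a file copied out of it) rather than on the CoreOS host; as the notes explain, the host's configuration says nothing about an individual container's session auditing state.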