Linux Auditd monitoring of file operations in mounted folder

I have multi node kubernetes cluster and I would like to monitor file operations that are made by containers in mounted persistent volume. I found the all PV data are located at nodes in /var/lib/kubelet/pods/<container-uid>/volumes/<pv-name>/mount. So I have auditd rules like this:

-w /var/lib/kubelet/pods -p r -k fileops_cdr_read
-w /var/lib/kubelet/pods -p w -k fileops_cdr_write
-w /var/lib/kubelet/pods -p x -k fileops_cdr_exec
-w /var/lib/kubelet/pods -p a -k fileops_cdr_append

Containers are created and deleted dynamically, so I don't know the container-uid beforehand, so I can't set the specific rule for each container - that's the reason why I set monitoring for the parent folder.

When a container with mounted data exists before auditbeat deployment, then auditing works as expected. But if a container is created when the auditbeat is already deployed, then file operations in ../mount folder are not captured. After redeployment of auditbeat everything works as expected.

I investigated, when you manipulate data anywhere else than /mount folder, all events are audited. But no events are captured in /mount folder - when you don't restart auditbeat.

Is there any way how to achieve monitoring of mounted folder, when I don't know the container uid beforehand?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.