Hi,
I'm currently trying to audit my host from my container, but when I mount my /var, /sys and /proc into the container under /hostfs it doesn't change anything; auditbeat doesn't pick them up.
For example, I can see my host's login events when my /var is mounted at the container's /var, but not when it is mounted at /hostfs/var, even though I'm using "-system.hostfs=/hostfs".
I tried adding system.hostfs as an option in the config too, with the same result.
Maybe I'm doing something wrong?
Thanks in advance.
---
# Main auditbeat configuration; the DaemonSet mounts it as /etc/auditbeat.yml.
apiVersion: v1
kind: ConfigMap
metadata:
  name: auditbeat-config
  namespace: auditbeat
  labels:
    k8s-app: auditbeat
data:
  auditbeat.yml: |-
    # Module definitions come from the modules.d directory (a second
    # ConfigMap); they are not reloaded at runtime.
    auditbeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false

    setup.dashboards.enabled: true
    monitoring.enabled: false

    processors:
      - add_cloud_metadata:
      - add_process_metadata:
          match_pids: ['process.pid']
          include_fields: ['container.id']
      # Default indexers/matchers are off; enrichment is keyed solely on the
      # container.id that add_process_metadata resolves above.
      - add_kubernetes_metadata:
          host: ${NODE_NAME}
          default_indexers.enabled: false
          default_matchers.enabled: false
          indexers:
            - container:
          matchers:
            - fields.lookup_fields: ['container.id']

    # NOTE(review): no ssl.* or credential settings are present on this
    # output, so audit events leave the pod unauthenticated and in the clear
    # unless the endpoint is local/proxied - confirm that is intended.
    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:localhost}:${ELASTICSEARCH_PORT:9200}']
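---
# Module configuration for the DaemonSet, mounted at
# /usr/share/auditbeat/modules.d.
apiVersion: v1
kind: ConfigMap
metadata:
  name: auditbeat-daemonset-modules
  namespace: auditbeat
  labels:
    k8s-app: auditbeat
data:
  system.yml: |-
    - module: system
      datasets:
        - host
        - process
        - login
      # The login dataset locates wtmp/btmp through these patterns. The
      # DaemonSet exposes the host's /var under /hostfs/var, so point the
      # patterns there explicitly instead of at the container's own /var/log;
      # if this auditbeat version already applies -system.hostfs to the login
      # dataset these settings are merely redundant.
      login.wtmp_file_pattern: /hostfs/var/log/wtmp*
      login.btmp_file_pattern: /hostfs/var/log/btmp*

    # NOTE(review): every rule below is limited to arch=b64, so the 32-bit
    # syscall ABI (arch=b32) is not audited on nodes that allow it - either
    # mirror the rules for b32 or disable the 32-bit ABI on the host.
    - module: auditd
      audit_rules: |
        -a always,exit -F arch=b64 -S execve,execveat -k exec
        -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
        -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access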
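---
# One auditbeat pod per node. It runs as root with hostPID/hostNetwork and the
# audit/ptrace capabilities because it talks to the kernel audit subsystem and
# inspects host processes; every host mount except the state directory is
# read-only to limit what a compromised agent could change.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: auditbeat
  namespace: auditbeat
  labels:
    k8s-app: auditbeat
spec:
  selector:
    matchLabels:
      k8s-app: auditbeat
  template:
    metadata:
      labels:
        k8s-app: auditbeat
    spec:
      serviceAccountName: auditbeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      hostPID: true
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: auditbeat
          image: docker.elastic.co/beats/auditbeat:7.14.0
          args:
            - "-c"
            - "/etc/auditbeat.yml"
            - "-e"
            # Root of the host filesystem as seen from the container (see the
            # /hostfs/* volumeMounts). NOTE(review): if a dataset does not honor
            # this flag, its own path options (e.g. the login dataset's
            # login.wtmp_file_pattern / login.btmp_file_pattern) can be pointed
            # at /hostfs/var/log directly.
            - "-system.hostfs=/hostfs"
          env:
            - name: ELASTICSEARCH_HOST
              value: localhost
            - name: ELASTICSEARCH_PORT
              value: "9200"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          securityContext:
            runAsUser: 0
            capabilities:
              # Kubernetes documents capability names without the CAP_ prefix
              # (the original list mixed SYS_PTRACE with CAP_SYS_ADMIN and
              # CAP_NET_ADMIN); some runtimes prepend CAP_ themselves, so the
              # prefixed spelling may be rejected at container creation.
              add:
                - AUDIT_READ
                - AUDIT_WRITE
                - AUDIT_CONTROL
                - SYS_PTRACE
                - SYS_ADMIN
                - NET_ADMIN
          resources:
            limits:
              memory: 200Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            # Host filesystems exposed under /hostfs, all read-only.
            - name: var
              mountPath: /hostfs/var
              readOnly: true
            - name: sys
              mountPath: /hostfs/sys
              readOnly: true
            - name: proc
              mountPath: /hostfs/proc
              readOnly: true
            - name: config
              mountPath: /etc/auditbeat.yml
              readOnly: true
              subPath: auditbeat.yml
            - name: modules
              mountPath: /usr/share/auditbeat/modules.d
              readOnly: true
            # Registry/state directory: the only writable host mount.
            - name: data
              mountPath: /usr/share/auditbeat/data
            - name: run-containerd
              mountPath: /run/containerd
              readOnly: true
      volumes:
        - name: var
          hostPath:
            path: /var
        - name: sys
          hostPath:
            path: /sys
        - name: proc
          hostPath:
            path: /proc
        - name: config
          configMap:
            defaultMode: 0640  # octal (decimal 416): owner rw, group r
            name: auditbeat-config
        - name: modules
          configMap:
            defaultMode: 0640  # octal (decimal 416): owner rw, group r
            name: auditbeat-daemonset-modules
        - name: data
          hostPath:
            path: /var/lib/auditbeat-data
            type: DirectoryOrCreate
        - name: run-containerd
          hostPath:
            path: /run/containerd
            type: DirectoryOrCreate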
---
# Binds the auditbeat service account to the cluster-wide read role below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auditbeat
subjects:
  - kind: ServiceAccount
    name: auditbeat
    namespace: auditbeat
roleRef:
  kind: ClusterRole
  name: auditbeat
  apiGroup: rbac.authorization.k8s.io
---
# Read-only, cluster-wide access to the objects the add_kubernetes_metadata
# processor presumably resolves (pods, nodes, namespaces, replicasets). No
# write verbs are granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: auditbeat
  labels:
    k8s-app: auditbeat
rules:
  - apiGroups: [""]
    resources:
      - nodes
      - namespaces
      - pods
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - replicasets
    verbs: ["get", "list", "watch"]
---
# Identity the DaemonSet pods run under (serviceAccountName: auditbeat).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: auditbeat
  namespace: auditbeat
  labels:
    k8s-app: auditbeat
---