I have tried this in both CentOS 7 and RHEL Atomic Host. Using ansible, I use the following, with the params containing valid values:
docker_container:
  name: auditbeat
  image: "{{ auditbeat_image }}:{{ auditbeat_version }}"
  hostname: "{{ ansible_fqdn }}"
  pull: yes
  state: started
  volumes: "{{ auditbeat_all_volumes }}"
  privileged: true
  pid_mode: host
  command: auditbeat -e -c /etc/auditbeat/auditbeat.yml
And end up with:
[centos@beats-anha-node2 ~]$ sudo docker logs -f auditbeat
2018-02-26T11:54:17.466Z INFO instance/beat.go:468 Home path [/usr/share/auditbeat] Config path: [/usr/share/auditbeat] Data path: [/usr/share/auditbeat/data] Logs path: [/usr/share/auditbeat/logs]
2018-02-26T11:54:17.473Z INFO instance/beat.go:475 Beat UUID: 2a85d2d2-19ef-45c0-90d9-8e80492144d6
2018-02-26T11:54:17.473Z INFO instance/beat.go:213 Setup Beat: auditbeat; Version: 6.2.2
2018-02-26T11:54:17.474Z INFO fileout/file.go:76 Initialized file output. path=/tmp/auditbeat/output max_size_bytes=10485760 max_backups=7 permissions=-rw-------
2018-02-26T11:54:17.474Z INFO pipeline/module.go:76 Beat name: beats-anha-node2.beans.io
2018-02-26T11:54:17.476Z INFO [auditd] auditd/audit_linux.go:65 auditd module is running as euid=0 on kernel=3.10.0-693.11.6.el7.x86_64
2018-02-26T11:54:17.477Z ERROR instance/beat.go:667 Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: failed sending request: connection refused
Using the following config (generated from YAML):
[centos@beats-anha-node2 ~]$ cat /etc/auditbeat/auditbeat.yml
auditbeat.modules:
- {audit_rules: '-a always,exit -F arch=b32 -S all -F key=32bit-abi
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at
    -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at
    -F exit=-EPERM -k access
    ', backlog_limit: 8196, failure_mode: silent, module: auditd, rate_limit: 0, resolve_ids: true}
- module: file_integrity
  paths: [/bin, /usr/bin, /sbin, /usr/sbin, /etc]
name: beats-anha-node2.beans.io
output.file: {enable: true, filename: output, path: /tmp/auditbeat}
processors: {add_cloud_metadata: null, add_docker_metadata: null, add_locale: null}
I saw that Luq had the same error in his log (Luq's Thread). Since I run as privileged and use pid_mode: host,
I was thinking it should work.