As you know, Linux Audit is not installed on Ubuntu Focal by default. I installed it, and my goal is to trace what containers do. I have this seccomp profile:

    {
        "defaultAction": "SCMP_ACT_LOG",
        "architectures": [
            "SCMP_ARCH_X86_64",
            "SCMP_ARCH_X86",
            "SCMP_ARCH_X32"
        ],
        "syscalls": []
    }

Then, in order to perform tracing, I start the container using the mentioned seccomp profile:

    docker run --security-opt seccomp=seccomplog.json --rm -it ubuntu

I perform some operations, then get the trace from the container:

    ausearch -m 1326

Everything good for now.

Then, I delete everything in /var/log/audit in order to trace another container. However, after running the new container with the mentioned seccomp profile, there is still no file in the Audit folder, meaning there is no log.

Why is there no new Audit log file anymore?

MoeKav
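The goal stated in the question is to see what a container does from the `type=SECCOMP` records that `ausearch -m 1326` returns. The script below is an added example, not part of the question or answer: it tallies those records by syscall number and process name, and includes a small check for the failure mode described above (no `audit.log` in the audit directory, so there is nothing for ausearch to read). The audit lines in `SAMPLE_AUDIT` are constructed sample input in the kernel's SECCOMP record layout; `summarise_seccomp` and `audit_log_present` are names chosen for this example.

```shell
#!/bin/sh
# Added example: summarise SECCOMP audit records (what `ausearch -m 1326`
# prints for a container run under a SCMP_ACT_LOG profile).
# SAMPLE_AUDIT is constructed sample input, not real captured data.

SAMPLE_AUDIT='type=SECCOMP msg=audit(1600000000.101:201): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="bash" exe="/usr/bin/bash" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f1234567890 code=0x7ffc0000
type=SECCOMP msg=audit(1600000000.102:202): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4242 comm="bash" exe="/usr/bin/bash" sig=0 arch=c000003e syscall=257 compat=0 ip=0x7f1234567890 code=0x7ffc0000
type=SECCOMP msg=audit(1600000000.103:203): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4243 comm="ls" exe="/usr/bin/ls" sig=0 arch=c000003e syscall=217 compat=0 ip=0x7f1234567890 code=0x7ffc0000
type=SECCOMP msg=audit(1600000000.104:204): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=4243 comm="ls" exe="/usr/bin/ls" sig=0 arch=c000003e syscall=1 compat=0 ip=0x7f1234567890 code=0x7ffc0000'

# summarise_seccomp: read audit records on stdin and print
# "<count> <syscall number> <comm>" lines, most frequent first.
# Only records whose code is SECCOMP_RET_LOG (0x7ffc0000), i.e. the
# ones produced by a SCMP_ACT_LOG profile, are counted.
summarise_seccomp() {
    awk '
        /^type=SECCOMP / {
            sc = ""; comm = ""; code = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "syscall") sc = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "code") code = kv[2]
            }
            gsub(/"/, "", comm)
            if (code == "0x7ffc0000" && sc != "") n[sc " " comm]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# audit_log_present DIR: succeed only if DIR holds a non-empty audit.log.
# This is the condition the question describes losing after clearing
# /var/log/audit; ausearch has nothing to read until the file is back.
audit_log_present() {
    [ -s "$1/audit.log" ]
}

# Usage on the constructed sample (on a real host, pipe
# `ausearch -m 1326 --raw` into summarise_seccomp instead).
printf '%s\n' "$SAMPLE_AUDIT" | summarise_seccomp
```

The syscall numbers are printed raw because the record carries only the number and the `arch` field; map them with `ausyscall <number>` for the architecture in question (`c000003e` is x86_64) when reading the summary.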

1 Answer

Some of the logging systems are "touchy" about whether or not their log files exist: if the file does not exist, the log system often simply fails to log.

The simplest thing to do might be to sudo touch /var/log/audit/audit.log and restart auditd - I've had this work for other logging systems.

Going forward, rather than deleting /var/log/audit/audit.log you might want to force log rotation. Read up on logrotate, especially the force option. Generally speaking, each logging system has a logrotate configuration that ensures that any required files exist after rotation.