Hello,
I’m trying to figure out how to configure the auditing service (auditctl) on the host (RHEL8) to audit the filesystem mounted by docker when spinning up a container.
In the mounted filesystems on the server I can see:
findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'
/
/boot
/storage
/var/lib/docker/fuse-overlayfs/f23d01a3df970a2ab39a19072c970f3f7266f0576647dbe3cc4f77189db5b33d/merged
/run/docker/netns/04209ad3220f
In the file /etc/audit/rules.d/00-priviledge_cmd.rules, I have manually set these rules:
I tried:
-a always,exit -F path=/var/lib/docker -F perm=x -F auid>=6000 -F auid!=-1 -k privileged
In the running configuration I can see the following has been applied:
auditctl -l | grep -i docker
-a always,exit -S all -F path=/var/lib/docker -F perm=x -F auid>=6000 -F auid!=-1 -F key=privileged
The security hardening control is failing because the following are not part of the running audit configuration:
PARTITION=/var/lib/docker/fuse-overlayfs/f23d01a3df970a2ab39a19072c970f3f7266f0576647dbe3cc4f77189db5b33d/merged
sudo find "${PARTITION}" -xdev -maxdepth 3 -perm /6000 -type f ! -fstype nfs ! -fstype nfs4 ! -fstype cifs ! -fstype smbfs ! -fstype gfs ! -fstype gfs2 ! -fstype safenetfs ! -fstype secfs ! -fstype gpfs
/var/lib/docker/fuse-overlayfs/f23d01a3df970a2ab39a19072c970f3f7266f0576647dbe3cc4f77189db5b33d/merged/usr/bin/gpasswd
/var/lib/docker/fuse-overlayfs/f23d01a3df970a2ab39a19072c970f3f7266f0576647dbe3cc4f77189db5b33d/merged/usr/bin/chage
/var/lib/docker/fuse-overlayfs/f23d01a3df970a2ab39a19072c970f3f7266f0576647dbe3cc4f77189db5b33d/merged/usr/bin/newgrp
I’ll be honest, I am not sure that I am doing this right.
I am hoping that someone who has gone through this before, or has a better understanding of auditing, can guide me on how one would normally configure the auditing service to audit the filesystems mounted by docker.
Thank you to anyone giving this a thought.
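Added example (not from the original post or from auditd/docker themselves): the hardening check quoted above lists individual setuid/setgid files under the container's merged overlay directory and expects each of them to appear in the running rule set, while the rule in the post only watches the single path object /var/lib/docker (an `-F path=` rule is not recursive; `-F dir=` is the recursive form). The script below scans a mount point the way the check does, prints one per-file rule per setuid/setgid binary in the same shape as the post's rule, and reports which scanned files still have no path rule in a saved copy of `auditctl -l` output. Because the overlay path carries a per-container hash, the rules need regenerating whenever containers change. Assumptions: UID_MIN is read from /etc/login.defs and defaults to 1000 if absent (the post uses 6000, which can be passed as the second argument); the key name "privileged" mirrors the post.

```shell
#!/bin/sh
# Added example: generate per-file auditd rules for setuid/setgid binaries
# found on a mounted filesystem, and diff them against a captured rule set.

uid_min() {
    # Read UID_MIN from /etc/login.defs; fall back to 1000 (assumption) if
    # the file is missing or has no such line.
    awk '/^[[:space:]]*UID_MIN[[:space:]]/ { print $2 }' /etc/login.defs 2>/dev/null \
        | head -n 1 | grep -E '^[0-9]+$' || echo 1000
}

gen_priv_rules() {
    # $1: mount point or directory to scan (stays on that filesystem via -xdev)
    # $2: minimum interactive UID (optional; defaults to uid_min)
    # Output: one rule per setuid/setgid regular file, sorted, in the form
    # the post's existing rule uses (auid!=-1 excludes unset login UIDs).
    root="$1"
    min="${2:-$(uid_min)}"
    find "$root" -xdev -type f -perm /6000 | sort | while IFS= read -r f; do
        printf -- '-a always,exit -F path=%s -F perm=x -F auid>=%s -F auid!=-1 -k privileged\n' "$f" "$min"
    done
}

rules_missing_for() {
    # $1: directory to scan; $2: file holding the current rules (e.g. saved
    # output of `auditctl -l`). Prints each setuid/setgid file that has no
    # "-F path=<file>" rule in $2. The trailing " -F" anchors the match so
    # /usr/bin/chage does not satisfy a rule for /usr/bin/chagefoo.
    root="$1"
    current="$2"
    find "$root" -xdev -type f -perm /6000 | sort | while IFS= read -r f; do
        grep -qF -- "-F path=$f -F" "$current" || printf '%s\n' "$f"
    done
}

# Stand-alone use: print rules for the directory given on the command line,
# e.g.  sh gen_priv_rules.sh /var/lib/docker/fuse-overlayfs/<id>/merged 6000
if [ "$#" -gt 0 ]; then
    gen_priv_rules "$1" "${2:-}"
fi
```

Write the generated lines into a file under /etc/audit/rules.d/ and reload with `augenrules --load` (or `auditctl -R`), then rerun `rules_missing_for` against fresh `auditctl -l` output to confirm the check's file list is now covered.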