Configuring Audit logs on Bottlerocket

[soni-kanishk]

Hi Team,

We are trying to configure audit logs using auditctl in a Daemonset

We have provided the Daemonset with escalated permissions and trying to set up the following example audit rule sudo auditctl -w /etc/passwd -p wra -k identity

below screenshot is from the Daemonset

Expected behavior: When trying to read the /etc/passwd file, it should be detected and pushed to journald logs

Actual behavior:
The audit rule is applied, confirmed from the journald logs, but the logs are not audit pushed when the file /etc/passwd is accessed from root

The same is working fine from admin container or superpowered host containers

Suspicion is we are adding rules from the wrong PID namespace, please suggest PID from which we should execute these?

[dpavlov-smartling]

Hi,
I am not sure on which version of Bottlerocket you tested this, but it does work on AMI from SSM parameter /aws/service/bottlerocket/aws-ecs-2/x86_64/1.25.0/image_id

Example:

bash-5.1# auditctl -w /etc/passwd -p wra -k dddd
Old style watch rules are slower

bash-5.1# auditctl -l
-w /etc/passwd -p rwa -k dddd

bash-5.1# journalctl | grep dddd
Jan 16 17:14:10 dev-bottlerocket-test-i0a4a276a10a1df779.aws audit: CONFIG_CHANGE auid=1000 ses=1 subj=system_u:system_r:super_t:s0-s0:c0.c1023 op=add_rule key="dddd" list=4 res=1
Jan 16 17:14:10 dev-bottlerocket-test-i0a4a276a10a1df779.aws kernel: audit: type=1305 audit(1737047650.827:133): auid=1000 ses=1 subj=system_u:system_r:super_t:s0-s0:c0.c1023 op=add_rule key="dddd" list=4 res=1

bash-5.1# cat /etc/passwd
...

bash-5.1# journalctl | grep dddd
Jan 16 17:14:10 dev-bottlerocket-test-i0a4a276a10a1df779.aws audit: CONFIG_CHANGE auid=1000 ses=1 subj=system_u:system_r:super_t:s0-s0:c0.c1023 op=add_rule key="dddd" list=4 res=1
Jan 16 17:14:10 dev-bottlerocket-test-i0a4a276a10a1df779.aws kernel: audit: type=1305 audit(1737047650.827:133): auid=1000 ses=1 subj=system_u:system_r:super_t:s0-s0:c0.c1023 op=add_rule key="dddd" list=4 res=1
Jan 16 17:14:42 dev-bottlerocket-test-i0a4a276a10a1df779.aws audit[3479]: SYSCALL arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0cc8289c a2=0 a3=0 items=1 ppid=3409 pid=3479 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/coreutils" subj=system_u:system_r:super_t:s0-s0:c0.c1023 key="dddd"
Jan 16 17:14:42 dev-bottlerocket-test-i0a4a276a10a1df779.aws kernel: audit: type=1300 audit(1737047682.176:134): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0cc8289c a2=0 a3=0 items=1 ppid=3409 pid=3479 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/coreutils" subj=system_u:system_r:super_t:s0-s0:c0.c1023 key="dddd"

As you can see my attempt to read /etc/passwd was logged successfully:

Jan 16 17:14:42 dev-bottlerocket-test-i0a4a276a10a1df779.aws audit[3479]: SYSCALL arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0cc8289c a2=0 a3=0 items=1 ppid=3409 pid=3479 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/coreutils" subj=system_u:system_r:super_t:s0-s0:c0.c1023 key="dddd"