CHAPTER 4 Forensic Logging

In previous chapters, we looked at ensuring that containers run with minimal permissions and saw how to detect anomalous container behavior and enforce policy against it. However, as any seasoned professional will tell you, security is far more than just enforcement.

Thanks to the clever design of the Linux kernel, there is a relatively straightforward way of monitoring precisely how your container runtime and orchestrator interact with their underlying hosts. It is possible to log not only every action that a system makes but in fact every system call (syscall), which occurs when a process requests something from the kernel, on a running system.

Why would you do this? There are at least two particularly good reasons. First, an audit trail offers you the ability to trace how an attacker compromised, or partially compromised, a container or a host. The forensic analysis that you can perform on such logs allows you to walk step-by-step through any event and, with enough understanding of what each step entails, retrace the footsteps of an attacker. Second, having such a high level of detailed operational data available to you can make performance tuning and application debugging possible. You can see exactly what an application is doing and then fine-tune it in response.

In this chapter, we will look at what is described as the “userspace component to the Linux Auditing System,” according to the man page. The venerable auditd is a way of interacting with the Linux ...
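To make the forensic walk-through concrete, here is an added example (not code from the book) that reads records in the format auditd writes to /var/log/audit/audit.log, groups them into kernel events by serial, and rebuilds the process chain behind a failed file access. The log lines, pids, paths and rule keys (`container-exec`, `shadow-read`) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's on-disk format; pids, paths, timestamps and keys are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=0 comm="runc" exe="/usr/bin/runc" key="container-exec"
type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="runc" a1="exec" a2="web1"
type=SYSCALL msg=audit(1700000000.240:502): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=905 auid=1000 uid=0 comm="sh" exe="/bin/dash" key="container-exec"
type=EXECVE msg=audit(1700000000.240:502): argc=3 a0="sh" a1="-c" a2="cat /etc/shadow"
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=257 success=no exit=-13 ppid=905 pid=907 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="shadow-read"
type=PATH msg=audit(1700000000.300:503): item=0 name="/etc/shadow" nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_events(text):
    """Group records by audit serial: every record sharing a serial is one kernel event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        events[int(serial)]["ts"] = float(ts)
        events[int(serial)][rtype] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return dict(events)

def build_trail(events):
    """Ordered list of steps: who ran what, as which uid, and whether the syscall succeeded."""
    trail = []
    for serial in sorted(events):
        ev, sc = events[serial], events[serial].get("SYSCALL", {})
        step = {"serial": serial, "ts": ev["ts"], "pid": int(sc.get("pid", -1)), "ppid": int(sc.get("ppid", -1)),
                "uid": sc.get("uid"), "exe": sc.get("exe"), "key": sc.get("key"), "success": sc.get("success") == "yes"}
        if "EXECVE" in ev:  # reassemble argv from a0..a(argc-1)
            step["argv"] = [ev["EXECVE"][f"a{i}"] for i in range(int(ev["EXECVE"]["argc"]))]
        if "PATH" in ev:  # which file a denied open/exec actually targeted
            step["path"] = ev["PATH"].get("name")
        trail.append(step)
    return trail

def ancestry(trail, pid):
    """Walk ppid links back from a pid, returning the exe of each ancestor present in the trail."""
    by_pid = {s["pid"]: s for s in trail}  # later steps overwrite earlier ones for the same pid
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["exe"])
        pid = by_pid[pid]["ppid"]
    return chain
```

Running `ancestry(build_trail(parse_events(SAMPLE_LOG)), 907)` shows the denied read of /etc/shadow was spawned by a shell that `runc exec` started inside the container, which is exactly the step-by-step retracing the text describes.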
