
enable auditd in bottlerocket

Open sumeet-zuora opened this issue 1 year ago • 1 comments

So, we are using Bottlerocket in AWS EKS and were wondering how we can enable auditd and set up https://docs.rapid7.com/insight-agent/auditd-compatibility-mode-for-linux-assets/

sumeet-zuora, Nov 22 '23 04:11

Thanks for raising this issue. Unfortunately, the Auditd binary is not included in Bottlerocket. One reason is that Auditd doesn't offer as much value to Bottlerocket due to the following reasons:

  • Bottlerocket uses dm-verity for its root filesystem image and SELinux to protect the system from security threats.
  • The root filesystem is immutable and cannot be directly modified by userspace processes.
  • There is no shell in Bottlerocket.
  • We have high-level security goals for Bottlerocket listed here (https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_FEATURES.md).



Also, as we can see here (https://docs.rapid7.com/insight-agent/operating-system/#how-to-run-the-insight-agent-on-an-unsupported-os), Bottlerocket OS is not listed as a supported OS for Insight Agent. It might be worth asking if they have a different solution that could work with Bottlerocket that is container-based, like a DaemonSet, instead of an agent-based solution in the hosting OS.

vyaghras, Nov 22 '23 18:11