how to monitor file access inside container by auditd?

charles xia qi.hsia at hotmail.com
Wed Nov 1 10:30:37 UTC 2023


Dear audit group,
I have docker containers running in a k8s cluster. In one container an issue was reported that a specific file was lost, but we didn't know who deleted the file or when it got lost.
The worker node where the container is located has auditd installed and running; however, the container doesn't have auditd installed. My idea is to set up an audit rule to watch the specific file and see how it was deleted.
The problematic file in the container:
[admin at 1422dd6ae839 data]$ ls /data/foo.log
foo.log
[admin at 1422dd6ae839 data]$ pwd
/data

The problem is that auditd is running on the worker, so when I specify the rule for the file inside the container, I'd give a rule like the following:
auditctl -w /data/foo.log
However, this path doesn't exist on the worker node, so auditd would not be able to watch it.

I tried "nsenter" to enter the container's mount namespace and add the rule, but since auditd is not running in the container it could not work either.

I'd appreciate it if someone could help me find a way to watch a file inside a container while auditd is running on the worker node.

BR/Charles
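Added example, not from the original post or from the audit project: the host's auditd watches inodes, so the usual approach is to translate the container path into the path the host kernel sees (a bind mount or volume source, or the overlay `MergedDir` from `docker inspect`) and watch its parent directory there, so that an unlink of the file is recorded by key. The `docker inspect` output below is a constructed sample with placeholder paths; the field names (`Mounts`, `Source`, `Destination`, `GraphDriver.Data.MergedDir`) are the real ones.

```python
import json
import posixpath
import shlex

# Constructed, abridged sample of `docker inspect <container>` output.
# Paths are placeholders, not values from the original post.
SAMPLE_INSPECT = json.dumps([{
    "Id": "CONTAINER_ID_PLACEHOLDER",
    "Mounts": [
        {"Type": "bind", "Source": "/srv/app-data", "Destination": "/data"},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/logs/_data",
         "Destination": "/var/log/app"},
    ],
    "GraphDriver": {"Name": "overlay2", "Data": {
        "MergedDir": "/var/lib/docker/overlay2/OVERLAY_ID_PLACEHOLDER/merged"}},
}])


def host_path(inspect_json: str, container_path: str) -> str:
    """Map a path inside the container to the path the host kernel sees.

    The bind mount or volume whose Destination is the longest prefix of the
    path wins; anything not on a mount lives in the overlay MergedDir.
    """
    info = json.loads(inspect_json)[0]
    best = None
    for m in info.get("Mounts", []):
        dest = m["Destination"].rstrip("/") or "/"
        hit = dest == "/" or container_path == dest \
            or container_path.startswith(dest + "/")
        if hit and (best is None or len(dest) > len(best[0])):
            best = (dest, m["Source"])
    if best:
        dest, src = best
        rel = container_path if dest == "/" else container_path[len(dest):]
        return src.rstrip("/") + rel
    return info["GraphDriver"]["Data"]["MergedDir"].rstrip("/") + container_path


def audit_rule(inspect_json: str, container_path: str,
               key: str = "container-file") -> str:
    """Build an auditctl watch on the host-side parent directory.

    Watching the directory (not the file) keeps the rule valid after the
    file is deleted and records the unlink/rename that removed it.
    """
    parent = posixpath.dirname(host_path(inspect_json, container_path))
    return f"auditctl -w {shlex.quote(parent)} -p wa -k {shlex.quote(key)}"


if __name__ == "__main__":
    print(audit_rule(SAMPLE_INSPECT, "/data/foo.log"))
```

Once the rule is loaded, `ausearch -k container-file -i` on the worker lists the syscall records (including the pid and the comm of the deleting process); on a containerd-based node the inspect JSON comes from `crictl inspect` and has a different layout, so the field names above would need adjusting.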