Support for CAP_AUDIT_READ kernel capability
Issue
- Running a container on a RHEL 7 server fails with the following error:
# docker run -ti --rm --cap-add AUDIT_READ rhel7 /bin/sh
/usr/bin/docker-latest: Error response from daemon: linux spec capabilities: Unknown capability to add: "CAP_AUDIT_READ"
- Can the CAP_AUDIT_READ capability be back-ported to the RHEL 7 kernel?
- Elasticsearch Auditbeat requires netlink multicast audit message support in the kernel: https://www.elastic.co/guide/en/beats/auditbeat/master/auditbeat-module-auditd.html. This appears to be available in kernel 3.16 and later.
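A host-side check for the condition described above, added here as an example and not taken from the original article: it reads the highest capability number the running kernel defines and the process bounding set, then reports whether CAP_AUDIT_READ is usable. The function names are hypothetical; the capability number 37 comes from linux/capability.h.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# CAP_AUDIT_READ is capability number 37 in <linux/capability.h>.
CAP_AUDIT_READ_NR=37

# kernel_knows_cap LAST_CAP NR
# LAST_CAP: contents of /proc/sys/kernel/cap_last_cap, the highest
# capability number this kernel defines. Returns 2 if it is not a number.
kernel_knows_cap() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -ge "$2" ]
}

# mask_has_cap HEXMASK NR
# HEXMASK: a CapBnd/CapEff value from /proc/<pid>/status. Returns 2 if malformed.
mask_has_cap() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_read_verdict LAST_CAP HEXMASK
# Prints: supported | dropped | unsupported | unknown
audit_read_verdict() {
    rc=0; kernel_knows_cap "$1" "$CAP_AUDIT_READ_NR" || rc=$?
    case $rc in
        1) echo unsupported; return 0 ;;   # kernel predates the capability
        2) echo unknown; return 0 ;;       # cap_last_cap unreadable
    esac
    rc=0; mask_has_cap "$2" "$CAP_AUDIT_READ_NR" || rc=$?
    case $rc in
        0) echo supported ;;               # defined and in the bounding set
        1) echo dropped ;;                 # defined, but removed from the set
        *) echo unknown ;;                 # mask unreadable
    esac
}

# Report for the host (or container) this script runs in.
report_host() {
    last=$(cat /proc/sys/kernel/cap_last_cap 2>/dev/null) || last=
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status 2>/dev/null) || bnd=
    echo "kernel $(uname -r): CAP_AUDIT_READ $(audit_read_verdict "$last" "$bnd")"
}
report_host
```

A result of "unsupported" means the kernel itself does not define the capability, so no container runtime option can grant it; "dropped" means the kernel defines it but the calling process has had it removed from its bounding set.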
Environment
- Red Hat Enterprise Linux 7
- Software requiring CAP_AUDIT_READ, such as Docker 1.12 or Elasticsearch