I am trying to configure auditing for the Docker daemon as follows:
Add the line below to the /etc/audit/audit.rules file:
-w /usr/bin/dockerd -k docker
Then, restart the audit daemon using the following command:
service auditd restart
This gives the following error:
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only.
Using systemctl also doesn't work. Is there a workaround or a fix for this?
Update RefuseManualStop to no in /usr/lib/systemd/system/auditd.service:
RefuseManualStop=no
Then reload the daemon as follows:
systemctl daemon-reload
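
A read-only check for the two settings in this thread, added here as an example and not part of the original question or answer: it reports the effective RefuseManualStop value of a unit file and confirms the dockerd watch rule is present and uncommented. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline checks for the two settings discussed above.
# Function names and sample file contents are constructed assumptions.

# Print "yes" or "no": the effective RefuseManualStop value in unit file $1.
# Only the [Unit] section counts, the last assignment wins, default is "no".
refuse_manual_stop() {
    awk '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && /^[ \t]*RefuseManualStop[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END {
            v = tolower(val)
            print ((v == "yes" || v == "true" || v == "1" || v == "on") ? "yes" : "no")
        }
    ' "$1"
}

# Succeed if rules file $1 has an uncommented watch on path $2 with key $3.
has_watch_rule() {
    awk -v path="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        {
            w = 0; k = 0
            for (i = 1; i < NF; i++) {
                if ($i == "-w" && $(i + 1) == path) w = 1
                if ($i == "-k" && $(i + 1) == key)  k = 1
            }
            if (w && k) found = 1
        }
        END { exit !found }
    ' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample inputs, not copied from a real system.
    printf '%s\n' '[Unit]' 'Description=Security Auditing Service' \
        'RefuseManualStop=yes' '[Service]' 'Type=forking' > "$tmp/auditd.service"
    printf '%s\n' '# docker' '-w /usr/bin/dockerd -k docker' > "$tmp/audit.rules"
    echo "RefuseManualStop=$(refuse_manual_stop "$tmp/auditd.service")"
    has_watch_rule "$tmp/audit.rules" /usr/bin/dockerd docker && echo "watch rule present"
    rm -rf "$tmp"
}
demo
```

On a real host, point the functions at /usr/lib/systemd/system/auditd.service and /etc/audit/audit.rules, the paths named in the thread.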