I need to intercept who is writing to /var/run of one of my jails, however auditd is not available in jails.
Any possibilities to enable it somehow? I passed audit and auditpipe devs in jail, so I suppose it just not implemented. Maybe any workaround exists? I need to know who is deleting sock file for one of jail's daemons.
Code:
Error sending trigger: Function not implemented