A walkthrough on how to use the Forensics control to audit the commands and activities run inside a container.
Prerequisites
Ensure that Aqua Enforcers are deployed in your cluster: the Forensics control is part of a Container Runtime Policy, and it is the Enforcer running on the node that records the audited activity [1, 3].
Step 1: Add the Forensics control to the Container Runtime Policy
Go to the Aqua UI > Policies > Runtime Policies > Add Policy > Container Runtime Policy (or open an existing Container Runtime Policy), enable the Forensics control in the policy, and save the policy.
In this guide we add the Forensics control to the "Aqua default runtime policy" to demonstrate the feature.
Step 2: Exec into a container and run a command
Once the policy has been saved with the control enabled, use the kubectl utility to exec into a container and run a command; the command you type is what should later appear in the audit log.
In this guide the Sock Shop microservices demo was deployed in the cluster. We exec into the rabbitmq container, run the command "lsblk", and exit from the container.
$ kubectl exec -it rabbitmq-7764597b7b-kzs9d -n sock-shop -- /bin/sh
# lsblk
NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sdb       8:16   0     8G  0 disk
`-sdb1    8:17   0     8G  0 part
sr0      11:0    1   690K  0 rom
sda       8:0    0   100G  0 disk
|-sda14   8:14   0     4M  0 part
|-sda15   8:15   0   106M  0 part
`-sda1    8:1    0  99.9G  0 part /etc/aquasec/policy
# exit
Step 3: Review the audit logs in the Aqua Console.
Go to the Aqua UI > Audit, filter by "Pod Name" = rabbitmq-7764597b7b-kzs9d, and review the events that were audited, in particular the "file exec" event. Opening that audit event shows the recorded details of the "lsblk" command.
Because the "Audit all network activity" option in the Forensics control was also enabled, the network activity of the same container can be reviewed here as well. As rabbitmq is a message broker, the number of network activity events will be very high, so on a busy workload consider whether you need that option, or scope the policy to the containers you are actually investigating.
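The exec test from Step 2 can be driven from a script so that the same probe can be repeated across pods and each run is easy to find again in the Audit page of Step 3. The script below is an added example written for this walkthrough, not code from the original guide or from Aqua. It assumes kubectl is configured for the cluster and that an Aqua Enforcer with the Forensics control enabled in the applied runtime policy is watching the target pods. The "forensics-probe-..." marker, the CSV log file and all function names are this example's own; the marker is appended as an argument of the "sh -c" command line on the assumption that the audited "file exec" event records the executed command and its arguments, as the guide shows for lsblk.

```shell
#!/bin/sh
# Added example (not part of the original guide or of Aqua's own tooling).
# Runs a marker-tagged exec probe against a pod and records what was run, so
# the tester knows exactly which pod/marker to look for in the Aqua Audit page.
# Assumes: kubectl is configured, and an Aqua Enforcer with the Forensics
# control in the applied runtime policy is watching the target pods.
set -eu

# Local CSV record of every probe (file name is an assumption of this example).
PROBE_LOG=${PROBE_LOG:-./forensics-probes.csv}

# Unique per-run marker: pod name plus a UTC timestamp. The marker becomes part
# of the "sh -c" argument, so it is visible in the recorded exec command line.
make_marker() {
  printf 'forensics-probe-%s-%s' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Build the kubectl exec command line. Non-interactive (no -it) so it can run
# from a script or CI job. $1=namespace $2=pod $3=marker $4=command to audit
build_probe_cmd() {
  printf "kubectl exec -n %s %s -- /bin/sh -c '%s; echo %s'" "$1" "$2" "$4" "$3"
}

# Append one CSV line: UTC time, namespace, pod, marker, command.
record_probe() {
  [ -f "$PROBE_LOG" ] || printf 'utc_time,namespace,pod,marker,command\n' > "$PROBE_LOG"
  printf '%s,%s,%s,%s,%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" >> "$PROBE_LOG"
}

# Run one probe and print its marker. With DRY_RUN=1 the kubectl command is
# only printed, which lets the script be exercised without a cluster.
run_probe() {
  ns=$1; pod=$2; cmd=${3:-lsblk}
  marker=$(make_marker "$pod")
  line=$(build_probe_cmd "$ns" "$pod" "$marker" "$cmd")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'DRY_RUN: %s\n' "$line"
  else
    # eval is needed because the command line carries a quoted "sh -c" argument;
    # namespace and pod names are operator-supplied, not untrusted input.
    eval "$line"
  fi
  record_probe "$ns" "$pod" "$marker" "$cmd"
  printf '%s\n' "$marker"
}

# Usage: ./probe.sh <namespace> <pod> [command]
# e.g. for the guide's pod:  DRY_RUN=1 ./probe.sh sock-shop rabbitmq-7764597b7b-kzs9d lsblk
if [ "$#" -ge 2 ]; then
  run_probe "$@"
fi
```

After a real run, filter the Audit page by the pod name as in Step 3 and look for the "file exec" event whose command contains the printed marker; the CSV gives the UTC time of each probe, which helps when a busy container produces many events.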