# audit in jails ?



## abishai (Nov 19, 2016)

I need to intercept who is writing to /var/run of one of my jails, however auditd is not available in jails.

```
Error sending trigger: Function not implemented
```
Any possibilities to enable it somehow? I passed audit and auditpipe devs in jail, so I suppose it just not implemented. Maybe any workaround exists? I need to know who is deleting sock file for one of jail's daemons.


----------



## ComradeSlice (Nov 21, 2016)

Impossible to audit within the jail. Keyword being "within." There are examples of auditing from the host. Try working off of this:

https://lists.freebsd.org/pipermail/freebsd-stable/2012-March/066615.html


----------

