Hello,
First, let me give you a bit of context about what we are trying to do.
Basically, we are working on a monitoring solution for Linux containers
based on audit. The idea is logging all the syscalls executed within a
certain container and taking metrics, which are compared with a baseline in
order to find anomalies in the executed services. For instance, take as an
example a micro-service running within a container: if we suddenly see a
clone followed by an execve of "/bin/sh", this should be detected and
actions taken automatically.
The thing is that, to accomplish this, we need to create an audit rule that
allows filtering only those system calls executed in the context of the
monitored containers. For this, I can think of two possible ways:
1. By PID: Creating a rule like "filter all the syscalls executed by the
process with PID X and all its current and future children".
2. By namespace: It would be great to be able to create a rule that filters
all the syscalls executed under a given list of namespaces, in this case,
those corresponding to the monitored container.
But after reading the audit documentation, it looks like right now neither of
these options is supported without applying some unofficial patch.
A workaround would be to automatically add a new rule per new child, but
the new processes wouldn't be monitored from their start until the
creation of the rule, causing race conditions (creation of a new child that
would not be detected, etc.).
Are you aware of some other option that would allow what we need?
Thanks in advance.
Regards,
Roi
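As an added illustration (this is editorial example code, not part of Roi's message and not code from the audit project): the detection described above, "a clone followed by an execve of /bin/sh", run in userspace over a few constructed audit SYSCALL records. It leaves aside the rule-filtering question the mail raises and assumes the relevant syscalls have already been logged (for example by a broad rule tagged with a key); it then rebuilds the PID subtree itself by reading the child PID out of the exit= field of each successful clone() record, drops PIDs on exit_group so a reused PID is not mistaken for a descendant, and raises an alert when a tracked process execve()s a shell. Assumptions: x86_64 syscall numbers (clone=56, execve=59, exit_group=231), the exe= field of an execve record naming the new image, and the names SubtreeMonitor, run_monitor, SAMPLE_RECORDS and the key "container", none of which come from the original message.

```python
import re

# x86_64 syscall numbers as they appear in the syscall= field of an audit SYSCALL record (assumed arch)
SYS_CLONE = 56
SYS_EXECVE = 59
SYS_EXIT_GROUP = 231

# key=value or key="quoted value" pairs of an audit record
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real captures): a service (pid 4200) clones a child
# (4201) which execs /bin/sh, while an unrelated process (9999) also execs a shell.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=56 success=yes '
    'exit=4201 a0=1200011 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4200 uid=0 gid=0 '
    'comm="service" exe="/usr/bin/service" key="container"',
    'type=SYSCALL msg=audit(1700000000.002:102): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=55d0c0a0 a1=55d0c0b0 a2=55d0c0c0 a3=0 items=2 ppid=4200 pid=4201 uid=0 gid=0 '
    'comm="sh" exe="/bin/sh" key="container"',
    'type=EXECVE msg=audit(1700000000.002:102): argc=1 a0="/bin/sh"',
    'type=SYSCALL msg=audit(1700000000.003:103): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=7ffe0000 a1=7ffe0010 a2=7ffe0020 a3=0 items=2 ppid=1 pid=9999 uid=1000 gid=1000 '
    'comm="sh" exe="/bin/sh" key="other"',
    'type=SYSCALL msg=audit(1700000000.004:104): arch=c000003e syscall=231 success=yes '
    'exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=4200 pid=4201 uid=0 gid=0 '
    'comm="sh" exe="/bin/sh" key="container"',
]


def parse_record(line):
    """Return the key=value fields of a SYSCALL record as a dict, or None for other record types."""
    if not line.startswith("type=SYSCALL "):
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


class SubtreeMonitor:
    """Follows a root PID and all its descendants through successful clone() records
    and flags any execve() of a shell by a process in that subtree."""

    def __init__(self, root_pid, shells=("/bin/sh", "/bin/bash", "/bin/dash")):
        self.tracked = {root_pid}
        self.shells = set(shells)
        self.alerts = []

    def feed(self, line):
        rec = parse_record(line)
        if rec is None:
            return None
        pid = int(rec["pid"])
        if pid not in self.tracked:
            return None  # not in the monitored container's process tree
        nr = int(rec["syscall"])
        if nr == SYS_CLONE and rec.get("success") == "yes":
            # In the parent's record, exit= is clone()'s return value: the new child's PID.
            self.tracked.add(int(rec["exit"]))
        elif nr == SYS_EXIT_GROUP:
            # Forget exited processes so a later reuse of the PID is not taken for a descendant.
            self.tracked.discard(pid)
        elif nr == SYS_EXECVE and rec.get("success") == "yes" and rec.get("exe") in self.shells:
            alert = (pid, int(rec["ppid"]), rec["exe"])
            self.alerts.append(alert)
            return alert
        return None


def run_monitor(root_pid, lines):
    """Feed every line to a fresh monitor; return (alerts raised, PIDs still tracked)."""
    mon = SubtreeMonitor(root_pid)
    for line in lines:
        mon.feed(line)
    return mon.alerts, mon.tracked


if __name__ == "__main__":
    alerts, tracked = run_monitor(4200, SAMPLE_RECORDS)
    for pid, ppid, exe in alerts:
        print(f"ALERT: pid {pid} (parent {ppid}) executed {exe}")
    print("still tracked:", sorted(tracked))
```

Run against the constructed records with root PID 4200, the shell exec by 4201 is reported while the one by 9999 (outside the subtree) is ignored. Because the subtree is rebuilt from the log stream in order, there is no window between clone and the first syscall of the child here; that window only exists when the filtering is done by adding per-PID rules in the kernel, which is the race described in the message.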