For each dataset and auditbeat specific processors, the documentation should list the required privileges (e.g. must be root user?, required linux capabilities, must in in host namespace, etc). This will help users implement the least privileges in their deployments as well as understand what is needed when running Auditbeat in a container.

The Running in Docker topic should be updated to refer to these new sections.

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)