Audit Framework and namespaces

[Richard Guy Briggs]

On 15/12/08, Gulland, Scott A wrote:
> Thanks Richard.

Scott, glad to be of service.

> Your answer was indeed helpful.  I was assigned to work on Open Switch
> in late October and to investigate providing an audit trail feature.
> Open Switch is a Linux based embedded Network Operating System.
> After some resource on audit functionality on Linux, the obvious
> choice was to leverage the Audit Framework.  There was a question
> raised as to whether there was a name space incompatibility, but since
> Open Switch only uses network namespaces, that doesn't appear to be an
> issue.

So it should just work.

> What we need to do is log who did what for any operation that changes
> the switch configuration.   We have a variety of ways to modify the
> switch's configuration; REST, CLI, OVSDB API, and others.   We want to
> use the audit library calls to log these changes.   Is this
> reasonable?

I don't see a particular problem.  Jamal (Hadi Salim) was talking about
something similar for his FORCES work at Mojatatu.

>  It took a month to get a Open Switch linux image put together that
>  contains the audit framework.   I've just started playing with it and
>  have noticed that "auditd" exits with an error when running a docker
>  container.  Open Switch uses a docker container with a linux image
>  which has a switch simulator that is used for development.   Of
>  course the actual released environment is using real switch hardware
>  on a non-container based linux image.   It appears that the audit
>  framework does not work in a docker container.   Are there plans to
>  add support for containers or is there some magic instructions for
>  getting auditd to work in a container?

I assume that docker containers at least spawn a PID namespace and
attempt to use CAP_AUDIT_CONTROL, so that would explain why it won't
work.  As outlined in my first reply, there are ideas to support PID
namespaces, but there is no detailed design yet.  

Again, the definition of a container comes into it as well, but we think
we have a reasonable understanding of the needs of docker containers and
have an idea how to get there.  User namespaces are further off, but I
don't believe they are needed for docker at this point.

> Scott Gulland
> 916.785.1497
> HPE Networking, CEB R&D
> 
> 
> -----Original Message-----
> From: Richard Guy Briggs [mailto:rgb at redhat.com] 
> Sent: Tuesday, November 03, 2015 11:44 AM
> To: Gulland, Scott A
> Cc: linux-audit at redhat.com
> Subject: Re: Audit Framework and namespaces
> 
> On 15/11/03, Gulland, Scott A wrote:
> > Does the audit framework work with linux namespaces?
> 
> The quick answer is "Some".
> 
> I am not aware of any restrictions on running audit services in MNT, UTS or IPC namespaces.  The upstream kernel has support for running auditd in any network namespace.  Additionally, processes with CAP_AUDIT_WRITE (generally to send AUDIT_USER_* class messages) can send from any PID namespace, but auditd is not permitted to run anywhere other than in the initial PID namespace.  There is no support for any audit services from any USER namespace other than initial due to serious concerns with security, policy and experience still accumulating in that area.  There are expectations that this latter will be supported in the future, but that needs planning, execution and thorough testing.
> 
> I hope this helps answer your question.  I note you didn't ask about audit working in containers, which is a harder question to answer clearly due to the definition of "container".  The last point made in the paragraph above will get us closer to supporting audit services in Linux containers.
> 
> > Scott Gulland
> 
> - RGB

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545