Audit Framework and namespaces

Steve Grubb sgrubb at redhat.com
Tue Dec 8 16:23:14 UTC 2015


On Tuesday, December 08, 2015 11:10:56 AM Richard Guy Briggs wrote:
> On 15/12/08, Gulland, Scott A wrote:
> >  It took a month to get an Open Switch linux image put together that
> >  contains the audit framework.   I've just started playing with it and
> >  have noticed that "auditd" exits with an error when running a docker
> >  container.  Open Switch uses a docker container with a linux image
> >  which has a switch simulator that is used for development.   Of
> >  course the actual released environment is using real switch hardware
> >  on a non-container based linux image.   It appears that the audit
> >  framework does not work in a docker container.   Are there plans to
> >  add support for containers or is there some magic instructions for
> >  getting auditd to work in a container?
> 
> I assume that docker containers at least spawn a PID namespace and
> attempt to use CAP_AUDIT_CONTROL, so that would explain why it won't
> work.  As outlined in my first reply, there are ideas to support PID
> namespaces, but there is no detailed design yet.
> 
> Again, the definition of a container comes into it as well, but we think
> we have a reasonable understanding of the needs of docker containers and
> have an idea how to get there.  User namespaces are further off, but I
> don't believe they are needed for docker at this point.

And further to the point, right now, we don't want events from inside the 
container going to the system audit daemon. It potentially has no idea what a 
pid, network, uid, gid, or hostname maps to. These have to be resolved inside 
the container and then aggregated at the system daemon or datacenter 
aggregator.

-Steve
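The resolution step Steve describes, as an added example that is not code from the thread or from the audit project: an agent running on the host side of a container takes an audit record produced inside the container and rewrites its pid, ppid, uid and gid fields into host terms before handing it to an aggregator. Two real kernel interfaces are used, `/proc/<pid>/uid_map` and `gid_map` (lines of `inside outside count`, one per mapped range) and the `NSpid:` line of `/proc/<pid>/status` (host pid first, then the pid in each nested pid namespace). The id maps, the status excerpts and the audit records below are constructed inputs, and the trailing `container="..."` tag is a field name chosen for this example, not an existing audit field.

```python
"""Rewrite identifiers in a container's audit record into host namespace terms.

Added example for the discussion above; not part of the linux-audit project.
The inputs below are constructed to look like the real /proc interfaces.
"""
import re

# Constructed: the container's uid_map/gid_map as read from the host
# ('inside outside count'): container ids 0..65535 -> host ids 100000..165535.
UID_MAP = "         0     100000      65536\n"
GID_MAP = "         0     100000      65536\n"

# Constructed: /proc/<host pid>/status excerpts for the container's processes.
# NSpid lists the host pid first and the innermost namespace's pid last.
HOST_STATUS = {
    4200: "Name:\tsleep\nNSpid:\t4200\t1\n",
    4242: "Name:\tsh\nNSpid:\t4242\t17\n",
}

# Constructed audit records as auditd inside the container would log them.
RECORD = ('type=SYSCALL msg=audit(1449591794.123:42): syscall=2 success=yes '
          'pid=17 ppid=1 auid=4294967295 uid=1000 gid=1000 comm="sh" exe="/bin/sh"')
# Same shape, but for a process that exited before the pid table was read.
RECORD_GONE = ('type=SYSCALL msg=audit(1449591794.456:43): syscall=2 success=yes '
               'pid=23 ppid=1 auid=4294967295 uid=1000 gid=1000 comm="ls" exe="/bin/ls"')

UNSET_ID = 4294967295  # -1 as an unsigned 32-bit id: "not set", nothing to map
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, count) ranges."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ranges.append(tuple(int(p) for p in parts))
    return ranges


def map_id(ranges, inside_id):
    """Translate an id valid inside the namespace to the host id, None if unmapped."""
    for inside, outside, count in ranges:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def build_pid_table(status_by_host_pid):
    """Map container pid -> host pid using each process's NSpid line."""
    table = {}
    for host_pid, status in status_by_host_pid.items():
        m = re.search(r"^NSpid:\s*(.+)$", status, re.M)
        if m:
            nspids = [int(x) for x in m.group(1).split()]
            table[nspids[-1]] = nspids[0]
    return table


def rewrite_record(record, uid_ranges, gid_ranges, pid_table, container):
    """Return (rewritten record, list of fields that could not be resolved).

    Unresolvable fields are left untouched and reported rather than silently
    passed through, so the host daemon never mistakes a container id for its own.
    """
    out, unresolved = [], []
    for key, val in AUDIT_FIELD.findall(record):
        if key in ("pid", "ppid"):
            new = pid_table.get(int(val))
        elif key in ("uid", "auid", "euid", "suid", "fsuid"):
            new = val if int(val) == UNSET_ID else map_id(uid_ranges, int(val))
        elif key in ("gid", "egid", "sgid", "fsgid"):
            new = val if int(val) == UNSET_ID else map_id(gid_ranges, int(val))
        else:
            out.append(f"{key}={val}")
            continue
        if new is None:
            unresolved.append(key)
            new = val
        out.append(f"{key}={new}")
    out.append(f'container="{container}"')  # example tag, not a real audit field
    return " ".join(out), unresolved


def translate(record, container="sim1"):
    """Convenience wrapper over the constructed inputs above."""
    return rewrite_record(record, parse_id_map(UID_MAP), parse_id_map(GID_MAP),
                          build_pid_table(HOST_STATUS), container)


if __name__ == "__main__":
    for rec in (RECORD, RECORD_GONE):
        rewritten, missing = translate(rec)
        print(rewritten)
        if missing:
            print("  unresolved fields:", ", ".join(missing))
```

The wrapper resolves every field of the first record (pid 17 becomes 4242, uid 1000 becomes 101000) while flagging `pid` in the second, where the process is already gone from the host's pid table; a real agent would have to snapshot NSpid mappings continuously, or obtain the translation from the kernel, to close that window.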
