Regarding Auditd fails to start

Paul Moore paul at paul-moore.com
Wed Feb 3 12:57:52 UTC 2016


On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wed, 3 Feb 2016 15:34:09 +0530
> Sowndarya K <sowndaryak18 at gmail.com> wrote:
>> I am running a docker container without privileges, and now service
>> auditd start fails to execute even when I add capabilities to docker.
>> Please try to help me as early as possible.
>
> If auditd is being run inside a container, then it has problems because
> the audit subsystem inside the kernel isn't container aware/namespaced.
> I have recently made changes to auditd in svn for the next release which
> allow auditd to run as a log _aggregator_ inside a container. This
> means it has no knowledge of events coming from within the container
> but can act as an aggregator for systems doing remote logging.

To add some commentary to this: we are not going to namespace the
audit subsystem like other subsystems, but making audit *aware* of
namespaces is on the todo list.

-- 
paul moore
www.paul-moore.com



