Regarding Auditd fails to start

Paul Moore paul at paul-moore.com
Wed Feb 3 14:27:49 UTC 2016 

On Wed, Feb 3, 2016 at 9:08 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wed, 3 Feb 2016 07:57:52 -0500
> Paul Moore <paul at paul-moore.com> wrote:
>
>> On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>> > On Wed, 3 Feb 2016 15:34:09 +0530
>> > Sowndarya K <sowndaryak18 at gmail.com> wrote:
>> >> I am running docker container without privileges and now service
>> >> auditd start fails to execute even I add capabilities to docker.
>> >> please try to help me as early as possible
>> >
>> > If auditd is being run inside a container, then it has problems
>> > because the audit subsystem inside the kernel isn't container
>> > aware/namespaced. I have recently made changes to auditd in svn for
>> > the next release which allows auditd to run as a log _aggregator_
>> > inside a container. This means it has no knowledge of events coming
>> > from within the container but can act as an aggregator for systems
>> > doing remote logging.
>>
>> To add some commentary to this: we are not going to namespace the
>> audit subsystem like other subsystems, but making audit *aware* of
>> namespaces is on the todo list.
>
> OK. Suppose I go out and rent a virtualized server with root access for
> my web site. Turns out the company that is leasing me time used
> containers as their method of virtualizing. my web site runs fine in a
> container so no big deal. However, as a customer, I would want access
> to the logs for my container directly in the container. As a matter of
> fact, its a PCI-DSS requirement to have access to those logs.
>
> I really think the audit system _has to be_ namespaced, somehow, for
> compliance reasons.

Having access to audit events generated inside a namespace (or set of
namespaces to be more specific), and only generated inside a namespace
(or set of ...), does not require the audit subsystem to be
namespaced; however, it does require the audit subsystem to recognize
namespaces and associate them with events so that they can be tagged
and routed accordingly.  Based on previous conversations, I suspect we
have the same goals/ideas and are just using different terminology.  I
wouldn't worry too much about it at this point as that work is still
in the early stages.

-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list