Audit, lxc containers and logged paths

Michele Giacomoli michele.giacomoli at mynet.it
Fri Jul 1 07:40:11 UTC 2016


Got it. Thank you very much Richard

On 30/06/2016 20:09, Richard Guy Briggs wrote:
> On 2016-06-30 19:27, Michele Giacomoli wrote:
>> Hello everybody,
> Hi Michele,
>
>> I need to watch folders inside unprivileged linux containers. From
>> what I know it's not possible to run audit inside a lxc guest, so I
>> set up audit inside the host to log access to dirs using absolute
>> path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
>> giving a look at the logs I found that both the paths of the
>> executable and the path that has been accessed are relative to the
>> container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
>> which is the container that generated the record. I could compare
>> the uid that generated it with the uids set for the containers, but
>> it seems an ugly solution.
> General topics surrounding this sort of issue have been discussed on
> this list over the last couple of years.  The way things are currently
> set up you are correct in the current way to address this problem.  The
> kernel currently has no concept of containers.
>
>> Can audit be configured for logging the absolute paths, or give me a
>> hint of the container that generated the record?
> There have been some proposals to address this sort of challenge, but
> there is no consensus yet.  I'm doing a presentation at the Linux
> Security Summit in Toronto this year in August that will touch on some
> of these issues and how we might address them.  Some approaches document
> the namespaces of events and others allow audit to run in the container.
>
> (As to the follow-on reply, at this point the distribution is irrelevant
> since it isn't in the upstream kernel yet.)
>
>> Michele
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
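
The workaround Michele describes above (watch the container rootfs from the host, then recover the container from the uid in the record) as an added worked example; this is not code from the thread or from the audit project. It assumes a host rule such as `auditctl -w /var/lib/lxc/mycontainer/rootfs/etc -p rwa -k lxc-etc`, that each unprivileged container's uid range is known from its `lxc.id_map` config line, and it runs over constructed audit log lines embedded inline (the `UID_MAPS` table, the `lxc-etc` key and all sample values are assumptions). It also covers the failure mode the thread hints at: an access made from the host itself lands in no container range, so the file owner's uid (`ouid` in the PATH record) is used to say whose file was touched.

```python
"""Attribute host-side audit events to the unprivileged LXC container that
produced them, using the containers' uid mappings.

Added example, not code from the original thread.  The uid ranges below and
the sample log are constructed; in practice read them from each container's
`lxc.id_map = u 0 <first_host_uid> <count>` config line.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: (container, first host uid, number of uids) per container.
UID_MAPS: List[Tuple[str, int, int]] = [
    ("mycontainer", 100000, 65536),
    ("webfront", 200000, 65536),
]

# Constructed sample: two accesses from inside containers (exe= and name= are
# container-relative, as in the report) and one made by root on the host via
# the absolute rootfs path.  All three were caught by the same watch key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1467308400.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=0 a2=1b6 a3=0 items=1 ppid=4321 pid=4322 auid=4294967295 uid=100000 gid=100000 euid=100000 suid=100000 fsuid=100000 egid=100000 sgid=100000 fsgid=100000 tty=(none) ses=4294967295 comm="ls" exe="/bin/ls" key="lxc-etc"
type=CWD msg=audit(1467308400.123:456):  cwd="/"
type=PATH msg=audit(1467308400.123:456): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=100000 ogid=100000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1467308405.500:457): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd a1=0 a2=1b6 a3=0 items=1 ppid=5000 pid=5001 auid=4294967295 uid=200033 gid=200033 euid=200033 suid=200033 fsuid=200033 egid=200033 sgid=200033 fsgid=200033 tty=(none) ses=4294967295 comm="cat" exe="/bin/cat" key="lxc-etc"
type=PATH msg=audit(1467308405.500:457): item=0 name="/etc/shadow" inode=1235 dev=fd:01 mode=0100640 ouid=200000 ogid=200042 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1467308410.000:458): arch=c000003e syscall=2 success=yes exit=5 a0=7ffd a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=777 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="lxc-etc"
type=PATH msg=audit(1467308410.000:458): item=0 name="/var/lib/lxc/mycontainer/rootfs/etc/hosts" inode=1236 dev=fd:01 mode=0100644 ouid=100000 ogid=100000 rdev=00:00 nametype=NORMAL
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The audit(<timestamp>:<serial>) stamp that ties one event's records together.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line: str) -> Tuple[int, Dict[str, str]]:
    """Return (event serial, {field: value}) for one audit log line."""
    m = MSG_RE.search(line)
    if m is None:
        raise ValueError("no audit(...) stamp in record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return int(m.group(2)), fields


def group_events(log: str) -> Dict[int, Dict[str, List[Dict[str, str]]]]:
    """Group SYSCALL/CWD/PATH records by serial: {serial: {type: [records]}}."""
    events: Dict[int, Dict[str, List[Dict[str, str]]]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        serial, fields = parse_record(line)
        events.setdefault(serial, {}).setdefault(fields["type"], []).append(fields)
    return events


def container_for_uid(uid: int) -> Optional[str]:
    """Map a host-side uid to the container whose idmap range contains it."""
    for name, base, count in UID_MAPS:
        if base <= uid < base + count:
            return name
    return None  # host uid, or a container we do not know about


def attribute(log: str) -> List[dict]:
    """One summary per event: acting container (or 'host'), file owner's
    container, exe and the paths as recorded (container-relative when the
    access came from inside the container)."""
    out = []
    events = group_events(log)
    for serial in sorted(events):
        recs = events[serial]
        if "SYSCALL" not in recs:
            continue  # stray PATH/CWD without its SYSCALL; nothing to attribute
        sysc = recs["SYSCALL"][0]
        paths = recs.get("PATH", [])
        uid = int(sysc["uid"])
        owner_uid = int(paths[0]["ouid"]) if paths and "ouid" in paths[0] else None
        out.append({
            "serial": serial,
            "key": sysc.get("key"),
            "uid": uid,
            "container": container_for_uid(uid) or "host",
            "owner_container": container_for_uid(owner_uid) if owner_uid is not None else None,
            "exe": sysc.get("exe"),
            "paths": [p["name"] for p in paths if "name" in p],
        })
    return out


if __name__ == "__main__":
    for ev in attribute(SAMPLE_LOG):
        print("%(serial)s %(container)s uid=%(uid)s exe=%(exe)s %(paths)s "
              "(file owned by %(owner_container)s)" % ev)
```

The uid test is only as good as the idmap table: a container given a range that overlaps another's, or a container that is not unprivileged at all (uid 0 maps to host uid 0), will be misattributed or reported as "host", which is exactly why the thread calls this approach ugly. A separate `-k` key per watched rootfs, as in the assumed rule, gives an independent label in the SYSCALL record that does not depend on uids at all.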
