Audit, lxc containers and logged paths
Michele Giacomoli
michele.giacomoli at mynet.it
Thu Jun 30 17:40:09 UTC 2016
Sorry, forgot to mention:
Host is Ubuntu 14.04, while guests are different Ubuntu versions
Audit is installed from Ubuntu repos (version 1:2.3.2-2ubuntu1)
Thank you
Il 30/06/2016 19:27, Michele Giacomoli ha scritto:
> Hello everybody,
>
> I need to watch folders inside unprivileged linux containers. From
> what I know it's not possible to run audit inside a lxc guest, so I
> set up audit inside the host to log access to dirs using absolute path
> (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a
> look at the logs I found that both the paths of the executable and the
> path that has been accessed are relative to the container (i.e.
> /bin/ls and /etc/passwd), so I don't have a clue of which is the
> container that generated the record. I could compare the uid that
> generated it whith the uids set for the containers, but it seems an
> ugly solution.
>
> Can audit be configured for logging the absolute paths, or give me a
> hint of the container that generated the record?
>
> Best regards
> Michele
More information about the Linux-audit
mailing list