Separating Container(docker) Logs
Steve Grubb
sgrubb at redhat.com
Sat Mar 11 18:31:15 UTC 2017
On Friday, March 10, 2017 11:47:06 PM EST Wajih Ul Hassan wrote:
> I have been using Linux Audit Module for a while now especially in the
> context of container(docker) environment. I use SELinux MCS labels with
> docker --selinux-enabled to separate different container logs in auditd log
> stream. But this solution is very limited to SELinux enabled OS and cannot
> be ported to other systems like Ubuntu which uses AppArmour. So I am
> looking for some other way to separate each container logs in auditd log
> stream. If somebody can give me pointers or patches that makes
> auditd container aware it will be really helpful for me.
This is slowly being pulled together. This has to be done with common criteria
(CC) certifications in mind since pci-dss, STIG, various contracting language
all call out for or assume a common criteria certification. The first step in
this direction was in pulling together a specification for container management
events based on the virtualization protection profile.
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Virtualization-Manager-Guest-Lifecycle-Events
The next step is to define what a container is and the use cases. From that we
can advance the specification for auditing as it relates to containers. We will
be digging into this soon. We can't really press forward without understanding
all the certification requirements and this may even take some committee work
to iron out the CC requirements. I'd hate to do something and then find out it
doesn't meet requirements and undo and redo how it works. That would be too
much disruption for utilities that might process the information.
So, I think the answer for right now is you have to use labels. But this will
get addressed in the coming months.
-Steve
More information about the Linux-audit
mailing list