"service auditd start" fails inside a container

Steve Grubb sgrubb at redhat.com
Thu Jul 19 18:53:32 UTC 2018


On Thursday, July 19, 2018 2:16:39 PM EDT Venkata Neehar Kurukunda wrote:
> Hi,
> 
> I am writing this email to report an issue while using audit inside a
> docker container (with CentOS 7.5 as base layer). It installs fine, but,
> when I try to do service auditd start, it fails with the message:
> "Redirecting to /bin/systemctl start auditd.service Job for auditd.service
> failed because the control process exited with error code. See "systemctl
> status auditd.service" and "journalctl -xe" for details."
> 
> The output of the command, systemctl status auditd.service, is:
> "
> ● auditd.service - Security Auditing Service
>    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Thu 2018-07-19 18:12:50 UTC; 2min 8s ago
>      Docs: man:auditd(8)
>            https://github.com/linux-audit/audit-documentation
>   Process: 12119 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE)
> Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Starting Security Auditing Service...
> Jul 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Started dispatcher: /sbin/audispd pid: 12122
> Jul 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Error sending status request (Operation not permitted)
> Jul 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Error sending enable request (Operation not permitted)
> Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: auditd.service: control process exited, code=exited status=1
> Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Failed to start Security Auditing Service.
> Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Unit auditd.service entered failed state.
> Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: auditd.service failed."
> 
> Can someone please help me figure this issue out.

At the moment, auditd can be used inside a container only for aggregating 
logs from other systems. It cannot be used to get events relevant to the 
container or the host OS. If you want to aggregate only, then set 
local_events=no in auditd.conf.

Container support is still under development.

-Steve
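
One way to apply the local_events=no setting from the reply above idempotently, as an added example that is not part of the original thread or the audit project's code. The function names and the sample file contents are constructed, and matching the keyword case-insensitively is an assumption about the config parser.

```shell
#!/bin/sh
# Added example: manage the local_events key in an auditd.conf-style file.

# Print the active local_events value in FILE, or "unset" if no
# uncommented assignment exists.
get_local_events() {
    awk -F= '
        tolower($1) ~ /^[ \t]*local_events[ \t]*$/ {
            v = tolower($2); gsub(/[ \t\r]/, "", v); found = v
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Force a single "local_events = no" line in FILE. Commented-out lines are
# left alone, duplicate assignments are collapsed, a missing key is appended.
set_local_events_no() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -F= '
        tolower($1) ~ /^[ \t]*local_events[ \t]*$/ {
            if (!done) print "local_events = no"
            done = 1
            next
        }
        { print }
        END { if (!done) print "local_events = no" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample config, not a real system file.
demo=$(mktemp)
printf '%s\n' '# local_events = yes' \
    'log_file = /var/log/audit/audit.log' \
    'Local_Events = yes' > "$demo"
set_local_events_no "$demo"
echo "local_events is now: $(get_local_events "$demo")"
rm -f "$demo"
```

In a container image build, point set_local_events_no at the image's auditd.conf before the service is started.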






