audit watch rules and docker containers

Rakesh raksac at yahoo.com
Sat Mar 3 08:52:04 UTC 2018


Hello Auditd'ers,



I am running a privileged container with the pid, net and uts namespaces shared with the host. The need is to be able to set file watch rules from inside the container, say
-w /etc -p rw -k containter_rule
and then look for read/write access to files/directories in /var/log/audit/*.
What I am finding is that there are no watch events being logged.
If I set the same audit watch rule from the host (and not from inside the privileged container) I am able to get audit events.
Using nsenter to switch namespace (nsenter -t 1 auditctl -w /etc -p rw -k containter_rule) does not help either.
I suspect the mnt namespace is different, which is causing this oddity in behavior.
Looking at the container process namespaces:

test at ubuntu-16:~/audit$ sudo ls -latr /proc/26050/ns
[sudo] password for test:
total 0
dr-xr-xr-x 9 root root 0 Mar  2 16:58 ..
dr-x--x--x 2 root root 0 Mar  2 17:46 .
lrwxrwxrwx 1 root root 0 Mar  2 17:46 uts -> uts:[4026531838]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 net -> net:[4026531957]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 mnt -> mnt:[4026532517]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 ipc -> ipc:[4026532518]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 cgroup -> cgroup:[4026531835]
Looking at the init process namespaces:

test at ubuntu-16:~/audit$ sudo ls -latr /proc/1/ns
total 0
dr-xr-xr-x 9 root root 0 Mar  2 10:37 ..
lrwxrwxrwx 1 root root 0 Mar  2 10:38 mnt -> mnt:[4026531840]
dr-x--x--x 2 root root 0 Mar  2 10:38 .
lrwxrwxrwx 1 root root 0 Mar  2 16:47 uts -> uts:[4026531838]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 net -> net:[4026531957]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 cgroup -> cgroup:[4026531835]
Can someone please share some thoughts on how to make this work?

Thanks,
Rakesh
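A small defender-side check that automates what the post does by hand, added here as an example and not part of the original message or of the audit project: it parses the two `ls -l /proc/<pid>/ns` listings above to find which namespaces differ between the container process and init, and it scans audit log records for a rule key to confirm whether a watch is actually producing events. The namespace inodes are copied from the post; the audit log lines are constructed for the example, and the `read_ns_links` helper for live hosts assumes a Linux /proc. The point the check makes visible is that a `-w` watch resolves its path in the mount namespace of the process that loads the rule, so when `mnt` differs (as it does here), the watch installed from the container is bound to the container's view of /etc rather than the host's.

```python
"""Compare process namespaces and confirm that an auditd watch key yields events.

Added example. Namespace listings come from the post above; the audit log
records below are constructed sample data, not a capture from any host."""
import os
import re
from typing import Dict, Iterable, List, Set

NS_LINK_RE = re.compile(r"(\w+) -> (\w+):\[(\d+)\]")
AUDIT_MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
AUDIT_KEY_RE = re.compile(r'key="([^"]*)"')

# Listings copied from the post (ls -latr /proc/26050/ns and /proc/1/ns).
CONTAINER_NS_LISTING = """\
lrwxrwxrwx 1 root root 0 Mar  2 17:46 uts -> uts:[4026531838]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 net -> net:[4026531957]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 mnt -> mnt:[4026532517]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 ipc -> ipc:[4026532518]
lrwxrwxrwx 1 root root 0 Mar  2 17:46 cgroup -> cgroup:[4026531835]
"""
INIT_NS_LISTING = """\
lrwxrwxrwx 1 root root 0 Mar  2 10:38 mnt -> mnt:[4026531840]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 uts -> uts:[4026531838]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 user -> user:[4026531837]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 pid -> pid:[4026531836]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 net -> net:[4026531957]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 ipc -> ipc:[4026531839]
lrwxrwxrwx 1 root root 0 Mar  2 16:47 cgroup -> cgroup:[4026531835]
"""

# Constructed audit.log records: one SYSCALL record tagged with the key from
# the post, one tagged with an unrelated key, and one PATH record with no key.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1520000000.123:101): arch=c000003e syscall=2 '
    'success=yes exit=3 a0=7ffd a1=0 uid=0 comm="cat" exe="/bin/cat" key="containter_rule"',
    'type=PATH msg=audit(1520000000.123:101): item=0 name="/etc/hostname" inode=1234',
    'type=SYSCALL msg=audit(1520000001.456:102): arch=c000003e syscall=2 '
    'success=yes exit=4 uid=1000 comm="vim" exe="/usr/bin/vim" key="other_rule"',
]


def parse_ns_listing(listing: str) -> Dict[str, int]:
    """Turn `ls -l /proc/<pid>/ns` output into {namespace: inode}."""
    result: Dict[str, int] = {}
    for line in listing.splitlines():
        m = NS_LINK_RE.search(line)
        if m and m.group(1) == m.group(2):  # "mnt -> mnt:[...]"
            result[m.group(1)] = int(m.group(3))
    return result


def read_ns_links(pid: int) -> Dict[str, int]:
    """Same shape as parse_ns_listing, but read from a live Linux /proc."""
    ns_dir = f"/proc/{pid}/ns"
    result: Dict[str, int] = {}
    for name in os.listdir(ns_dir):
        target = os.readlink(os.path.join(ns_dir, name))  # e.g. "mnt:[4026531840]"
        m = re.fullmatch(r"(\w+):\[(\d+)\]", target)
        if m:
            result[name] = int(m.group(2))
    return result


def differing_namespaces(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    """Namespaces whose inode differs (or is missing) between two processes."""
    return {ns for ns in a.keys() | b.keys() if a.get(ns) != b.get(ns)}


def events_for_key(log_lines: Iterable[str], key: str) -> List[str]:
    """Serial numbers of audit events whose record carries the given rule key."""
    serials: List[str] = []
    for line in log_lines:
        km = AUDIT_KEY_RE.search(line)
        mm = AUDIT_MSG_RE.search(line)
        if km and mm and km.group(1) == key:
            serials.append(mm.group(2))
    return serials


def watch_diagnosis(container_ns: Dict[str, int], init_ns: Dict[str, int]) -> str:
    """Explain, from the namespace diff, where a watch loaded in the container binds."""
    diff = differing_namespaces(container_ns, init_ns)
    if "mnt" in diff:
        return "mnt differs: a -w rule loaded in the container resolves the path in " \
               "the container's mount namespace, not the host's"
    return "mount namespace shared: the watch path resolves to the same inode as on the host"


if __name__ == "__main__":
    c = parse_ns_listing(CONTAINER_NS_LISTING)
    i = parse_ns_listing(INIT_NS_LISTING)
    print("differing namespaces:", sorted(differing_namespaces(c, i)))
    print(watch_diagnosis(c, i))
    print("events for containter_rule:", events_for_key(SAMPLE_AUDIT_LINES, "containter_rule"))
```

On a live host, `read_ns_links(1)` and `read_ns_links(<container pid>)` replace the pasted listings; an empty list from `events_for_key` over /var/log/audit/audit.log after a test read of the watched path is the same symptom the post describes, and a `mnt` entry in the diff is the first thing to look at.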

