audit watch rules and docker containers

Steve Grubb sgrubb at redhat.com
Sun Mar 4 13:00:43 UTC 2018


On Sat, 3 Mar 2018 08:52:04 +0000 (UTC)
Rakesh <raksac at yahoo.com> wrote:

> Hello Auditd'ers,
> 
> I am running a privileged container with pid, net, uts space shared
> with the host. The need is to be able to set file watch rules from
> the container say -k /etc -p rw -k containter_rule and then look for
> read/write access to files/directories in /var/log/audit/*.

Container support is just now being implemented.

https://www.redhat.com/archives/linux-audit/2018-March/msg00004.html

So, there is no good way right now to make this work like you would
expect it.

-Steve

> What I am finding is there are no watch events being logged. If I set
> the same audit watch rule from the host (and not being in the
> privileged container) I am able to get audit events. Using nsenter to
> switch namespace (nsenter -t 1 auditctl -k /etc -p rw -k containter_rule)
> does not help either. I suspect the mnt namespace is different, which
> is causing this oddity in behavior.
> 
> Looking at container process namespace -
> 
> test@ubuntu-16:~/audit$ sudo ls -latr /proc/26050/ns
> [sudo] password for test:
> total 0
> dr-xr-xr-x 9 root root 0 Mar  2 16:58 ..
> dr-x--x--x 2 root root 0 Mar  2 17:46 .
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 uts -> uts:[4026531838]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 user -> user:[4026531837]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 pid -> pid:[4026531836]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 net -> net:[4026531957]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 mnt -> mnt:[4026532517]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 ipc -> ipc:[4026532518]
> lrwxrwxrwx 1 root root 0 Mar  2 17:46 cgroup -> cgroup:[4026531835]
> 
> Looking at init process namespace -
> 
> test@ubuntu-16:~/audit$ sudo ls -latr /proc/1/ns
> total 0
> dr-xr-xr-x 9 root root 0 Mar  2 10:37 ..
> lrwxrwxrwx 1 root root 0 Mar  2 10:38 mnt -> mnt:[4026531840]
> dr-x--x--x 2 root root 0 Mar  2 10:38 .
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 uts -> uts:[4026531838]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 user -> user:[4026531837]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 pid -> pid:[4026531836]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 net -> net:[4026531957]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 ipc -> ipc:[4026531839]
> lrwxrwxrwx 1 root root 0 Mar  2 16:47 cgroup -> cgroup:[4026531835]
> 
> Can someone please suggest some thoughts on how to make this work?
> 
> Thanks,
> Rakesh