audit watch rules and docker containers
Rakesh
raksac at yahoo.com
Mon Mar 5 03:06:44 UTC 2018
Hi Steve,
Thanks for taking the time to look at it. I have been following the conversation on adding container support to audit, however I am not looking for container id in the event.
I did some more tests and find it works as expected for syscalls -
-a always,exit -F arch=b64 -S connect -F exit!=-ENOENT -F key=connect
and the audit event in log is -
arch=c000003e syscall=42 success=yes exit=0 a0=1 a1=5562d1bb40f8 a2=16 a3=7ffd9db76460 items=1 ppid=2 pid=60470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-cgroups" exe="/lib/systemd/systemd-cgroups-agent" key="connect"
Bit it's the watch events which are not working.
Thanks,Rakesh
From: Steve Grubb <sgrubb at redhat.com>
To: Rakesh <raksac at yahoo.com>
Cc: "linux-audit at redhat.com" <linux-audit at redhat.com>
Sent: Sunday, March 4, 2018 5:00 AM
Subject: Re: audit watch rules and docker containers
On Sat, 3 Mar 2018 08:52:04 +0000 (UTC)
Rakesh <raksac at yahoo.com> wrote:
> Hello Auditd'ers,
>
>
>
> I am running a privileged container with pid, net, uts space shared
> with the host. The need is to be able to set file watch rules from
> the container say -k /etc -p rw -k containter_rule and then look for
> read/write access to files/directories in /var/log/audit/*.
Container support is just now being implemented.
https://www.redhat.com/archives/linux-audit/2018-March/msg00004.html
So, there is no good way right now to make this work like you would
expect it.
-Steve
> What I am
> finding is there are no watch events being logged If I set the same
> audit watch rule from the host (and not being in the privileged
> container) I am able to get audit events Using nsenter to switch
> namespace (nsenter -t 1 auditctl -k /etc -p rw -k containter_rule)
> does not help either I suspect the mnt namespace is different which
> is causing this oddity in behavior looking at container process
> namespace - test at ubuntu-16:~/audit$ sudo ls
> -latr /proc/26050/ns[sudo] password for test:total 0dr-xr-xr-x 9
> root root 0 Mar 2 16:58 ..dr-x--x--x 2 root root 0 Mar 2
> 17:46 .lrwxrwxrwx 1 root root 0 Mar 2 17:46 uts ->
> uts:[4026531838]lrwxrwxrwx 1 root root 0 Mar 2 17:46 user ->
> user:[4026531837]lrwxrwxrwx 1 root root 0 Mar 2 17:46 pid ->
> pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar 2 17:46 net ->
> net:[4026531957]lrwxrwxrwx 1 root root 0 Mar 2 17:46 mnt ->
> mnt:[4026532517]lrwxrwxrwx 1 root root 0 Mar 2 17:46 ipc ->
> ipc:[4026532518]lrwxrwxrwx 1 root root 0 Mar 2 17:46 cgroup ->
> cgroup:[4026531835] looking at init process namespace -
>
> test at ubuntu-16:~/audit$ sudo ls -latr /proc/1/nstotal 0dr-xr-xr-x 9
> root root 0 Mar 2 10:37 ..lrwxrwxrwx 1 root root 0 Mar 2 10:38 mnt
> -> mnt:[4026531840]dr-x--x--x 2 root root 0 Mar 2 10:38 .lrwxrwxrwx
> 1 root root 0 Mar 2 16:47 uts -> uts:[4026531838]lrwxrwxrwx 1 root
> root 0 Mar 2 16:47 user -> user:[4026531837]lrwxrwxrwx 1 root root 0
> Mar 2 16:47 pid -> pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar 2
> 16:47 net -> net:[4026531957]lrwxrwxrwx 1 root root 0 Mar 2 16:47
> ipc -> ipc:[4026531839]lrwxrwxrwx 1 root root 0 Mar 2 16:47 cgroup
> -> cgroup:[4026531835] Can someone please suggest with some thoughts
> on how to make this work. Thanks,Rakesh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20180305/764c4235/attachment.htm>
More information about the Linux-audit
mailing list