audit watch rules and docker containers

Steve Grubb sgrubb at redhat.com
Mon Mar 5 22:53:27 UTC 2018


On Mon, 5 Mar 2018 03:06:44 +0000 (UTC)
Rakesh <raksac at yahoo.com> wrote:

> Hi Steve,
> Thanks for taking the time to look at it. I have been following the
> conversation on adding container support to audit, however I am not
> looking for container id in the event. I did some more tests and find
> it works as expected for syscalls - -a always,exit -F arch=b64 -S
> connect -F exit!=-ENOENT -F key=connect
> 
> and the audit event in log is -
> arch=c000003e syscall=42 success=yes exit=0 a0=1 a1=5562d1bb40f8
> a2=16 a3=7ffd9db76460 items=1 ppid=2 pid=60470 auid=4294967295 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="systemd-cgroups"
> exe="/lib/systemd/systemd-cgroups-agent" key="connect"
> 
> But it's the watch events which are not working.

Watches are a convenience that changes a human path into a device and
inode. That is really what is watched. I think that if you have a watch
on /etc/passwd, and a container has its own /etc/passwd, then you will
have a different inode if not device.

Hopefully this is being taken into account with the redesign or at
least the ability to express that you want them all somehow.

-Steve
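To make Steve's point concrete, here is an added example (not part of the thread, and not audit's own code) that resolves a path to the (device, inode) pair a watch rule is really keyed on. It builds two constructed root trees in temporary directories, standing in for the host and a container's own filesystem, each with an etc/passwd, and shows that a key taken from the host copy does not match the container's copy even though the path inside each root is identical; the helper that collects one key per root is an assumption about how one might "want them all", not an existing audit feature.

```python
import os
import tempfile
from pathlib import Path


def watch_key(path):
    """Resolve a path the way an audit watch does: to its (st_dev, st_ino) pair."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def watch_matches(rule_key, event_path):
    """True only if event_path refers to the same filesystem object the rule resolved to."""
    return watch_key(event_path) == rule_key


def keys_for_roots(rel_path, roots):
    """Hypothetical helper: one (dev, ino) key per root for the same relative path,
    i.e. what a rule would have to expand to in order to cover every copy."""
    return {watch_key(Path(root) / rel_path) for root in roots}


def demo_same_path_different_roots():
    """Constructed sample data: a fake host root and a fake container root,
    each holding etc/passwd with identical content."""
    with tempfile.TemporaryDirectory() as host_root, tempfile.TemporaryDirectory() as ctr_root:
        host_passwd = Path(host_root) / "etc" / "passwd"
        ctr_passwd = Path(ctr_root) / "etc" / "passwd"
        for p in (host_passwd, ctr_passwd):
            p.parent.mkdir(parents=True)
            p.write_text("root:x:0:0:root:/root:/bin/bash\n")  # constructed content

        # What a `-w /etc/passwd` rule loaded on the host actually pins down.
        host_rule_key = watch_key(host_passwd)
        # What a rule expanded over both roots would pin down.
        all_keys = keys_for_roots(Path("etc") / "passwd", [host_root, ctr_root])

        return {
            "host_hit": watch_matches(host_rule_key, host_passwd),
            "container_hit": watch_matches(host_rule_key, ctr_passwd),
            "container_hit_with_all_roots": watch_key(ctr_passwd) in all_keys,
        }


if __name__ == "__main__":
    print(demo_same_path_different_roots())
```

The container copy is a distinct inode (and, with a separate overlay or volume, often a distinct device), so the host rule never fires for it.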