"service auditd start" fails inside a container
Daniel Walsh
dwalsh at redhat.com
Mon May 1 15:01:42 UTC 2023
On 4/28/23 14:48, Steve Grubb wrote:
> On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote:
>> May I ask if Auditd supports Docker? Thank you
>> https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html
> There is no active work that I know of to put auditd in a container. Its
> libraries are used by many applications. So, I don't know what use it would
> be to containerize it.
>
> And if you are asking if auditd can audit events in a container, I think that
> answer is also no.
>
> -Steve
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
I don't believe there is anything to prevent auditd from running within
a container. You can turn up and down the container to many different
levels of security separation. There will be some security things that
need to be turned off.
Running a container privileged will turn off almost everything from a
security perspective, and then running with some of the namespaces
shared with the host.
Something like
podman run --privileged --network=host --pid=host ... auditimage
Should work.
Later tightening up the security should also be possible, but you would
need to know what auditd needs access to.
With all that said, I am not sure what you are trying to achieve by
containerizing the audit daemon.
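Tightening from --privileged starts with knowing which capabilities the container actually holds: the kernel's audit netlink interface requires CAP_AUDIT_CONTROL to configure auditing and CAP_AUDIT_WRITE to emit records, and that socket belongs to the host's network namespace, which is what --network=host keeps reachable. The script below is an added example and not part of this thread: it parses the CapEff mask from /proc/<pid>/status and reports the audit capabilities that are missing; the sample masks and the podman command line in the comment are illustrative assumptions, not a verified minimal configuration.

```shell
#!/bin/sh
# Audit-related capability bit numbers from <linux/capability.h>.
CAP_AUDIT_WRITE=29     # emit audit records over the audit netlink socket
CAP_AUDIT_CONTROL=30   # configure the audit subsystem (auditd's core need)
CAP_AUDIT_READ=37      # read the audit multicast stream

# cap_set MASKHEX BIT: succeed if bit BIT is set in the hex capability mask
# (the format of the CapEff line in /proc/<pid>/status).
cap_set() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# audit_caps_missing MASKHEX: print the audit capabilities absent from the
# mask, one per line, and fail if any is absent.
audit_caps_missing() {
    missing=""
    cap_set "$1" "$CAP_AUDIT_WRITE"   || missing="$missing cap_audit_write"
    cap_set "$1" "$CAP_AUDIT_CONTROL" || missing="$missing cap_audit_control"
    cap_set "$1" "$CAP_AUDIT_READ"    || missing="$missing cap_audit_read"
    [ -z "$missing" ] && return 0
    printf '%s\n' $missing
    return 1
}

# current_capeff: effective capability mask of this shell, read from /proc.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks: what a --privileged container holds, and a
# typical default unprivileged set, which carries cap_audit_write only.
PRIVILEGED_MASK=000001ffffffffff
DEFAULT_MASK=00000000a80425fb

# Report on the environment this script runs in. If the audit capabilities
# are the only gap, a narrower run such as (assumption, to be verified
# against the daemon's real needs):
#   podman run --cap-drop=all --cap-add=audit_write,audit_control,audit_read \
#       --network=host --pid=host ... auditimage
# is the next step instead of --privileged.
if [ -r /proc/self/status ]; then
    if audit_caps_missing "$(current_capeff)" >/dev/null; then
        echo "all audit capabilities present in this process"
    else
        echo "audit capabilities missing from this process:"
        audit_caps_missing "$(current_capeff)"
    fi
fi
```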