"service auditd start" fails inside a container
Richard Guy Briggs
rgb at redhat.com
Tue May 2 13:27:31 UTC 2023
On 2023-05-01 11:01, Daniel Walsh wrote:
> On 4/28/23 14:48, Steve Grubb wrote:
> > On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote:
> > > May I ask if Auditd supports Docker? Thank you
> > > https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html
> > There is no active work that I know of to put auditd in a container. It's
> > libraries are used by many applications. So, I don't know what use it would
> > be to containerize it.
> >
> > And if you are asking if auditd can audit events in a container, I think that
> > answer is also no.
> >
> > -Steve
>
> I don't believe there is anything to prevent auditd from running within a
> container. You can turn up and down the container to many different levels
> or security separation. There will be some security things that need to be
> turned off.
>
> Running a contianer privileged will turn off almost everything form a
> security perspective, and then running with some of the namespaces shared
> with the host.
>
> Something like
>
> podman run --privileged --network=host --pid=host ... auditimage
>
> Should work.
>
> Later tightening up the security should also be possible, but you would need
> to know what auditd needs access to.
>
> With all that said, I am not sure what you are trying to achieve by
> containerizing the audit daemon.
Audit currently requires access to the root userspace and pid
namespaces, so if the container shares those with the host, it should
run.
There are work items to address this, but they haven't been started in
ernest yet:
https://github.com/linux-audit/audit-kernel/issues/93
dependancies:
https://github.com/linux-audit/audit-kernel/issues/90
https://github.com/linux-audit/audit-kernel/issues/91
https://github.com/linux-audit/audit-kernel/issues/92
https://github.com/linux-audit/audit-kernel/issues/75
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list