Audit, lxc containers and logged paths
by Michele Giacomoli
Hello everybody,
I need to watch folders inside unprivileged linux containers. From what
I know it's not possible to run audit inside a lxc guest, so I set up
audit inside the host to log access to dirs using absolute path (e.g.
/var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a look at
the logs I found that both the paths of the executable and the path that
has been accessed are relative to the container (i.e. /bin/ls and
/etc/passwd), so I don't have a clue of which is the container that
generated the record. I could compare the uid that generated it whith
the uids set for the containers, but it seems an ugly solution.
Can audit be configured for logging the absolute paths, or give me a
hint of the container that generated the record?
Best regards
Michele
8 years, 4 months