Hi Steve,
Thanks for taking the time to look at it. I have been following the conversation on adding
container support to audit, however I am not looking for container id in the event.
I did some more tests and found it works as expected for syscalls -
-a always,exit -F arch=b64 -S connect -F exit!=-ENOENT -F key=connect
and the audit event in log is -
arch=c000003e syscall=42 success=yes exit=0 a0=1 a1=5562d1bb40f8 a2=16 a3=7ffd9db76460
items=1 ppid=2 pid=60470 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="systemd-cgroups"
exe="/lib/systemd/systemd-cgroups-agent" key="connect"
But it's the watch events which are not working.
Thanks, Rakesh
From: Steve Grubb <sgrubb(a)redhat.com>
To: Rakesh <raksac(a)yahoo.com>
Cc: "linux-audit(a)redhat.com" <linux-audit(a)redhat.com>
Sent: Sunday, March 4, 2018 5:00 AM
Subject: Re: audit watch rules and docker containers

On Sat, 3 Mar 2018 08:52:04 +0000 (UTC)
Rakesh <raksac(a)yahoo.com> wrote:
 Hello Auditd'ers,

 I am running a privileged container with pid, net, uts space shared
 with the host. The need is to be able to set file watch rules from
 the container say -k /etc -p rw -k containter_rule and then look for
 read/write access to files/directories in /var/log/audit/*.
Container support is just now being implemented.
https://www.redhat.com/archives/linux-audit/2018-March/msg00004.html
So, there is no good way right now to make this work like you would
expect it.
-Steve
 What I am finding is there are no watch events being logged. If I set the same
 audit watch rule from the host (and not being in the privileged container) I am
 able to get audit events. Using nsenter to switch namespace (nsenter -t 1
 auditctl -k /etc -p rw -k containter_rule) does not help either. I suspect the
 mnt namespace is different, which is causing this oddity in behavior.

 Looking at container process namespace -

 test@ubuntu-16:~/audit$ sudo ls -latr /proc/26050/ns
 [sudo] password for test:
 total 0
 dr-xr-xr-x 9 root root 0 Mar  2 16:58 ..
 dr-x--x--x 2 root root 0 Mar  2 17:46 .
 lrwxrwxrwx 1 root root 0 Mar  2 17:46 uts -> uts:[4026531838]
 lrwxrwxrwx 1 root root 0 Mar  2 17:46 user -> user:[4026531837]
 lrwxrwxrwx 1 root root 0 Mar  2 17:46 pid -> pid:[4026531836]
 lrwxrwxrwx 1 root root 0 Mar  2 17:46 net -> net:[4026531957]
 lrwxrwxrwx 1 root root 0 Mar  2 17:46 mnt -> mnt:[4026532517]
 lrwxrwxrwx 1 root root 0 Mar  2 17:46 ipc -> ipc:[4026532518]
 lrwxrwxrwx 1 root root 0 Mar  2 17:46 cgroup -> cgroup:[4026531835]

 Looking at init process namespace -

 test@ubuntu-16:~/audit$ sudo ls -latr /proc/1/ns
 total 0
 dr-xr-xr-x 9 root root 0 Mar  2 10:37 ..
 lrwxrwxrwx 1 root root 0 Mar  2 10:38 mnt -> mnt:[4026531840]
 dr-x--x--x 2 root root 0 Mar  2 10:38 .
 lrwxrwxrwx 1 root root 0 Mar  2 16:47 uts -> uts:[4026531838]
 lrwxrwxrwx 1 root root 0 Mar  2 16:47 user -> user:[4026531837]
 lrwxrwxrwx 1 root root 0 Mar  2 16:47 pid -> pid:[4026531836]
 lrwxrwxrwx 1 root root 0 Mar  2 16:47 net -> net:[4026531957]
 lrwxrwxrwx 1 root root 0 Mar  2 16:47 ipc -> ipc:[4026531839]
 lrwxrwxrwx 1 root root 0 Mar  2 16:47 cgroup -> cgroup:[4026531835]

 Can someone please suggest some thoughts on how to make this work?

 Thanks, Rakesh