On 2023-05-01 11:01, Daniel Walsh wrote:
On 4/28/23 14:48, Steve Grubb wrote:
> On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote:
> > May I ask if Auditd supports Docker? Thank you
> >
https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html
> There is no active work that I know of to put auditd in a container. It's
> libraries are used by many applications. So, I don't know what use it would
> be to containerize it.
>
> And if you are asking if auditd can audit events in a container, I think that
> answer is also no.
>
> -Steve
I don't believe there is anything to prevent auditd from running within a
container. You can turn up and down the container to many different levels
or security separation. There will be some security things that need to be
turned off.
Running a contianer privileged will turn off almost everything form a
security perspective, and then running with some of the namespaces shared
with the host.
Something like
podman run --privileged --network=host --pid=host ... auditimage
Should work.
Later tightening up the security should also be possible, but you would need
to know what auditd needs access to.
With all that said, I am not sure what you are trying to achieve by
containerizing the audit daemon.
Audit currently requires access to the root userspace and pid
namespaces, so if the container shares those with the host, it should
run.
There are work items to address this, but they haven't been started in
ernest yet:
https://github.com/linux-audit/audit-kernel/issues/93
dependancies:
https://github.com/linux-audit/audit-kernel/issues/90
https://github.com/linux-audit/audit-kernel/issues/91
https://github.com/linux-audit/audit-kernel/issues/92
https://github.com/linux-audit/audit-kernel/issues/75
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635