On Wed, Feb 3, 2016 at 9:08 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Wed, 3 Feb 2016 07:57:52 -0500
> Paul Moore <paul(a)paul-moore.com> wrote:
> > On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > On Wed, 3 Feb 2016 15:34:09 +0530
> > > Sowndarya K <sowndaryak18(a)gmail.com> wrote:
> > >> I am running a docker container without privileges and now "service
> > >> auditd start" fails to execute even when I add capabilities to docker.
> > >> Please try to help me as early as possible.
> > >
> > > If auditd is being run inside a container, then it has problems
> > > because the audit subsystem inside the kernel isn't container
> > > aware/namespaced. I have recently made changes to auditd in svn for
> > > the next release which allows auditd to run as a log _aggregator_
> > > inside a container. This means it has no knowledge of events coming
> > > from within the container but can act as an aggregator for systems
> > > doing remote logging.
> >
> > To add some commentary to this: we are not going to namespace the
> > audit subsystem like other subsystems, but making audit *aware* of
> > namespaces is on the todo list.
>
> OK. Suppose I go out and rent a virtualized server with root access for
> my web site. Turns out the company that is leasing me time used
> containers as their method of virtualizing. My web site runs fine in a
> container, so no big deal. However, as a customer, I would want access
> to the logs for my container directly in the container. As a matter of
> fact, it's a PCI DSS requirement to have access to those logs.
>
> I really think the audit system _has to be_ namespaced, somehow, for
> compliance reasons.

Having access to audit events generated inside a namespace (or set of
namespaces to be more specific), and only generated inside a namespace
(or set of ...), does not require the audit subsystem to be
namespaced; however, it does require the audit subsystem to recognize
namespaces and associate them with events so that they can be tagged
and routed accordingly. Based on previous conversations, I suspect we
have the same goals/ideas and are just using different terminology. I
wouldn't worry too much about it at this point as that work is still
in the early stages.
--
paul moore
www.paul-moore.com
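The "tag and route" model Paul describes above (events carry a namespace identifier, an aggregator delivers each event only to the tenant that owns that namespace) can be sketched in user space. The following is an added example written for this page; it is not code from the thread, from auditd, or from the kernel audit subsystem. The records are constructed in the standard auditd text format (type=... msg=audit(timestamp:serial): key=value ...), but the netns= and mntns= fields on them are an assumption: the 2016 kernel emitted no such fields, and the example only assumes that some per-event namespace tag of that shape would exist. Records sharing a serial are grouped into one event, events are routed to a "host" queue (the operator sees everything) and to at most one tenant queue, and an event whose records disagree about their tag is refused rather than delivered to a tenant.

```python
import re
from collections import OrderedDict

# Constructed sample records in auditd's text format. The netns= and mntns=
# fields are an ASSUMPTION standing in for a per-event namespace tag; real
# records of this era carry no such fields. Event 202 is deliberately untagged
# (a host-level event) so that routing of untagged events is exercised.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1454511600.101:201): arch=c000003e syscall=59 success=yes exit=0 pid=1201 uid=0 comm="httpd" exe="/usr/sbin/httpd" netns=4026532281 mntns=4026532279
type=EXECVE msg=audit(1454511600.101:201): argc=1 a0="/usr/sbin/httpd"
type=SYSCALL msg=audit(1454511600.105:202): arch=c000003e syscall=2 success=no exit=-13 pid=800 uid=1000 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1454511600.105:202): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1454511600.110:203): arch=c000003e syscall=1 success=yes exit=12 pid=1350 uid=0 comm="sh" exe="/bin/dash" netns=4026532391 mntns=4026532389
"""

# Hypothetical tenant table: which network namespace inode each tenant owns.
TENANTS = {
    "tenant-a": {"netns": "4026532281"},
    "tenant-b": {"netns": "4026532391"},
}

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Parse auditd text records into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        records.append({"type": rtype, "ts": ts, "serial": serial, "fields": fields})
    return records


def group_events(records):
    """Group records into events: every record with the same serial belongs to one event."""
    events = OrderedDict()
    for r in records:
        events.setdefault(r["serial"], []).append(r)
    return events


def event_namespace(event):
    """Return the single netns tag carried by the event, None if untagged.

    Records of one event may omit the tag (auxiliary records), but two records
    carrying different tags mean the event cannot be attributed safely.
    """
    tags = {r["fields"]["netns"] for r in event if "netns" in r["fields"]}
    if len(tags) > 1:
        raise ValueError("conflicting namespace tags in one event: %s" % sorted(tags))
    return tags.pop() if tags else None


def route_events(events, tenants):
    """Deliver every event to 'host' and to the one tenant whose netns matches its tag."""
    queues = {"host": []}
    for name in tenants:
        queues[name] = []
    by_ns = {cfg["netns"]: name for name, cfg in tenants.items()}
    for serial, event in events.items():
        queues["host"].append(serial)
        tenant = by_ns.get(event_namespace(event))
        if tenant is not None:
            queues[tenant].append(serial)   # untagged events reach no tenant
    return queues


if __name__ == "__main__":
    routed = route_events(group_events(parse_records(SAMPLE_LOG)), TENANTS)
    for queue, serials in routed.items():
        print(queue, serials)
```

Routing keys on the event, not on individual records, because auditd consumers reassemble SYSCALL/EXECVE/PATH records by serial; routing record by record would split one event across tenants whenever only the SYSCALL record carries the tag.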