On Mon, 5 Mar 2018 03:06:44 +0000 (UTC)
Rakesh <raksac(a)yahoo.com> wrote:
Hi Steve,
Thanks for taking the time to look at it. I have been following the
conversation on adding container support to audit, however I am not
looking for container id in the event. I did some more tests and found
it works as expected for syscalls -
-a always,exit -F arch=b64 -S connect -F exit!=-ENOENT -F key=connect
and the audit event in log is -
arch=c000003e syscall=42 success=yes exit=0 a0=1 a1=5562d1bb40f8
a2=16 a3=7ffd9db76460 items=1 ppid=2 pid=60470 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="systemd-cgroups"
exe="/lib/systemd/systemd-cgroups-agent" key="connect"
But it's the watch events which are not working.
Watches are a convenience that changes a human path into a device and
inode. That is really what is watched. I think that if you have a watch
on /etc/passwd, and a container has its own /etc/passwd, then you will
have a different inode if not device.
Hopefully this is being taken into account with the redesign or at
least the ability to express that you want them all somehow.
-Steve
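The point Steve makes above, that a watch resolves a path to a (device, inode) pair and a container's own /etc/passwd is a different inode, can be checked directly from userspace. The script below is an added example, not code from the thread or from the audit project: it builds a constructed "host" and "container" tree in a temporary directory, then compares file identity the way an inode-based watch would. The helper names (file_identity, watch_matches, demo) are this example's own.

```python
import os
import tempfile


def file_identity(path):
    """Return the (device, inode) pair that an audit watch on `path` really keys on."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def watch_matches(watched_path, candidate_path):
    """True if an inode-based watch placed on `watched_path` would also
    fire for accesses to `candidate_path` (same device and inode)."""
    return file_identity(watched_path) == file_identity(candidate_path)


def demo():
    """Constructed layout: host/etc/passwd, container/etc/passwd (a separate
    file with the same relative path), and a hard link to the host file."""
    with tempfile.TemporaryDirectory() as root:
        host_etc = os.path.join(root, "host", "etc")
        ctr_etc = os.path.join(root, "container", "etc")
        os.makedirs(host_etc)
        os.makedirs(ctr_etc)

        host_passwd = os.path.join(host_etc, "passwd")
        ctr_passwd = os.path.join(ctr_etc, "passwd")
        with open(host_passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample content
        with open(ctr_passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")    # constructed sample content

        # A hard link is a second path to the *same* inode.
        alias = os.path.join(host_etc, "passwd.link")
        os.link(host_passwd, alias)

        return {
            # Same relative path "/etc/passwd", different file: not watched.
            "container_copy_seen": watch_matches(host_passwd, ctr_passwd),
            # Different path, same inode: still covered by the watch.
            "hardlink_seen": watch_matches(host_passwd, alias),
        }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name}: {seen}")
```

Run as a script it prints `container_copy_seen: False` and `hardlink_seen: True`, which is exactly the asymmetry in the reply: the watch follows the inode, not the human path, so a per-container copy of the file needs its own watch (or a way to express "all of them"), while an extra path to the same inode needs nothing.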