On 05/14/2015 09:57 AM, Steve Grubb wrote:
> Also, if the host OS cannot make sense of the information being logged because
> the pid maps to another process name, or a uid maps to another user, or a file
> access maps to something not in the host's, then we need the container to do
> its own auditing and resolve these mappings and optionally pass these to an
> aggregation server.
> Nothing else makes sense.
+1
Except, being that it IS a container, I'd say that for anyone who cares
about the audited data, the passing to an aggregation server would not
be optional.
At least not for any use-case I can envision.
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com