Re: Audit, lxc containers and logged paths

On 2016-06-30 19:27, Michele Giacomoli wrote: > Hello everybody, Hi Michele, > I need to watch folders inside unprivileged linux containers. From > what I know it's not possible to run audit inside a lxc guest, so I > set up audit inside the host to log access to dirs using absolute > path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but > giving a look at the logs I found that both the paths of the > executable and the path that has been accessed are relative to the > container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of > which is the container that generated the record. I could compare > the uid that generated it whith the uids set for the containers, but > it seems an ugly solution. General topics surrounding this sort of issue have been discussed on this list over the last couple of year. The way things are currently set up you are correct in the current way to address this problem. The kernel currently has no concept of containers. > Can audit be configured for logging the absolute paths, or give me a > hint of the container that generated the record? There have been some proposals to address this sort of challenge, but there is no consensus yet. I'm doing a presentaiton at the Linux Security Summit in Toronto this year in August that will touch on some of these issues and how we might address them. Some approaches document the namespaces of events and others allow audit to run in the container. (As to the follow-on reply, at this point the distribution is irrelevant since it isn't in the upstream kernel yet.) > Michele - RGB -- Richard Guy Briggs <rgb(a)redhat.com&gt; Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635