RE: Audit Framework and namespaces

Thanks Richard. Your answer was indeed helpful. I was assigned to work on Open Switch in late October and to investigate providing an audit trail feature. Open Switch is a Linux based embedded Network Operating System. After some resource on audit functionality on Linux, the obvious choice was to leverage the Audit Framework. There was a question raised as to whether there was a name space incompatibility, but since Open Switch only uses network namespaces, that doesn't appear to be an issue. What we need to do is log who did what for any operation that changes the switch configuration. We have a variety of ways to modify the switch's configuration; REST, CLI, OVSDB API, and others. We want to use the audit library calls to log these changes. Is this reasonable? It took a month to get a Open Switch linux image put together that contains the audit framework. I've just started playing with it and have noticed that "auditd" exits with an error when running a docker container. Open Switch uses a docker container with a linux image which has a switch simulator that is used for development. Of course the actual released environment is using real switch hardware on a non-container based linux image. It appears that the audit framework does not work in a docker container. Are there plans to add support for containers or is there some magic instructions for getting auditd to work in a container? Scott Gulland 916.785.1497 HPE Networking, CEB R&D -----Original Message----- From: Richard Guy Briggs [mailto:rgb@redhat.com] Sent: Tuesday, November 03, 2015 11:44 AM To: Gulland, Scott A Cc: linux-audit(a)redhat.com Subject: Re: Audit Framework and namespaces On 15/11/03, Gulland, Scott A wrote: The quick answer is "Some". I am not aware of any restrictions on running audit services in MNT, UTS or IPC namespaces. The upstream kernel has support for running auditd in any network namespace. Additionally, processes with CAP_AUDIT_WRITE (generally to send AUDIT_USER_* class messages) can send from any PID namespace, but auditd is not permitted to run anywhere other than in the initial PID namespace. There is no support for any audit services from any USER namespace other than initial due to serious concerns with security, policy and experience still accumulating in that area. There are expectations that this latter will be supported in the future, but that needs planning, execution and thorough testing. I hope this helps answer your question. I note you didn't ask about audit working in containers, which is a harder question to answer clearly due to the definition of "container". The last point made in the paragraph above will get us closer to supporting audit services in Linux containers. - RGB -- Richard Guy Briggs <rbriggs(a)redhat.com&gt; Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545