12:27 p.m.
Hello everybody,
I need to watch folders inside unprivileged linux containers. From what
I know it's not possible to run audit inside a lxc guest, so I set up
audit inside the host to log access to dirs using absolute path (e.g.
/var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a look at
the logs I found that both the paths of the executable and the path that
has been accessed are relative to the container (i.e. /bin/ls and
/etc/passwd), so I don't have a clue of which is the container that
generated the record. I could compare the uid that generated it whith
the uids set for the containers, but it seems an ugly solution.
Can audit be configured for logging the absolute paths, or give me a
hint of the container that generated the record?
Best regards
Michele
12:40 p.m.
Sorry, forgot to mention:
Host is Ubuntu 14.04, while guests are different Ubuntu versions
Audit is installed from Ubuntu repos (version 1:2.3.2-2ubuntu1)
Thank you
Il 30/06/2016 19:27, Michele Giacomoli ha scritto:
Hello everybody,
I need to watch folders inside unprivileged linux containers. From
what I know it's not possible to run audit inside a lxc guest, so I
set up audit inside the host to log access to dirs using absolute path
(e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a
look at the logs I found that both the paths of the executable and the
path that has been accessed are relative to the container (i.e.
/bin/ls and /etc/passwd), so I don't have a clue of which is the
container that generated the record. I could compare the uid that
generated it whith the uids set for the containers, but it seems an
ugly solution.
Can audit be configured for logging the absolute paths, or give me a
hint of the container that generated the record?
Best regards
Michele
1:09 p.m.
On 2016-06-30 19:27, Michele Giacomoli wrote:
Hello everybody,
Hi Michele,
I need to watch folders inside unprivileged linux containers. From
what I know it's not possible to run audit inside a lxc guest, so I
set up audit inside the host to log access to dirs using absolute
path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
giving a look at the logs I found that both the paths of the
executable and the path that has been accessed are relative to the
container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
which is the container that generated the record. I could compare
the uid that generated it whith the uids set for the containers, but
it seems an ugly solution.
General topics surrounding this sort of issue have been discussed on
this list over the last couple of year. The way things are currently
set up you are correct in the current way to address this problem. The
kernel currently has no concept of containers.
Can audit be configured for logging the absolute paths, or give me a
hint of the container that generated the record?
There have been some proposals to address this sort of challenge, but
there is no consensus yet. I'm doing a presentaiton at the Linux
Security Summit in Toronto this year in August that will touch on some
of these issues and how we might address them. Some approaches document
the namespaces of events and others allow audit to run in the container.
(As to the follow-on reply, at this point the distribution is irrelevant
since it isn't in the upstream kernel yet.)
Michele
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
2:40 a.m.
Got it. Thank you very much Richard
Il 30/06/2016 20:09, Richard Guy Briggs ha scritto:
On 2016-06-30 19:27, Michele Giacomoli wrote:
> Hello everybody,
Hi Michele,
> I need to watch folders inside unprivileged linux containers. From
> what I know it's not possible to run audit inside a lxc guest, so I
> set up audit inside the host to log access to dirs using absolute
> path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
> giving a look at the logs I found that both the paths of the
> executable and the path that has been accessed are relative to the
> container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
> which is the container that generated the record. I could compare
> the uid that generated it whith the uids set for the containers, but
> it seems an ugly solution.
General topics surrounding this sort of issue have been discussed on
this list over the last couple of year. The way things are currently
set up you are correct in the current way to address this problem. The
kernel currently has no concept of containers.
> Can audit be configured for logging the absolute paths, or give me a
> hint of the container that generated the record?
There have been some proposals to address this sort of challenge, but
there is no consensus yet. I'm doing a presentaiton at the Linux
Security Summit in Toronto this year in August that will touch on some
of these issues and how we might address them. Some approaches document
the namespaces of events and others allow audit to run in the container.
(As to the follow-on reply, at this point the distribution is irrelevant
since it isn't in the upstream kernel yet.)
> Michele
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
3095
days inactive
3096
days old
linux-audit@lists.linux-audit.osci.io
3 comments
2 participants
participants (2)
-
Michele Giacomoli -
Richard Guy Briggs