Separating Container(docker) Logs
- First Post
- Replies
- Stats
-
Go to
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
Hello,
I have been using Linux Audit Module for a while now especially in the
context of container(docker) environment. I use SELinux MCS labels with
docker --selinux-enabled to separate different container logs in auditd log
stream. But this solution is very limited to SELinux enabled OS and cannot
be ported to other systems like Ubuntu which uses AppArmour. So I am
looking for some other way to separate each container logs in auditd log
stream. If somebody can give me pointers or patches that makes
auditd container aware it will be really helpful for me.
Thanks,
Wajih
Attachments:
- attachment.html (text/html — 631 bytes)
On Friday, March 10, 2017 11:47:06 PM EST Wajih Ul Hassan wrote:
I have been using Linux Audit Module for a while now especially in
the
context of container(docker) environment. I use SELinux MCS labels with
docker --selinux-enabled to separate different container logs in auditd log
stream. But this solution is very limited to SELinux enabled OS and cannot
be ported to other systems like Ubuntu which uses AppArmour. So I am
looking for some other way to separate each container logs in auditd log
stream. If somebody can give me pointers or patches that makes
auditd container aware it will be really helpful for me.
This is slowly being pulled together. This has to be done with common criteria
(CC) certifications in mind since pci-dss, STIG, various contracting language
all call out for or assume a common criteria certification. The first step in
this direction was in pulling together a specification for container management
events based on the virtualization protection profile.
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Virtualizati...
The next step is to define what a container is and the use cases. From that we
can advance the specification for auditing as it relates to containers. We will
be digging into this soon. We can't really press forward without understanding
all the certification requirements and this may even take some committee work
to iron out the CC requirements. I'd hate to do something and then find out it
doesn't meet requirements and undo and redo how it works. That would be too
much disruption for utilities that might process the information.
So, I think the answer for right now is you have to use labels. But this will
get addressed in the coming months.
-Steve
2842
days inactive
2842
days old
linux-audit@lists.linux-audit.osci.io
1 comments
2 participants
tags (0)
participants (2)
-
Steve Grubb -
Wajih Ul Hassan