Re: Separating Container(docker) Logs

[Steve Grubb <sgrubb@redhat.com>]

On Friday, March 10, 2017 11:47:06 PM EST Wajih Ul Hassan wrote:
> I have been using Linux Audit Module for a while now especially in the
> context of container(docker) environment. I use SELinux MCS labels with
> docker --selinux-enabled to separate different container logs in auditd log
> stream. But this solution is very limited to SELinux enabled OS and cannot
> be ported to other systems like Ubuntu which uses AppArmour. So I am
> looking for some other way to separate each container logs in auditd log
> stream. If somebody can give me pointers or patches that makes
> auditd container aware it will be really helpful for me.

This is slowly being pulled together. This has to be done with common criteria 
(CC) certifications in mind since pci-dss, STIG, various contracting language 
all call out for or assume a common criteria certification. The first step in 
this direction was in pulling together a specification for container management 
events based on the virtualization protection profile.

https://github.com/linux-audit/audit-documentation/wiki/SPEC-Virtualization-Manager-Guest-Lifecycle-Events

The next step is to define what a container is and the use cases. From that we 
can advance the specification for auditing as it relates to containers. We will 
be digging into this soon. We can't really press forward without understanding 
all the certification requirements and this may even take some committee work 
to iron out the CC requirements. I'd hate to do something and then find out it 
doesn't meet requirements and undo and redo how it works. That would be too 
much disruption for utilities that might process the information.

So, I think the answer for right now is you have to use labels. But this will 
get addressed in the coming months.

-Steve