* Separating Container(docker) Logs
@ 2017-03-11 4:47 Wajih Ul Hassan
2017-03-11 18:31 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: Wajih Ul Hassan @ 2017-03-11 4:47 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 577 bytes --]
Hello,
I have been using Linux Audit Module for a while now especially in the
context of container(docker) environment. I use SELinux MCS labels with
docker --selinux-enabled to separate different container logs in auditd log
stream. But this solution is very limited to SELinux enabled OS and cannot
be ported to other systems like Ubuntu which uses AppArmour. So I am
looking for some other way to separate each container logs in auditd log
stream. If somebody can give me pointers or patches that makes
auditd container aware it will be really helpful for me.
Thanks,
Wajih
[-- Attachment #1.2: Type: text/html, Size: 632 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Separating Container(docker) Logs
2017-03-11 4:47 Separating Container(docker) Logs Wajih Ul Hassan
@ 2017-03-11 18:31 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2017-03-11 18:31 UTC (permalink / raw)
To: linux-audit; +Cc: Wajih Ul Hassan
On Friday, March 10, 2017 11:47:06 PM EST Wajih Ul Hassan wrote:
> I have been using Linux Audit Module for a while now especially in the
> context of container(docker) environment. I use SELinux MCS labels with
> docker --selinux-enabled to separate different container logs in auditd log
> stream. But this solution is very limited to SELinux enabled OS and cannot
> be ported to other systems like Ubuntu which uses AppArmour. So I am
> looking for some other way to separate each container logs in auditd log
> stream. If somebody can give me pointers or patches that makes
> auditd container aware it will be really helpful for me.
This is slowly being pulled together. This has to be done with common criteria
(CC) certifications in mind since pci-dss, STIG, various contracting language
all call out for or assume a common criteria certification. The first step in
this direction was in pulling together a specification for container management
events based on the virtualization protection profile.
https://github.com/linux-audit/audit-documentation/wiki/SPEC-Virtualization-Manager-Guest-Lifecycle-Events
The next step is to define what a container is and the use cases. From that we
can advance the specification for auditing as it relates to containers. We will
be digging into this soon. We can't really press forward without understanding
all the certification requirements and this may even take some committee work
to iron out the CC requirements. I'd hate to do something and then find out it
doesn't meet requirements and undo and redo how it works. That would be too
much disruption for utilities that might process the information.
So, I think the answer for right now is you have to use labels. But this will
get addressed in the coming months.
-Steve
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-03-11 18:31 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-11 4:47 Separating Container(docker) Logs Wajih Ul Hassan
2017-03-11 18:31 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.