From: Michele Giacomoli
Subject: Audit, lxc containers and logged paths
Date: Thu, 30 Jun 2016 19:27:21 +0200
Message-ID: <57755679.7090007@mynet.it>
To: linux-audit@redhat.com

Hello everybody,

I need to watch folders inside unprivileged linux containers. From what I know it's not possible to run audit inside a lxc guest, so I set up audit inside the host to log access to dirs using absolute path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a look at the logs I found that both the paths of the executable and the path that has been accessed are relative to the container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of which is the container that generated the record. I could compare the uid that generated it with the uids set for the containers, but it seems an ugly solution.

Can audit be configured for logging the absolute paths, or give me a hint of the container that generated the record?

Best regards
Michele
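
The uid comparison mentioned in the message can be scripted on the host. The following is an added example, not part of the original message: it assumes LXC 1.x/2.0 `lxc.id_map` lines and host-side uids in the audit records, and the container names, uid ranges, log lines and the helper names `uid_ranges` and `attribute` are constructed for illustration.

```python
import re

# Constructed container configs. Assumption: LXC 1.x/2.0 "lxc.id_map" lines of the
# form "u <container_start> <host_start> <count>"; names and ranges are made up.
CONFIGS = {
    "mycontainer": "lxc.id_map = u 0 100000 65536\nlxc.id_map = g 0 100000 65536\n",
    "othercontainer": "lxc.id_map = u 0 200000 65536\nlxc.id_map = g 0 200000 65536\n",
}
# Constructed host audit records: exe and name are container-relative, uid is host-side.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1467307641.101:812): syscall=2 success=yes auid=4294967295 uid=100000 comm="ls" exe="/bin/ls" key="lxc-etc"
type=PATH msg=audit(1467307641.101:812): item=0 name="/etc/passwd" nametype=NORMAL
type=SYSCALL msg=audit(1467307655.440:813): syscall=2 success=yes auid=4294967295 uid=201000 comm="cat" exe="/bin/cat" key="lxc-etc"
type=PATH msg=audit(1467307655.440:813): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1467307660.002:814): syscall=2 success=yes auid=1000 uid=1000 comm="vi" exe="/usr/bin/vi" key="lxc-etc"
type=PATH msg=audit(1467307660.002:814): item=0 name="/var/lib/lxc/mycontainer/rootfs/etc/hosts" nametype=NORMAL
"""

IDMAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*u\s+(\d+)\s+(\d+)\s+(\d+)", re.M)
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def uid_ranges(configs):
    """Return (host_start, host_end, container_start, name) for every uid mapping."""
    return [(int(h), int(h) + int(n), int(c), name)
            for name, text in configs.items()
            for c, h, n in IDMAP_RE.findall(text)]

def attribute(log, configs, rootfs="/var/lib/lxc/{}/rootfs"):
    """Group records by event serial, then tag each event with its container."""
    events = {}
    for line in log.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        ev = events.setdefault(serial.group(1), {"uid": None, "exe": None, "paths": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev["uid"], ev["exe"] = int(fields["uid"]), fields["exe"]
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields["name"])
    ranges = uid_ranges(configs)
    for ev in events.values():
        hit = next((r for r in ranges if ev["uid"] is not None and r[0] <= ev["uid"] < r[1]), None)
        ev["container"], ev["container_uid"] = (hit[3], ev["uid"] - hit[0] + hit[2]) if hit else (None, None)
        if hit:  # rewrite container-relative paths to host-absolute ones
            root = rootfs.format(hit[3])
            ev["exe"], ev["paths"] = root + ev["exe"], [root + p for p in ev["paths"]]
    return events
```

Events whose uid falls outside every mapped range (a host process touching the rootfs directly) come back with `container` set to `None` and their paths untouched.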