From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michele Giacomoli <michele.giacomoli@mynet.it>
Subject: Re: Audit, lxc containers and logged paths
Date: Thu, 30 Jun 2016 19:40:09 +0200
Message-ID: <57755979.6060609@mynet.it>
References: <57755679.7090007@mynet.it>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx10.extmail.prod.ext.phx2.redhat.com
	[10.5.110.39])
	by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id u5UHeDZE031182
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO)
	for <linux-audit@redhat.com>; Thu, 30 Jun 2016 13:40:13 -0400
Received: from smtp14.mynet.it (smtp13.mynet.it [80.68.177.181])
	by mx1.redhat.com (Postfix) with SMTP id B9CB764D20
	for <linux-audit@redhat.com>; Thu, 30 Jun 2016 17:40:10 +0000 (UTC)
In-Reply-To: <57755679.7090007@mynet.it>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Sorry, forgot to mention:
Host is Ubuntu 14.04, while guests are different Ubuntu versions
Audit is installed from Ubuntu repos (version 1:2.3.2-2ubuntu1)

Thank you

Il 30/06/2016 19:27, Michele Giacomoli ha scritto:
> Hello everybody,
>
> I need to watch folders inside unprivileged linux containers. From 
> what I know it's not possible to run audit inside a lxc guest, so I 
> set up audit inside the host to log access to dirs using absolute path 
> (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a 
> look at the logs I found that both the paths of the executable and the 
> path that has been accessed are relative to the container (i.e. 
> /bin/ls and /etc/passwd), so I don't have a clue of which is the 
> container that generated the record. I could compare the uid that 
> generated it whith the uids set for the containers, but it seems an 
> ugly solution.
>
> Can audit be configured for logging the absolute paths, or give me a 
> hint of the container that generated the record?
>
> Best regards
> Michele