From: Michele Giacomoli
Subject: Re: Audit, lxc containers and logged paths
Date: Fri, 1 Jul 2016 09:40:11 +0200
Message-ID: <57761E5B.9000103@mynet.it>
References: <57755679.7090007@mynet.it> <20160630180914.GD27725@madcap2.tricolour.ca>
In-Reply-To: <20160630180914.GD27725@madcap2.tricolour.ca>
To: linux-audit@redhat.com

Got it. Thank you very much, Richard.

On 30/06/2016 20:09, Richard Guy Briggs wrote:
> On 2016-06-30 19:27, Michele Giacomoli wrote:
>> Hello everybody,
> Hi Michele,
>
>> I need to watch folders inside unprivileged linux containers. From
>> what I know it's not possible to run audit inside an lxc guest, so I
>> set up audit inside the host to log access to dirs using absolute
>> path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
>> giving a look at the logs I found that both the paths of the
>> executable and the path that has been accessed are relative to the
>> container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
>> which is the container that generated the record. I could compare
>> the uid that generated it with the uids set for the containers, but
>> it seems an ugly solution.
>
> General topics surrounding this sort of issue have been discussed on
> this list over the last couple of years. The way things are currently
> set up, you are correct in the current way to address this problem. The
> kernel currently has no concept of containers.
>
>> Can audit be configured for logging the absolute paths, or give me a
>> hint of the container that generated the record?
> There have been some proposals to address this sort of challenge, but
> there is no consensus yet. I'm doing a presentation at the Linux
> Security Summit in Toronto this year in August that will touch on some
> of these issues and how we might address them. Some approaches document
> the namespaces of events and others allow audit to run in the container.
>
> (As to the follow-on reply, at this point the distribution is irrelevant
> since it isn't in the upstream kernel yet.)
>
>> Michele
> - RGB
>
> --
> Richard Guy Briggs
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
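The uid-to-container comparison Michele describes above (and Richard confirms is the only way to attribute records today), worked through as an added example that is not part of this thread. It assumes LXC's `u <container-start> <host-start> <count>` uid map syntax (`lxc.idmap` / `lxc.id_map`) and uses constructed audit.log records and id maps; the watch key `lxc-etc` is also an assumption.

```python
"""Attribute host-side audit records to LXC containers by uid range (added example, not from the thread)."""
import re

# Constructed per-container uid maps in LXC "u <cstart> <hstart> <count>" form
# (lxc.idmap / lxc.id_map syntax; real values come from each container's config).
CONTAINER_IDMAPS = {
    "mycontainer": "u 0 100000 65536",
    "othercontainer": "u 0 165536 65536",
}

# Constructed audit.log records: a container process and a host process touching
# files under the watched rootfs; note the container-relative name= path.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1467357611.123:501): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=4100 pid=4123 auid=4294967295 uid=100000 gid=100000 euid=100000 comm="ls" exe="/bin/ls" key="lxc-etc"
type=PATH msg=audit(1467357611.123:501): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=100000 ogid=100000
type=SYSCALL msg=audit(1467357612.456:502): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2100 pid=2177 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat" key="lxc-etc"
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_idmap(spec):
    """Return (host_start, count) for a 'u <cstart> <hstart> <count>' uid map entry."""
    kind, _cstart, hstart, count = spec.split()
    if kind != "u":
        raise ValueError("only uid maps are handled here")
    return int(hstart), int(count)

def container_for_uid(uid, idmaps=CONTAINER_IDMAPS):
    """Name the container whose subordinate uid range contains uid; None for host uids."""
    for name, spec in idmaps.items():
        hstart, count = parse_idmap(spec)
        if hstart <= uid < hstart + count:
            return name
    return None

def attribute_records(log_text, idmaps=CONTAINER_IDMAPS):
    """Map each SYSCALL record to its container; returns {event_id: (uid, container)}."""
    result = {}
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        if fields.get("type") != "SYSCALL":
            continue
        event_id = fields["msg"].split(":")[1].rstrip(")")  # msg=audit(<time>:<id>):
        uid = int(fields["uid"])
        result[event_id] = (uid, container_for_uid(uid, idmaps))
    return result

if __name__ == "__main__":
    for eid, (uid, name) in attribute_records(SAMPLE_LOG).items():
        print(eid, uid, name or "host")
```

Pairing this with the PATH record of the same event id gives the container-relative path plus the container name, which is what the host-side watch alone cannot tell you.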