From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Sowndarya K <sowndaryak18@gmail.com>, Linux-audit@redhat.com
Subject: Re: Regarding Auditd fails to start
Date: Wed, 3 Feb 2016 15:08:27 +0100
Message-ID: <20160203150827.0a154257@ivy-bridge>
In-Reply-To: <CAHC9VhQkrfCwwhh2x1pfGb1bpBjWCvhGwuw_PwBL4zzhqcNcUQ@mail.gmail.com>
On Wed, 3 Feb 2016 07:57:52 -0500
Paul Moore <paul@paul-moore.com> wrote:
> On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wed, 3 Feb 2016 15:34:09 +0530
> > Sowndarya K <sowndaryak18@gmail.com> wrote:
> >> I am running a docker container without privileges and now service
> >> auditd start fails to execute even if I add capabilities to docker.
> >> Please try to help me as early as possible.
> >
> > If auditd is being run inside a container, then it has problems
> > because the audit subsystem inside the kernel isn't container
> > aware/namespaced. I have recently made changes to auditd in svn for
> > the next release which allows auditd to run as a log _aggregator_
> > inside a container. This means it has no knowledge of events coming
> > from within the container but can act as an aggregator for systems
> > doing remote logging.
>
> To add some commentary to this: we are not going to namespace the
> audit subsystem like other subsystems, but making audit *aware* of
> namespaces is on the todo list.
OK. Suppose I go out and rent a virtualized server with root access for
my web site. Turns out the company that is leasing me time used
containers as their method of virtualizing. My web site runs fine in a
container so no big deal. However, as a customer, I would want access
to the logs for my container directly in the container. As a matter of
fact, it's a PCI-DSS requirement to have access to those logs.
I really think the audit system _has to be_ namespaced, somehow, for
compliance reasons.
-Steve