Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Sowndarya K <sowndaryak18@gmail.com>, Linux-audit@redhat.com
Subject: Re: Regarding Auditd fails to start
Date: Wed, 3 Feb 2016 11:01:57 -0500	[thread overview]
Message-ID: <20160203160157.GC27528@madcap2.tricolour.ca> (raw)
In-Reply-To: <CAHC9VhRu-usMcebuG0+wpF-viY9xbBTRV1G6XP90pit-D22xrg@mail.gmail.com>

On 16/02/03, Paul Moore wrote:
> On Wed, Feb 3, 2016 at 9:08 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wed, 3 Feb 2016 07:57:52 -0500
> > Paul Moore <paul@paul-moore.com> wrote:
> >
> >> On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> >> > On Wed, 3 Feb 2016 15:34:09 +0530
> >> > Sowndarya K <sowndaryak18@gmail.com> wrote:
> >> >> I am running docker container without privileges and now service
> >> >> auditd start fails to execute even I add capabilities to docker.
> >> >> please try to help me as early as possible
> >> >
> >> > If auditd is being run inside a container, then it has problems
> >> > because the audit subsystem inside the kernel isn't container
> >> > aware/namespaced. I have recently made changes to auditd in svn for
> >> > the next release which allows auditd to run as a log _aggregator_
> >> > inside a container. This means it has no knowledge of events coming
> >> > from within the container but can act as an aggregator for systems
> >> > doing remote logging.
> >>
> >> To add some commentary to this: we are not going to namespace the
> >> audit subsystem like other subsystems, but making audit *aware* of
> >> namespaces is on the todo list.
> >
> > OK. Suppose I go out and rent a virtualized server with root access for
> > my web site. Turns out the company that is leasing me time used
> > containers as their method of virtualizing. my web site runs fine in a
> > container so no big deal. However, as a customer, I would want access
> > to the logs for my container directly in the container. As a matter of
> > fact, its a PCI-DSS requirement to have access to those logs.
> >
> > I really think the audit system _has to be_ namespaced, somehow, for
> > compliance reasons.
> 
> Having access to audit events generated inside a namespace (or set of
> namespaces to be more specific), and only generated inside a namespace
> (or set of ...), does not require the audit subsystem to be
> namespaced; however, it does require the audit subsystem to recognize
> namespaces and associate them with events so that they can be tagged
> and routed accordingly.  Based on previous conversations, I suspect we
> have the same goals/ideas and are just using different terminology.  I
> wouldn't worry too much about it at this point as that work is still
> in the early stages.

I'm late in the conversation, but "what Steve and Paul said".  A number
of discussions have already happenned concerning this idea and the goal
is to have auditd be able to run pretty much seamlessly inside a
container without influencing or compromising the auditd running in the
parent namespace(s).  From what we have discussed, it appears most
likely that auditd will be anchored one per user namespace.

> paul moore

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

  reply	other threads:[~2016-02-03 16:01 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-03 10:04 Regarding Auditd fails to start Sowndarya K
2016-02-03 11:16 ` Steve Grubb
2016-02-03 12:57   ` Paul Moore
2016-02-03 14:08     ` Steve Grubb
2016-02-03 14:27       ` Paul Moore
2016-02-03 16:01         ` Richard Guy Briggs [this message]
     [not found]           ` <CAKc3OY1JUXH82o6G+W_Ue7zBBGe-dgGw3OEgTqn+iOwmFaWfsw@mail.gmail.com>
2016-02-04 10:15             ` Richard Guy Briggs

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160203160157.GC27528@madcap2.tricolour.ca \
    --to=rgb@redhat.com \
    --cc=Linux-audit@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=sowndaryak18@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox