* Audit Framework and namespaces
From: Gulland, Scott A @ 2015-11-03 17:34 UTC
To: linux-audit@redhat.com, Gulland, Scott A

Does the audit framework work with linux namespaces?

Scott Gulland
HP Networking, CEB R&D
916.785.1497
Hewlett-Packard Company
8000 Foothills Blvd; MS - 5505
Roseville, CA 95747 USA
* Re: Audit Framework and namespaces
From: Paul Moore @ 2015-11-03 19:04 UTC
To: Gulland, Scott A; +Cc: linux-audit@redhat.com

On Tue, Nov 3, 2015 at 12:34 PM, Gulland, Scott A <scott.gulland@hpe.com> wrote:
> Does the audit framework work with linux namespaces?

I'm sorry, you'll have to be more specific than that; what exactly are
you interested in with respect to audit and namespaces?

--
paul moore
www.paul-moore.com
* Re: Audit Framework and namespaces
From: Richard Guy Briggs @ 2015-11-03 19:44 UTC
To: Gulland, Scott A; +Cc: linux-audit@redhat.com

On 15/11/03, Gulland, Scott A wrote:
> Does the audit framework work with linux namespaces?

The quick answer is "Some".

I am not aware of any restrictions on running audit services in MNT, UTS
or IPC namespaces. The upstream kernel has support for running auditd in
any network namespace. Additionally, processes with CAP_AUDIT_WRITE
(generally to send AUDIT_USER_* class messages) can send from any PID
namespace, but auditd is not permitted to run anywhere other than in the
initial PID namespace. There is no support for any audit services from
any USER namespace other than initial due to serious concerns with
security, policy and experience still accumulating in that area. There
are expectations that this latter will be supported in the future, but
that needs planning, execution and thorough testing.

I hope this helps answer your question. I note you didn't ask about audit
working in containers, which is a harder question to answer clearly due
to the definition of "container". The last point made in the paragraph
above will get us closer to supporting audit services in Linux containers.

> Scott Gulland

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
* RE: Audit Framework and namespaces
From: Gulland, Scott A @ 2015-12-08 4:14 UTC
To: Richard Guy Briggs, Gulland, Scott A; +Cc: linux-audit@redhat.com

Thanks Richard. Your answer was indeed helpful. I was assigned to work on
Open Switch in late October and to investigate providing an audit trail
feature. Open Switch is a Linux based embedded Network Operating System.
After some research on audit functionality on Linux, the obvious choice
was to leverage the Audit Framework. There was a question raised as to
whether there was a namespace incompatibility, but since Open Switch only
uses network namespaces, that doesn't appear to be an issue.

What we need to do is log who did what for any operation that changes the
switch configuration. We have a variety of ways to modify the switch's
configuration: REST, CLI, OVSDB API, and others. We want to use the audit
library calls to log these changes. Is this reasonable?

It took a month to get an Open Switch linux image put together that
contains the audit framework. I've just started playing with it and have
noticed that "auditd" exits with an error when running in a docker
container. Open Switch uses a docker container with a linux image which
has a switch simulator that is used for development. Of course the actual
released environment is using real switch hardware on a non-container
based linux image. It appears that the audit framework does not work in a
docker container. Are there plans to add support for containers or are
there some magic instructions for getting auditd to work in a container?

Scott Gulland
916.785.1497
HPE Networking, CEB R&D
* Re: Audit Framework and namespaces
From: Richard Guy Briggs @ 2015-12-08 16:10 UTC
To: Gulland, Scott A; +Cc: linux-audit@redhat.com

On 15/12/08, Gulland, Scott A wrote:
> Thanks Richard.

Scott, glad to be of service.

> Your answer was indeed helpful. I was assigned to work on Open Switch
> in late October and to investigate providing an audit trail feature.
> Open Switch is a Linux based embedded Network Operating System.
> After some research on audit functionality on Linux, the obvious
> choice was to leverage the Audit Framework. There was a question
> raised as to whether there was a namespace incompatibility, but since
> Open Switch only uses network namespaces, that doesn't appear to be an
> issue.

So it should just work.

> What we need to do is log who did what for any operation that changes
> the switch configuration. We have a variety of ways to modify the
> switch's configuration: REST, CLI, OVSDB API, and others. We want to
> use the audit library calls to log these changes. Is this
> reasonable?

I don't see a particular problem. Jamal (Hadi Salim) was talking about
something similar for his FORCES work at Mojatatu.

> It took a month to get an Open Switch linux image put together that
> contains the audit framework. I've just started playing with it and
> have noticed that "auditd" exits with an error when running in a docker
> container. Open Switch uses a docker container with a linux image
> which has a switch simulator that is used for development. Of
> course the actual released environment is using real switch hardware
> on a non-container based linux image. It appears that the audit
> framework does not work in a docker container. Are there plans to
> add support for containers or are there some magic instructions for
> getting auditd to work in a container?

I assume that docker containers at least spawn a PID namespace and
attempt to use CAP_AUDIT_CONTROL, so that would explain why it won't
work. As outlined in my first reply, there are ideas to support PID
namespaces, but there is no detailed design yet.

Again, the definition of a container comes into it as well, but we think
we have a reasonable understanding of the needs of docker containers and
have an idea how to get there. User namespaces are further off, but I
don't believe they are needed for docker at this point.

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
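The exchange above leaves implicit what "the audit library calls" do and why they keep working from a PID namespace while auditd does not: an AUDIT_USER_* class record is a single netlink message to the kernel, gated only by CAP_AUDIT_WRITE, and the kernel answers with an ACK carrying an errno. The following is an added example, not code from this thread, from OpenSwitch or from libaudit, that builds a switch-configuration record in the same field layout libaudit's audit_log_user_message() emits and sends it over NETLINK_AUDIT using only the Python standard library; the operation name, account and path values are constructed, and AUDIT_USYS_CONFIG (1111) and the escaping rule for untrusted fields follow libaudit's conventions.

```python
import errno, socket, struct

# Constants from <linux/netlink.h> and <linux/audit.h>.
NETLINK_AUDIT, NLMSG_ERROR, NLMSG_HDRLEN = 9, 2, 16
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
AUDIT_USYS_CONFIG = 1111  # AUDIT_USER_* class record: system config change

def encode_nv(name, value):
    """Escape like libaudit's audit_encode_nv_string(): quote safe values and
    hex-encode anything holding a space, quote, control or non-ASCII byte."""
    raw = value.encode("utf-8", "surrogateescape")
    if any(b < 0x21 or b > 0x7E or b == 0x22 for b in raw):
        return name + "=" + raw.hex().upper()
    return name + '="' + value + '"'

def build_config_record(op, acct, exe="?", hostname="?", addr="?", tty="?",
                        success=True):
    """Field layout of audit_log_user_message(); op is a fixed token chosen in
    code, acct arrives from the REST/CLI/OVSDB caller and so gets escaped."""
    return " ".join(["op=" + op, encode_nv("acct", acct), "exe=" + exe,
                     "hostname=" + hostname, "addr=" + addr, "terminal=" + tty,
                     "res=" + ("success" if success else "failed")])

def pack_netlink(msg_type, payload, seq):
    """struct nlmsghdr + NUL-terminated record for the kernel (pid 0), with NLM_F_ACK."""
    body = payload + b"\0"
    return struct.pack("=IHHII", NLMSG_HDRLEN + len(body), msg_type,
                       NLM_F_REQUEST | NLM_F_ACK, seq, 0) + body

def unpack_header(packet):
    return struct.unpack("=IHHII", packet[:NLMSG_HDRLEN])

def parse_ack(reply):
    """errno carried by the kernel's NLMSG_ERROR reply (0 means accepted)."""
    if unpack_header(reply)[1] != NLMSG_ERROR:
        return 0
    return -struct.unpack("=i", reply[NLMSG_HDRLEN:NLMSG_HDRLEN + 4])[0]

def log_config_change(record, seq=1):
    """Send one AUDIT_USYS_CONFIG record. Returns 0, or the errno the kernel
    reported: EPERM when the sender lacks CAP_AUDIT_WRITE, as in a container."""
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    except (AttributeError, OSError):  # no audit netlink on this host
        return errno.ENOSYS
    with sock:
        sock.settimeout(2)
        sock.sendto(pack_netlink(AUDIT_USYS_CONFIG, record.encode(), seq), (0, 0))
        return parse_ack(sock.recv(8192))
```

Calling `log_config_change(build_config_record("vlan-add", "admin", exe="/usr/bin/ops-restd", hostname="sw1", addr="10.0.0.5", tty="pts/0"))` on a host with auditd in the initial PID namespace returns 0 and the record shows up in `ausearch -m USYS_CONFIG`; the same call from a container without CAP_AUDIT_WRITE returns errno.EPERM rather than silently dropping the event.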
* Re: Audit Framework and namespaces
From: Steve Grubb @ 2015-12-08 16:23 UTC
To: linux-audit; +Cc: Richard Guy Briggs

On Tuesday, December 08, 2015 11:10:56 AM Richard Guy Briggs wrote:
> On 15/12/08, Gulland, Scott A wrote:
> > It took a month to get an Open Switch linux image put together that
> > contains the audit framework. I've just started playing with it and
> > have noticed that "auditd" exits with an error when running in a docker
> > container. Open Switch uses a docker container with a linux image
> > which has a switch simulator that is used for development. Of
> > course the actual released environment is using real switch hardware
> > on a non-container based linux image. It appears that the audit
> > framework does not work in a docker container. Are there plans to
> > add support for containers or are there some magic instructions for
> > getting auditd to work in a container?
>
> I assume that docker containers at least spawn a PID namespace and
> attempt to use CAP_AUDIT_CONTROL, so that would explain why it won't
> work. As outlined in my first reply, there are ideas to support PID
> namespaces, but there is no detailed design yet.
>
> Again, the definition of a container comes into it as well, but we think
> we have a reasonable understanding of the needs of docker containers and
> have an idea how to get there. User namespaces are further off, but I
> don't believe they are needed for docker at this point.

And further to the point, right now, we don't want events from inside the
container going to the system audit daemon. It potentially has no idea
what a pid, network, uid, gid, or hostname maps to. These have to be
resolved inside the container and then aggregated at the system daemon or
datacenter aggregator.

-Steve