On Mon, 2014-12-15 at 16:14 -0500, Steve Grubb wrote: > We don't want any events from within a container unless we also > have an audit name space. Everything inside the container is potentially > operating out side the security policy of the system.
I am not arguing with any of the substance/meaning of what you intend in any way. However, every time someone uses the word 'container' they are severely mis-characterizing the problem space. There are no containers. It's even worse to say 'container' than it is to say 'the path.' Containers are a userspace construct made out of numerous disjoint kernel primitives (mainly the numerous namespaces). The kernel does not, can not, and will not every know about a 'container.' This MUST be a key concept when we think about how to make audit work in a world where people want to use kernel namespaces. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
