On 05/14/2015 09:57 AM, Steve Grubb wrote:
Also, if the host OS cannot make sense of the information being logged because the pid maps to another process name, or a uid maps to another user, or a file access maps to something not in the host's, then we need the container to do its own auditing and resolve these mappings and optionally pass these to an aggregation server. Nothing else makes sense.

+1

Except, being that it IS a container, I'd say that for anyone who cares about the audited data, the passing to an aggregation server would not be optional.
At least not for any use-case I can envision.

LCB

--
LC (Lenny) Bruzenak
le...@magitekltd.com
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit