On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgr...@redhat.com> wrote:
> On Wed, 3 Feb 2016 15:34:09 +0530
> Sowndarya K <sowndarya...@gmail.com> wrote:
>> I am running a docker container without privileges, and now `service
>> auditd start` fails to execute even when I add capabilities to docker.
>> Please try to help me as early as possible.
>
> If auditd is being run inside a container, then it has problems because
> the audit subsystem inside the kernel isn't container aware/namespaced.
> I have recently made changes to auditd in svn for the next release which
> allow auditd to run as a log _aggregator_ inside a container. This
> means it has no knowledge of events coming from within the container
> but can act as an aggregator for systems doing remote logging.

To add some commentary to this: we are not going to namespace the audit
subsystem like other subsystems, but making audit *aware* of namespaces is
on the todo list.

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit