Hello Auditd'ers,
I am running a privileged container with pid, net, uts space shared with the host. The need is to be able to set file watch rules from the container say -k /etc -p rw -k containter_rule and then look for read/write access to files/directories in /var/log/audit/*. What I am finding is there are no watch events being logged If I set the same audit watch rule from the host (and not being in the privileged container) I am able to get audit events Using nsenter to switch namespace (nsenter -t 1 auditctl -k /etc -p rw -k containter_rule) does not help either I suspect the mnt namespace is different which is causing this oddity in behavior looking at container process namespace - test@ubuntu-16:~/audit$ sudo ls -latr /proc/26050/ns[sudo] password for test:total 0dr-xr-xr-x 9 root root 0 Mar 2 16:58 ..dr-x--x--x 2 root root 0 Mar 2 17:46 .lrwxrwxrwx 1 root root 0 Mar 2 17:46 uts -> uts:[4026531838]lrwxrwxrwx 1 root root 0 Mar 2 17:46 user -> user:[4026531837]lrwxrwxrwx 1 root root 0 Mar 2 17:46 pid -> pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar 2 17:46 net -> net:[4026531957]lrwxrwxrwx 1 root root 0 Mar 2 17:46 mnt -> mnt:[4026532517]lrwxrwxrwx 1 root root 0 Mar 2 17:46 ipc -> ipc:[4026532518]lrwxrwxrwx 1 root root 0 Mar 2 17:46 cgroup -> cgroup:[4026531835] looking at init process namespace - test@ubuntu-16:~/audit$ sudo ls -latr /proc/1/nstotal 0dr-xr-xr-x 9 root root 0 Mar 2 10:37 ..lrwxrwxrwx 1 root root 0 Mar 2 10:38 mnt -> mnt:[4026531840]dr-x--x--x 2 root root 0 Mar 2 10:38 .lrwxrwxrwx 1 root root 0 Mar 2 16:47 uts -> uts:[4026531838]lrwxrwxrwx 1 root root 0 Mar 2 16:47 user -> user:[4026531837]lrwxrwxrwx 1 root root 0 Mar 2 16:47 pid -> pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar 2 16:47 net -> net:[4026531957]lrwxrwxrwx 1 root root 0 Mar 2 16:47 ipc -> ipc:[4026531839]lrwxrwxrwx 1 root root 0 Mar 2 16:47 cgroup -> cgroup:[4026531835] Can someone please suggest with some thoughts on how to make this work. Thanks,Rakesh
-- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit