audit watch rules and docker containers

Sat, 03 Mar 2018 00:52:37 -0800 

Hello Auditd'ers,



I am running a privileged container with pid, net, uts space shared with the 
host. The need is to be able to set file watch rules from the container say 
-k /etc -p rw -k containter_rule
and then look for read/write access to files/directories in /var/log/audit/*.
What I am finding is there are no watch events being logged
If I set the same audit watch rule from the host (and not being in the 
privileged container) I am able to get audit events
Using nsenter to switch namespace (nsenter -t 1 auditctl -k /etc -p rw -k 
containter_rule) does not help either
I suspect the mnt namespace is different which is causing this oddity in 
behavior
looking at container process namespace -
test@ubuntu-16:~/audit$ sudo ls -latr  /proc/26050/ns[sudo] password for 
test:total 0dr-xr-xr-x 9 root root 0 Mar  2 16:58 ..dr-x--x--x 2 root root 0 
Mar  2 17:46 .lrwxrwxrwx 1 root root 0 Mar  2 17:46 uts -> 
uts:[4026531838]lrwxrwxrwx 1 root root 0 Mar  2 17:46 user -> 
user:[4026531837]lrwxrwxrwx 1 root root 0 Mar  2 17:46 pid -> 
pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar  2 17:46 net -> 
net:[4026531957]lrwxrwxrwx 1 root root 0 Mar  2 17:46 mnt -> 
mnt:[4026532517]lrwxrwxrwx 1 root root 0 Mar  2 17:46 ipc -> 
ipc:[4026532518]lrwxrwxrwx 1 root root 0 Mar  2 17:46 cgroup -> 
cgroup:[4026531835]
looking at init process namespace -

test@ubuntu-16:~/audit$ sudo ls -latr  /proc/1/nstotal 0dr-xr-xr-x 9 root root 
0 Mar  2 10:37 ..lrwxrwxrwx 1 root root 0 Mar  2 10:38 mnt -> 
mnt:[4026531840]dr-x--x--x 2 root root 0 Mar  2 10:38 .lrwxrwxrwx 1 root root 0 
Mar  2 16:47 uts -> uts:[4026531838]lrwxrwxrwx 1 root root 0 Mar  2 16:47 user 
-> user:[4026531837]lrwxrwxrwx 1 root root 0 Mar  2 16:47 pid -> 
pid:[4026531836]lrwxrwxrwx 1 root root 0 Mar  2 16:47 net -> 
net:[4026531957]lrwxrwxrwx 1 root root 0 Mar  2 16:47 ipc -> 
ipc:[4026531839]lrwxrwxrwx 1 root root 0 Mar  2 16:47 cgroup -> 
cgroup:[4026531835]
Can someone please suggest with some thoughts on how to make this work.
Thanks,Rakesh   
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to