From: Richard Guy Briggs <rgb@redhat.com>
To: Daniel Walsh <dwalsh@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: "service auditd start" fails inside a container
Date: Tue, 2 May 2023 09:27:31 -0400 [thread overview]
Message-ID: <ZFEPw2k8KLcbbO0K@madcap2.tricolour.ca> (raw)
In-Reply-To: <c7d87c7c-f475-eb90-e4ba-8bb13c035488@redhat.com>
On 2023-05-01 11:01, Daniel Walsh wrote:
> On 4/28/23 14:48, Steve Grubb wrote:
> > On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote:
> > > May I ask if Auditd supports Docker? Thank you
> > > https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html
> > There is no active work that I know of to put auditd in a container. It's
> > libraries are used by many applications. So, I don't know what use it would
> > be to containerize it.
> >
> > And if you are asking if auditd can audit events in a container, I think that
> > answer is also no.
> >
> > -Steve
>
> I don't believe there is anything to prevent auditd from running within a
> container. You can turn up and down the container to many different levels
> or security separation. There will be some security things that need to be
> turned off.
>
> Running a contianer privileged will turn off almost everything form a
> security perspective, and then running with some of the namespaces shared
> with the host.
>
> Something like
>
> podman run --privileged --network=host --pid=host ... auditimage
>
> Should work.
>
> Later tightening up the security should also be possible, but you would need
> to know what auditd needs access to.
>
> With all that said, I am not sure what you are trying to achieve by
> containerizing the audit daemon.
Audit currently requires access to the root userspace and pid
namespaces, so if the container shares those with the host, it should
run.
There are work items to address this, but they haven't been started in
ernest yet:
https://github.com/linux-audit/audit-kernel/issues/93
dependancies:
https://github.com/linux-audit/audit-kernel/issues/90
https://github.com/linux-audit/audit-kernel/issues/91
https://github.com/linux-audit/audit-kernel/issues/92
https://github.com/linux-audit/audit-kernel/issues/75
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2023-05-02 13:27 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-28 7:54 Re: "service auditd start" fails inside a container 江杨
2023-04-28 14:12 ` Paul Moore
2023-04-28 18:48 ` Steve Grubb
2023-04-30 0:20 ` 江杨
2023-05-01 15:01 ` Daniel Walsh
2023-05-02 13:27 ` Richard Guy Briggs [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-07-19 18:16 Venkata Neehar Kurukunda
2018-07-19 18:53 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZFEPw2k8KLcbbO0K@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=dwalsh@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).