From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Regarding Auditd fails to start
Date: Wed, 3 Feb 2016 15:08:27 +0100
Message-ID: <20160203150827.0a154257@ivy-bridge>
References: <CAKc3OY0QkeBYdbeG=_HEmTMetXThLV22W1qKzQ_ueSkWQLOgdQ@mail.gmail.com>
	<20160203121619.5b293913@ivy-bridge>
	<CAHC9VhQkrfCwwhh2x1pfGb1bpBjWCvhGwuw_PwBL4zzhqcNcUQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CAHC9VhQkrfCwwhh2x1pfGb1bpBjWCvhGwuw_PwBL4zzhqcNcUQ@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Paul Moore <paul@paul-moore.com>
Cc: Sowndarya K <sowndaryak18@gmail.com>, Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 3 Feb 2016 07:57:52 -0500
Paul Moore <paul@paul-moore.com> wrote:

> On Wed, Feb 3, 2016 at 6:16 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Wed, 3 Feb 2016 15:34:09 +0530
> > Sowndarya K <sowndaryak18@gmail.com> wrote:  
> >> I am running docker container without privileges and now service
> >> auditd start fails to execute even I add capabilities to docker.
> >> please try to help me as early as possible  
> >
> > If auditd is being run inside a container, then it has problems
> > because the audit subsystem inside the kernel isn't container
> > aware/namespaced. I have recently made changes to auditd in svn for
> > the next release which allows auditd to run as a log _aggregator_
> > inside a container. This means it has no knowledge of events coming
> > from within the container but can act as an aggregator for systems
> > doing remote logging.  
> 
> To add some commentary to this: we are not going to namespace the
> audit subsystem like other subsystems, but making audit *aware* of
> namespaces is on the todo list.

OK. Suppose I go out and rent a virtualized server with root access for
my web site. Turns out the company that is leasing me time used
containers as their method of virtualizing. my web site runs fine in a
container so no big deal. However, as a customer, I would want access
to the logs for my container directly in the container. As a matter of
fact, its a PCI-DSS requirement to have access to those logs.

I really think the audit system _has to be_ namespaced, somehow, for
compliance reasons.

-Steve