Audit, lxc containers and logged paths

Audit, lxc containers and logged paths

[Michele Giacomoli]

Hello everybody,

I need to watch folders inside unprivileged linux containers. From what 
I know it's not possible to run audit inside a lxc guest, so I set up 
audit inside the host to log access to dirs using absolute path (e.g. 
/var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a look at 
the logs I found that both the paths of the executable and the path that 
has been accessed are relative to the container (i.e. /bin/ls and 
/etc/passwd), so I don't have a clue of which is the container that 
generated the record. I could compare the uid that generated it whith 
the uids set for the containers, but it seems an ugly solution.

Can audit be configured for logging the absolute paths, or give me a 
hint of the container that generated the record?

Best regards
Michele

Re: Audit, lxc containers and logged paths

[Michele Giacomoli]

Sorry, forgot to mention:
Host is Ubuntu 14.04, while guests are different Ubuntu versions
Audit is installed from Ubuntu repos (version 1:2.3.2-2ubuntu1)

Thank you

Il 30/06/2016 19:27, Michele Giacomoli ha scritto:
> Hello everybody,
>
> I need to watch folders inside unprivileged linux containers. From 
> what I know it's not possible to run audit inside a lxc guest, so I 
> set up audit inside the host to log access to dirs using absolute path 
> (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but giving a 
> look at the logs I found that both the paths of the executable and the 
> path that has been accessed are relative to the container (i.e. 
> /bin/ls and /etc/passwd), so I don't have a clue of which is the 
> container that generated the record. I could compare the uid that 
> generated it whith the uids set for the containers, but it seems an 
> ugly solution.
>
> Can audit be configured for logging the absolute paths, or give me a 
> hint of the container that generated the record?
>
> Best regards
> Michele

Re: Audit, lxc containers and logged paths

[Richard Guy Briggs]

On 2016-06-30 19:27, Michele Giacomoli wrote:
> Hello everybody,

Hi Michele,

> I need to watch folders inside unprivileged linux containers. From
> what I know it's not possible to run audit inside a lxc guest, so I
> set up audit inside the host to log access to dirs using absolute
> path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
> giving a look at the logs I found that both the paths of the
> executable and the path that has been accessed are relative to the
> container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
> which is the container that generated the record. I could compare
> the uid that generated it whith the uids set for the containers, but
> it seems an ugly solution.

General topics surrounding this sort of issue have been discussed on
this list over the last couple of year.  The way things are currently
set up you are correct in the current way to address this problem.  The
kernel currently has no concept of containers.

> Can audit be configured for logging the absolute paths, or give me a
> hint of the container that generated the record?

There have been some proposals to address this sort of challenge, but
there is no consensus yet.  I'm doing a presentaiton at the Linux
Security Summit in Toronto this year in August that will touch on some
of these issues and how we might address them.  Some approaches document
the namespaces of events and others allow audit to run in the container.

(As to the follow-on reply, at this point the distribution is irrelevant
since it isn't in the upstream kernel yet.)

> Michele

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

Re: Audit, lxc containers and logged paths

[Michele Giacomoli]

Got it. Thank you very much Richard

Il 30/06/2016 20:09, Richard Guy Briggs ha scritto:
> On 2016-06-30 19:27, Michele Giacomoli wrote:
>> Hello everybody,
> Hi Michele,
>
>> I need to watch folders inside unprivileged linux containers. From
>> what I know it's not possible to run audit inside a lxc guest, so I
>> set up audit inside the host to log access to dirs using absolute
>> path (e.g. /var/lib/lxc/mycontainer/rootfs/etc/) and it works, but
>> giving a look at the logs I found that both the paths of the
>> executable and the path that has been accessed are relative to the
>> container (i.e. /bin/ls and /etc/passwd), so I don't have a clue of
>> which is the container that generated the record. I could compare
>> the uid that generated it whith the uids set for the containers, but
>> it seems an ugly solution.
> General topics surrounding this sort of issue have been discussed on
> this list over the last couple of year.  The way things are currently
> set up you are correct in the current way to address this problem.  The
> kernel currently has no concept of containers.
>
>> Can audit be configured for logging the absolute paths, or give me a
>> hint of the container that generated the record?
> There have been some proposals to address this sort of challenge, but
> there is no consensus yet.  I'm doing a presentaiton at the Linux
> Security Summit in Toronto this year in August that will touch on some
> of these issues and how we might address them.  Some approaches document
> the namespaces of events and others allow audit to run in the container.
>
> (As to the follow-on reply, at this point the distribution is irrelevant
> since it isn't in the upstream kernel yet.)
>
>> Michele
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635