On 15/11/03, Gulland, Scott A wrote:
> Does the audit framework work with linux namespaces?

The quick answer is "Some". I am not aware of any restrictions on running audit services in MNT, UTS or IPC namespaces. The upstream kernel has support for running auditd in any network namespace. Additionally, processes with CAP_AUDIT_WRITE (generally to send AUDIT_USER_* class messages) can send from any PID namespace, but auditd is not permitted to run anywhere other than in the initial PID namespace. There is no support for any audit services from any USER namespace other than initial due to serious concerns with security, policy and experience still accumulating in that area. There are expectations that this latter will be supported in the future, but that needs planning, execution and thorough testing.

I hope this helps answer your question. I note you didn't ask about audit working in containers, which is a harder question to answer clearly due to the definition of "container". The last point made in the paragraph above will get us closer to supporting audit services in Linux containers.

> Scott Gulland

- RGB

--
Richard Guy Briggs <rbri...@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
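As an added illustration of the CAP_AUDIT_WRITE point in the reply above (example code written for this page, not from the post or the audit project), the C program below builds an AUDIT_USER-class record, sends it over NETLINK_AUDIT and reads the kernel's ack, which is where the capability and user-namespace refusals the reply describes actually surface. The function names are ours, and the record type value is assumed from libaudit rather than taken from the post.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Free-form record type from a trusted application. The kernel uapi header only
 * defines the AUDIT_FIRST_USER_MSG..AUDIT_LAST_USER_MSG range; 1121 is assumed from libaudit.h. */
#define AUDIT_TRUSTED_APP_TYPE 1121

union audit_buf { struct nlmsghdr h; char raw[NLMSG_SPACE(1024)]; }; /* keeps the header aligned */

/* Build one AUDIT_USER-class request with `text` (NUL included) as its payload.
 * Returns nlmsg_len, the byte count to send, or -1 if the text does not fit. */
int build_audit_user_msg(union audit_buf *b, int type, const char *text)
{
    size_t payload = strlen(text) + 1;
    if (NLMSG_SPACE(payload) > sizeof b->raw)
        return -1;
    memset(b->raw, 0, NLMSG_SPACE(payload));
    b->h.nlmsg_len   = NLMSG_LENGTH(payload);
    b->h.nlmsg_type  = (unsigned short)type;
    b->h.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;   /* ask the kernel for an explicit ack */
    b->h.nlmsg_seq   = 1;
    b->h.nlmsg_pid   = 0;                           /* port id is autobound by the kernel */
    memcpy(NLMSG_DATA(&b->h), text, payload);
    return (int)b->h.nlmsg_len;
}

/* Send the record and read the kernel's NLMSG_ERROR ack. Returns 0 if accepted, else -1 with
 * errno set: EPERM without CAP_AUDIT_WRITE, ECONNREFUSED from a non-initial user namespace,
 * EPROTONOSUPPORT on a kernel without audit. sendto() succeeds even when the record is refused. */
int send_audit_user_msg(int type, const char *text)
{
    union audit_buf b;
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK, .nl_pid = 0 };  /* nl_pid 0 = kernel */
    struct nlmsgerr *ack; ssize_t n; int fd;
    int len = build_audit_user_msg(&b, type, text);
    if (len < 0) { errno = EMSGSIZE; return -1; }
    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT)) < 0) return -1;
    if (sendto(fd, b.raw, (size_t)len, 0, (struct sockaddr *)&kern, sizeof kern) < 0) { close(fd); return -1; }
    n = recv(fd, b.raw, sizeof b.raw, 0);           /* the ack; error acks may be truncated here */
    close(fd);
    if (n < (ssize_t)NLMSG_LENGTH(sizeof *ack) || b.h.nlmsg_type != NLMSG_ERROR)
        { errno = EPROTO; return -1; }
    ack = NLMSG_DATA(&b.h);
    if (ack->error) { errno = -ack->error; return -1; }   /* kernel reports a negative errno */
    return 0;
}
```

Calling send_audit_user_msg() as an unprivileged user, from inside a user namespace, and with CAP_AUDIT_WRITE in the initial namespaces shows the three outcomes the reply describes (EPERM, ECONNREFUSED, and acceptance).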