Re: "service auditd start" fails inside a container
Thank you for your information. Steve Grubb 于2023年4月29日周六 02:49写道: > On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote: > > May I ask if Auditd supports Docker? Thank you > > https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html > > There is no active work that I know of to put auditd in a container. It's > libraries are used by many applications. So, I don't know what use it > would > be to containerize it. > > And if you are asking if auditd can audit events in a container, I think > that > answer is also no. > > -Steve > > > -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: "service auditd start" fails inside a container
On 2023-05-01 11:01, Daniel Walsh wrote: > On 4/28/23 14:48, Steve Grubb wrote: > > On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote: > > > May I ask if Auditd supports Docker? Thank you > > > https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html > > There is no active work that I know of to put auditd in a container. It's > > libraries are used by many applications. So, I don't know what use it would > > be to containerize it. > > > > And if you are asking if auditd can audit events in a container, I think > > that > > answer is also no. > > > > -Steve > > I don't believe there is anything to prevent auditd from running within a > container. You can turn up and down the container to many different levels > or security separation. There will be some security things that need to be > turned off. > > Running a contianer privileged will turn off almost everything form a > security perspective, and then running with some of the namespaces shared > with the host. > > Something like > > podman run --privileged --network=host --pid=host ... auditimage > > Should work. > > Later tightening up the security should also be possible, but you would need > to know what auditd needs access to. > > With all that said, I am not sure what you are trying to achieve by > containerizing the audit daemon. Audit currently requires access to the root userspace and pid namespaces, so if the container shares those with the host, it should run. There are work items to address this, but they haven't been started in ernest yet: https://github.com/linux-audit/audit-kernel/issues/93 dependancies: https://github.com/linux-audit/audit-kernel/issues/90 https://github.com/linux-audit/audit-kernel/issues/91 https://github.com/linux-audit/audit-kernel/issues/92 https://github.com/linux-audit/audit-kernel/issues/75 - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: "service auditd start" fails inside a container
On 4/28/23 14:48, Steve Grubb wrote: On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote: May I ask if Auditd supports Docker? Thank you https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html There is no active work that I know of to put auditd in a container. It's libraries are used by many applications. So, I don't know what use it would be to containerize it. And if you are asking if auditd can audit events in a container, I think that answer is also no. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit I don't believe there is anything to prevent auditd from running within a container. You can turn up and down the container to many different levels or security separation. There will be some security things that need to be turned off. Running a contianer privileged will turn off almost everything form a security perspective, and then running with some of the namespaces shared with the host. Something like podman run --privileged --network=host --pid=host ... auditimage Should work. Later tightening up the security should also be possible, but you would need to know what auditd needs access to. With all that said, I am not sure what you are trying to achieve by containerizing the audit daemon. -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: "service auditd start" fails inside a container
On Friday, April 28, 2023 3:54:32 AM EDT 江杨 wrote: > May I ask if Auditd supports Docker? Thank you > https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html There is no active work that I know of to put auditd in a container. It's libraries are used by many applications. So, I don't know what use it would be to containerize it. And if you are asking if auditd can audit events in a container, I think that answer is also no. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: Re: "service auditd start" fails inside a container
On Fri, Apr 28, 2023 at 8:25 AM 江杨 wrote: > > May I ask if Auditd supports Docker? Thank you > https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html Have you tried the configuration changes suggested in the mailing list post you linked above? -- paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: Re: "service auditd start" fails inside a container
May I ask if Auditd supports Docker? Thank you https://listman.redhat.com/archives/linux-audit/2018-July/msg00078.html -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: "service auditd start" fails inside a container
On Thursday, July 19, 2018 2:16:39 PM EDT Venkata Neehar Kurukunda wrote: > Hi, > > I am writing this email to report an issue while using audit inside a > docker container (with CentOS 7.5 as base layer). It installs fine, but, > when I try to do service auditd start, it fails with the message" > "Redirecting to /bin/systemctl start auditd.service Job for auditd.service > failed because the control process exited with error code. See "systemctl > status auditd.service" and "journalctl -xe" for details." > > The output of the command, systemctl status auditd.service, is: > " > ● auditd.service - Security Auditing Service >Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor > preset: enabled) Active: failed (Result: exit-code) since Thu 2018-07-19 > 18:12:50 UTC; 2min 8s ago Docs: man:auditd(8) >https://github.com/linux-audit/audit-documentation > Process: 12119 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE) > Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Starting Security Auditing > Service... Jul 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Started > dispatcher: /sbin/audispd pid: 12122 Jul 19 18:12:50 wanly1.fyre.ibm.com > auditd[12120]: Error sending status request (Operation not permitted) Jul > 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Error sending enable > request (Operation not permitted) Jul 19 18:12:50 wanly1.fyre.ibm.com > systemd[1]: auditd.service: control process exited, code=exited status=1 > Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Failed to start Security > Auditing Service. Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Unit > auditd.service entered failed state. Jul 19 18:12:50 wanly1.fyre.ibm.com > systemd[1]: auditd.service failed." > > Can someone please help me figure this issue out. At the moment, auditd can be used inside a container only for aggregating logs from other systems. It cannot be used to get events relevant to the cotainer or the host OS. If you want to aggregate only, then set local_events=no in auditd.conf. Container support is still under development. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
"service auditd start" fails inside a container
Hi,I am writing this email to report an issue while using audit inside a docker container (with CentOS 7.5 as base layer). It installs fine, but, when I try to do service auditd start, it fails with the message" "Redirecting to /bin/systemctl start auditd.serviceJob for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details."The output of the command, systemctl status auditd.service, is:" ● auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Thu 2018-07-19 18:12:50 UTC; 2min 8s ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 12119 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE) Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Starting Security Auditing Service...Jul 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Started dispatcher: /sbin/audispd pid: 12122Jul 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Error sending status request (Operation not permitted)Jul 19 18:12:50 wanly1.fyre.ibm.com auditd[12120]: Error sending enable request (Operation not permitted)Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: auditd.service: control process exited, code=exited status=1Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Failed to start Security Auditing Service.Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: Unit auditd.service entered failed state.Jul 19 18:12:50 wanly1.fyre.ibm.com systemd[1]: auditd.service failed."Can someone please help me figure this issue out.Thank you.Best,Venkata Neehar KurukundaSoftware DeveloperIBM Db2 Warehouse -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit