Audit Framework and namespaces

Richard Guy Briggs rgb at redhat.com
Tue Nov 3 19:44:25 UTC 2015


On 15/11/03, Gulland, Scott A wrote:
> Does the audit framework work with linux namespaces?

The quick answer is "Some".

I am not aware of any restrictions on running audit services in MNT, UTS
or IPC namespaces.  The upstream kernel has support for running auditd
in any network namespace.  Additionally, processes with CAP_AUDIT_WRITE
(generally to send AUDIT_USER_* class messages) can send from any PID
namespace, but auditd is not permitted to run anywhere other than in the
initial PID namespace.  There is no support for any audit services from
any USER namespace other than initial due to serious concerns with
security, policy and experience still accumulating in that area.  There
are expectations that this latter will be supported in the future, but
that needs planning, execution and thorough testing.

I hope this helps answer your question.  I note you didn't ask about
audit working in containers, which is a harder question to answer
clearly due to the definition of "container".  The last point made in
the paragraph above will get us closer to supporting audit services in
Linux containers.

> Scott Gulland

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
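As an added illustration (not part of this thread or of the audit project's code), the framing a CAP_AUDIT_WRITE holder uses to emit an AUDIT_USER_* record over NETLINK_AUDIT, plus a decoder for the kernel's ACK, so the acceptance or rejection described in the reply can be observed from inside a namespace. Constants are from <linux/netlink.h> and <libaudit.h>; the record text and the sample EPERM reply are constructed, and the exact errno a non-initial user namespace receives is kernel-version dependent and is not asserted.

```python
"""Emit one AUDIT_USER_* record over NETLINK_AUDIT and decode the kernel's ACK."""
import socket
import struct

NETLINK_AUDIT = 9            # <linux/netlink.h>
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
NLMSG_ERROR = 0x02           # reply type carrying a (negative) errno, 0 on a clean ACK
AUDIT_USER_LOGIN = 1112      # one AUDIT_USER_* class type, from <libaudit.h>
NLMSG_HDRLEN = 16            # struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid
HDR = "=IHHII"

def build_audit_user_msg(msg_type, text, seq):
    """Frame the record text the way libaudit does: nlmsghdr + NUL-terminated text.
    The kernel accepts this from any PID namespace when the sender holds CAP_AUDIT_WRITE."""
    payload = text.encode() + b"\0"
    hdr = struct.pack(HDR, NLMSG_HDRLEN + len(payload), msg_type,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)  # pid 0: addressed to the kernel
    return hdr + payload

def unpack_nlmsghdr(data):
    """Return (nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid)."""
    return struct.unpack(HDR, data[:NLMSG_HDRLEN])

def parse_reply(data):
    """Return (reply_type, errno) for a kernel reply; errno is 0 for a clean ACK."""
    rtype = unpack_nlmsghdr(data)[1]
    if rtype != NLMSG_ERROR:
        return rtype, 0
    err = struct.unpack("=i", data[NLMSG_HDRLEN:NLMSG_HDRLEN + 4])[0]
    return rtype, -err   # struct nlmsgerr.error holds -errno, or 0 for an ACK

def send_audit_user_msg(text, msg_type=AUDIT_USER_LOGIN, seq=1):
    """Send the record; return 0 on success or the positive errno the kernel replied with.
    EPERM is what a sender without CAP_AUDIT_WRITE sees; a non-initial user namespace is
    refused outright (the exact errno depends on the kernel version)."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.settimeout(2.0)
        s.bind((0, 0))
        s.send(build_audit_user_msg(msg_type, text, seq))
        return parse_reply(s.recv(8192))[1]

# Constructed sample reply: the kernel rejecting our seq=1 request with EPERM (errno 1).
SAMPLE_EPERM_REPLY = (struct.pack(HDR, NLMSG_HDRLEN + 4 + NLMSG_HDRLEN, NLMSG_ERROR, 0, 1, 0)
                      + struct.pack("=i", -1)
                      + build_audit_user_msg(AUDIT_USER_LOGIN, "", 1)[:NLMSG_HDRLEN])

if __name__ == "__main__":
    record = 'op=login acct="scott" exe="/usr/bin/login" res=success'  # constructed text
    print("kernel returned errno", send_audit_user_msg(record))
```

Run it once in the initial namespaces as root and once inside a container to compare the returned errno with the rules in the reply above.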