Discussion:
Can auditd run in lxc on centos7
(too old to reply)
Bob Beck
2018-04-05 16:26:15 UTC
Permalink
Raw Message
Hi,



I am attempting to run auditd in centos7 inside a lxc container.



Here is the log I get when I run auditd -f



onfig file /etc/audit/auditd.conf opened for parsing

log_file_parser called with: /var/log/audit.log

log_format_parser called with: RAW

log_group_parser called with: root

priority_boost_parser called with: 4

flush_parser called with: INCREMENTAL

freq_parser called with: 20

num_logs_parser called with: 5

qos_parser called with: lossy

dispatch_parser called with: /usr/sbin/audispd

name_format_parser called with: NONE

max_log_size_parser called with: 6

max_log_size_action_parser called with: ROTATE

space_left_parser called with: 75

space_action_parser called with: SYSLOG

action_mail_acct_parser called with: root

admin_space_left_parser called with: 50

admin_space_left_action_parser called with: SUSPEND

disk_full_action_parser called with: SUSPEND

disk_error_action_parser called with: SUSPEND

tcp_listen_queue_parser called with: 5

tcp_max_per_addr_parser called with: 1

tcp_client_max_idle_parser called with: 0

enable_krb5_parser called with: no

GSSAPI support is not enabled, ignoring value at line 30

krb5_principal_parser called with: auditd

GSSAPI support is not enabled, ignoring value at line 31

Started dispatcher: /usr/sbin/audispd pid: 3028

type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success

config_manager init complete

Error sending status request (Connection refused)

Error sending enable request (Connection refused)

type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=failed

Unable to set initial audit startup state to 'enable', exiting

The audit daemon is exiting.

Error setting audit daemon pid (Connection refused)
Steve Grubb
2018-04-05 16:37:26 UTC
Permalink
Raw Message
Post by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside a lxc container.
It can run inside a container only as an aggregating server. Meaning that it
cannot audit the host system, but rather collect logs from remote systems. To
do this, set local_events = no. This was added in audit-2.5.2.
Post by Bob Beck
Here is the log I get when I run auditd -f
config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
Yep. That is what you get when trying to audit the host from a unprivileged
container. Container support in the kernel is still an ongoing project.

-Steve
Bob Beck
2018-04-05 16:52:24 UTC
Permalink
Raw Message
Thanks for your quick reply.

Do you mean that it logs events from within the 1 specific lxc container
in which it is running but not the host VM?

Bob

-----Original Message-----
From: Steve Grubb [mailto:***@redhat.com]
Sent: Thursday, April 05, 2018 12:37 PM
To: linux-***@redhat.com
Cc: Bob Beck
Subject: Re: Can auditd run in lxc on centos7
Post by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside a lxc container.
It can run inside a container only as an aggregating server. Meaning that it
cannot audit the host system, but rather collect logs from remote systems.
To do this, set local_events = no. This was added in audit-2.5.2.
Post by Bob Beck
Here is the log I get when I run auditd -f
config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295
subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
Yep. That is what you get when trying to audit the host from a unprivileged
container. Container support in the kernel is still an ongoing project.

-Steve
Richard Guy Briggs
2018-04-05 16:57:57 UTC
Permalink
Raw Message
Post by Bob Beck
Thanks for your quick reply.
Do you mean that it logs events from within the 1 specific lxc container
in which it is running but not the host VM?
No. It can only receive audit events from another audit daemon over a
network socket.

There is active work being done to try to solve your problem, but it
isn't ready yet.
Post by Bob Beck
Bob
-----Original Message-----
Sent: Thursday, April 05, 2018 12:37 PM
Cc: Bob Beck
Subject: Re: Can auditd run in lxc on centos7
Post by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside a lxc container.
It can run inside a container only as an aggregating server. Meaning that it
cannot audit the host system, but rather collect logs from remote systems.
To do this, set local_events = no. This was added in audit-2.5.2.
Post by Bob Beck
Here is the log I get when I run auditd -f
config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295
subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
Yep. That is what you get when trying to audit the host from a unprivileged
container. Container support in the kernel is still an ongoing project.
-Steve
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Steve Grubb
2018-04-05 18:28:18 UTC
Permalink
Raw Message
Post by Bob Beck
Thanks for your quick reply.
Do you mean that it logs events from within the 1 specific lxc container
in which it is running but not the host VM?
Nope. It would only work as an aggregating server. Meaning it can collect
logs from remote systems. But it cannot collect anything itself. Not from the
container nor the host kernel. It can only log what comes across a tcp/ip
connection from another auditd. This is a limitation of the kernel - which is
being worked on currently.

-Steve
Post by Bob Beck
-----Original Message-----
Sent: Thursday, April 05, 2018 12:37 PM
Cc: Bob Beck
Subject: Re: Can auditd run in lxc on centos7
Post by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside a lxc container.
It can run inside a container only as an aggregating server. Meaning that
it cannot audit the host system, but rather collect logs from remote
systems. To do this, set local_events = no. This was added in
audit-2.5.2.
Post by Bob Beck
Here is the log I get when I run auditd -f
config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295
subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
Yep. That is what you get when trying to audit the host from a unprivileged
container. Container support in the kernel is still an ongoing project.
-Steve
John Jasen
2018-04-09 19:52:23 UTC
Permalink
Raw Message
As points of clarification:

would audit on the host have visibility into the container? (for
example, logging execve calls from certain users)

would pam_tty_audit running the host still be able to collect data upon
entering the container?

Thanks!
Post by Steve Grubb
Post by Bob Beck
Thanks for your quick reply.
Do you mean that it logs events from within the 1 specific lxc container
in which it is running but not the host VM?
Nope. It would only work as an aggregating server. Meaning it can collect
logs from remote systems. But it cannot collect anything itself. Not from the
container nor the host kernel. It can only log what comes across a tcp/ip
connection from another auditd. This is a limitation of the kernel - which is
being worked on currently.
-Steve
Post by Bob Beck
-----Original Message-----
Sent: Thursday, April 05, 2018 12:37 PM
Cc: Bob Beck
Subject: Re: Can auditd run in lxc on centos7
Post by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside a lxc container.
It can run inside a container only as an aggregating server. Meaning that
it cannot audit the host system, but rather collect logs from remote
systems. To do this, set local_events = no. This was added in
audit-2.5.2.
Post by Bob Beck
Here is the log I get when I run auditd -f
config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t
res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295
subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
Yep. That is what you get when trying to audit the host from a unprivileged
container. Container support in the kernel is still an ongoing project.
-Steve
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
Richard Guy Briggs
2018-04-09 20:59:07 UTC
Permalink
Raw Message
Post by John Jasen
would audit on the host have visibility into the container? (for
example, logging execve calls from certain users)
Yes, but filenames and inodes may not make sense if the filesystem isn't
mounted in the host mount namespace.
Post by John Jasen
would pam_tty_audit running the host still be able to collect data upon
entering the container?
Yes, I believe so.
Post by John Jasen
Thanks!
Post by Steve Grubb
Post by Bob Beck
Thanks for your quick reply.
Do you mean that it logs events from within the 1 specific lxc container
in which it is running but not the host VM?
Nope. It would only work as an aggregating server. Meaning it can collect
logs from remote systems. But it cannot collect anything itself. Not from the
container nor the host kernel. It can only log what comes across a tcp/ip
connection from another auditd. This is a limitation of the kernel - which is
being worked on currently.
-Steve
Post by Bob Beck
-----Original Message-----
Sent: Thursday, April 05, 2018 12:37 PM
Cc: Bob Beck
Subject: Re: Can auditd run in lxc on centos7
Post by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside a lxc container.
It can run inside a container only as an aggregating server. Meaning that
it cannot audit the host system, but rather collect logs from remote
systems. To do this, set local_events = no. This was added in
audit-2.5.2.
Post by Bob Beck
Here is the log I get when I run auditd -f
config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4
format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295
pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable
auid=4294967295 pid=3026 uid=0 ses=4294967295
subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
Yep. That is what you get when trying to audit the host from a unprivileged
container. Container support in the kernel is still an ongoing project.
-Steve
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Loading...