Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759193AbbEEQHB (ORCPT ); Tue, 5 May 2015 12:07:01 -0400 Received: from mx1.redhat.com ([209.132.183.28]:40874 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2993185AbbEEObV (ORCPT ); Tue, 5 May 2015 10:31:21 -0400 Date: Tue, 5 May 2015 10:31:20 -0400 From: Aristeu Rozanski To: Steve Grubb Cc: Richard Guy Briggs , containers@lists.linux-foundation.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com, eparis@parisplace.org, pmoore@redhat.com, ebiederm@xmission.com, serge@hallyn.com, zohar@linux.vnet.ibm.com, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, netdev@vger.kernel.org Subject: Re: [PATCH V6 05/10] audit: log creation and deletion of namespace instances Message-ID: <20150505143119.GA4350@redhat.com> References: <11270b0b1afd0a25b108915673e1e1b38dfeeafa.1429252659.git.rgb@redhat.com> <2487286.y6vyJ9A3er@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2487286.y6vyJ9A3er@x2> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2504 Lines: 51 Hi Steve, On Tue, May 05, 2015 at 10:22:32AM -0400, Steve Grubb wrote: > The requirements for auditing of containers should be derived from VPP. In it, > it asks for selectable auditing, selective audit, and selective audit review. > What this means is that we need the container and all its children to have one > identifier that is inserted into all the events that are associated with the > container. > > With this, its possible to do a search for all events related to a container. > Its possible to exclude events from a container. Its possible to not get any > events. > > The requirements also call out for the identification of the subject. This > means that the event should be bound to a syscall such as clone, setns, or > unshare. > > Also, any user space events originating inside the container needs to have the > container ID added to the user space event - just like auid and session id. > > Recording each instance of a name space is giving me something that I cannot > use to do queries required by the security target. Given these events, how do > I locate a web server event where it accesses a watched file? That > authentication failed? That an update within the container failed? > > The requirements are that we have to log the creation, suspension, migration, > and termination of a container. The requirements are not on the individual > name space. > > Maybe I'm missing how these events give me that. But I'd like to hear how I > would be able to meet requirements with these 12 events. what about cases you don't use lxc, libvirt to create namespaces? It's easier if the logging is done by namespaces and in case they're created by any container manager, it can generate a new event notifying it created a container named "foo" with these namespaces: x, y, z, w and from that you can piece together everything that happened. Userspace tools can change to adapt to using namespaces and the idea of container to make it easier to lookup for events instead of relying on a number that might not be there (think someone using unshare, ip netns, ...). It was discussed in the past and having the concept of "container" in kernel space and it's not going to happen, so userspace should deal with it. -- Aristeu -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/