support configuring audit rules from bootstrap container #3831
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
Closes #3808
Description of changes:
Run bootstrap containers in the host PID namespace, and with
CAP_AUDIT_CONTROL
, so that audit rules can be configured.To facilitate debugging, associate the journal entries to the matching host or bootstrap container by setting the
SyslogIdentifier
field. This was helpful when troubleshooting issues with myauditctl
container.Testing done:
When adding path-based watches, there's an additional wrinkle in that the path will be based on the current root, which will be the root of the bootstrap container's mount namespace.
To work around this, it's necessary to invoke auditctl like this:
Or like this:
It's also a good idea to clear out previous rules (
auditctl -D
) so that the default rules don't filter out events of interest. Syscall auditing is disabled by default, and non-SELinux related messages are discarded.With that in mind, I used the following script in my bootstrap container:
This produced the following output at launch:
Afterwards, the rules were visible on the host and
/etc/passwd
writes were logged.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.