Open RChernov opened 1 year ago
Currently the Linux Kernel's audit subsystem is not container/namespace aware and thus all filtering decisions must be made in the context of the initial namespace.
While issue https://github.com/linux-audit/audit-kernel/issues/90 is related, additional work beyond the audit container ID support would be needed to fully support filtering rooted in an individual namespace.
In the current version of auditd, filtering by the `exe` field in `audit.rules` doesn't work for executables from containers. As I can see, it's due to the logic of the `audit_exe_compare()` function: it compares `dev` and `inode` for files, not the full path. At the same time, in events for containers I see the full path to an executable file relative to the container file system tree, not the host file system:

```
type=SYSCALL msg=audit(1688638681.978:8214739): arch=c000003e syscall=288 success=no exit=-11 a0=7 a1=7ffc92a75c50 a2=7ffc92a75c2c a3=80000 items=0 ppid=1422 pid=34388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/local/bin/python3.8" subj=docker-default (enforce) key="pt_siem_api_accept" ARCH=x86_64 SYSCALL=accept4 AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
```

Of course I can find the full path in OverlayFS (for Docker) to the file and set it in `-F exe` (and it works). But I have to do this for all current and new containers. It's not a good user experience at all. Is it possible to do something with it?
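The mechanism behind the report, as an added example (not code from the issue or from the audit project): `auditctl` resolves the `-F exe=` path to a `(st_dev, st_ino)` pair at rule-load time and `audit_exe_compare()` compares that pair, so the container-relative path in the record never matches on the host, while the same path resolved under the container's merged overlay directory does. The merged directory is assumed to be known (a constructed temp dir stands in for it here), and the audit record is the one quoted above, trimmed.

```python
import os
import re
import tempfile

# Constructed from the SYSCALL record quoted in the issue (trimmed).
RECORD = ('type=SYSCALL msg=audit(1688638681.978:8214739): arch=c000003e '
          'syscall=288 success=no exit=-11 comm="gunicorn" '
          'exe="/usr/local/bin/python3.8" subj=docker-default (enforce) '
          'key="pt_siem_api_accept"')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return the key=value fields of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def dev_ino(path):
    """The identity audit_exe_compare() checks: (st_dev, st_ino), or None."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_dev, st.st_ino)


def rule_for_container_exe(merged_dir, container_exe):
    """Build the host path and an auditctl rule for one container binary."""
    host_path = os.path.join(merged_dir, container_exe.lstrip('/'))
    rule = ('-a always,exit -F arch=b64 -S accept4 '
            f'-F exe={host_path} -k pt_siem_api_accept')
    return host_path, rule


def demo():
    """A temp dir plays the container's merged rootfs (hypothetical stand-in
    for /var/lib/docker/overlay2/<id>/merged); the binary is an empty file."""
    exe = parse_record(RECORD)['exe']
    with tempfile.TemporaryDirectory() as merged:
        binary = os.path.join(merged, exe.lstrip('/'))
        os.makedirs(os.path.dirname(binary))
        open(binary, 'wb').close()
        host_path, rule = rule_for_container_exe(merged, exe)
        return {
            # Container-relative path: missing on the host or a different inode.
            'container_path_matches': dev_ino(exe) == dev_ino(binary),
            # Path under the merged dir: same (dev, ino) the kernel compares.
            'host_path_matches': dev_ino(host_path) == dev_ino(binary),
            'rule': rule,
        }
```

Because the rule is bound to an inode, it also has to be regenerated whenever the container image (and so the binary's inode) changes.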