
RFE: add namespace IDs to audit records

Open pcmoore opened this issue 9 years ago • 17 comments

The lack of namespace identifiers in audit records can make interpreting audit records difficult in some configurations. Pay special attention to the fact that this issue is about namespace identifiers and not container identifiers; while this work will help track activities associated with containers, ultimately it is the container engine which will need to create/assign/manage the container identifier.

pcmoore avatar Dec 21 '16 22:12 pcmoore

The last upstream patchset from April 2015:

  • https://www.redhat.com/archives/linux-audit/2015-April/msg00014.html

pcmoore avatar Dec 21 '16 22:12 pcmoore

This issue should be about making a decision between implementing a set of namespace IDs to report in audit records, or a container ID to report in audit records. Implementing namespace IDs to report in each record will consume audit record bandwidth and is likely to be more useful as an auxiliary record in the case of a syscall to avoid making existing records longer and to make them easier to ignore should that information not interest log reviewers. The last patch was v7 (not v6 as quoted above) that used the ns inode and incorporated the change from proc to nsfs.

The alternative is to develop a new container ID settable by a container manager process with a new capability (CAP_CONTAINERID_SET?) that would be stored in the task_struct, inheritable by the task's children.

References:

  • https://bugzilla.redhat.com/show_bug.cgi?id=1045666
  • Aristeu Rozanski first proposed an RFC of a set of namespace IDs 2013-03-18: https://www.redhat.com/archives/linux-audit/2013-March/msg00020.html (thread cont'd: https://www.redhat.com/archives/linux-audit/2013-March/msg00033.html https://www.redhat.com/archives/linux-audit/2014-January/msg00180.html)
  • RGB: V1: https://www.redhat.com/archives/linux-audit/2013-July/msg00027.html
  • omoris: https://www.redhat.com/archives/linux-audit/2013-December/msg00011.html
  • v?: https://www.redhat.com/archives/linux-audit/2013-December/msg00112.html
  • Bill Roberts interest v?: https://www.redhat.com/archives/linux-audit/2014-April/msg00097.html
  • v2: https://www.redhat.com/archives/linux-audit/2014-May/msg00049.html
  • v3: https://www.redhat.com/archives/linux-audit/2014-May/msg00071.html
  • v4: https://www.redhat.com/archives/linux-audit/2014-August/msg00036.html
  • Nicholas Dichtel: https://www.redhat.com/archives/linux-audit/2014-August/msg00035.html
  • v5: https://www.redhat.com/archives/linux-audit/2014-October/msg00030.html
  • v6: https://www.redhat.com/archives/linux-audit/2015-April/msg00014.html
  • v7: https://www.redhat.com/archives/linux-audit/2015-May/msg00018.html
  • Scott Guland: https://www.redhat.com/archives/linux-audit/2015-November/msg00006.html
  • LSS 2016 presentation: http://tricolour.ca/slides/lss-2016-audit-namespaces.pdf
  • https://www.youtube.com/watch?v=iYbZGoTNQ4A
  • Aravinda Prasad: https://lkml.org/lkml/2017/1/11/209
  • https://lwn.net/Articles/699819/#Comments (thread start: https://lkml.org/lkml/2016/12/15/530)

rgbriggs avatar Jan 23 '17 09:01 rgbriggs

I attended @pcmoore's talk about namespaces and auditing at DevConf.CZ. A unique container id would solve several problems we are facing in Custodia (https://github.com/latchset/custodia). Custodia is a technology for end-to-end key management, or simply speaking an API to request secrets from a service. For containers we use Unix sockets for both transport and authentication. Right now we are required to use horrible hacks to map a PID (SO_PEERSEC and SO_PEERCRED) to a container id (regexp on /proc/PID/cgroup), https://speakerdeck.com/tiran/pycon-2016-file-descriptors-unix-sockets-and-other-posix-magic?slide=53

A proper namespace identifier and something like getsockopt(SOL_SOCKET, SO_CONTAINERID) would make our approach both simpler and more secure.

tiran avatar Jan 29 '17 11:01 tiran
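To make the workaround in the comment above concrete, here is an added example (not Custodia's code and not from this issue) of the SO_PEERCRED to /proc/PID/cgroup mapping a Unix-socket service has to do today, and of why it is brittle. It assumes Linux, a cgroup layout in which the container id is a 64-hex-character path component (the `/docker/<id>` and `docker-<id>.scope` shapes are assumed, not taken from the page), and constructed sample /proc contents; every runtime or cgroup-driver change would need another pattern, and a peer outside our PID namespace is reported as pid 0, which is the limitation raised later in this thread.

```python
"""Map a Unix-socket peer to a container id via SO_PEERCRED + /proc/<pid>/cgroup.

Added example illustrating the workaround described in the comment above; it is
not Custodia's code. The cgroup path shapes, the 64-hex container id and the
sample /proc contents are constructed assumptions. Linux only.
"""
import os
import re
import socket
import struct
from typing import Optional

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } -> three native ints.
_UCRED_FMT = "3i"

# Assumed cgroup path shapes. Each runtime / cgroup driver writes a different one,
# which is exactly why a regex over /proc is brittle: a new layout silently yields
# "not a container" until someone adds another rule here.
_CONTAINER_ID_PATTERNS = [
    re.compile(r"/docker/([0-9a-f]{64})(?:/|$)"),         # assumed cgroup v1 layout
    re.compile(r"/docker-([0-9a-f]{64})\.scope(?:/|$)"),  # assumed systemd-driver layout
]

# Constructed samples of /proc/<pid>/cgroup contents (not captured from a real host).
_CID = "0123456789abcdef" * 4
SAMPLE_CGROUP_DOCKER_V1 = (
    f"12:pids:/docker/{_CID}\n"
    f"11:memory:/docker/{_CID}\n"
    f"0::/docker/{_CID}\n"
)
SAMPLE_CGROUP_SYSTEMD = f"0::/system.slice/docker-{_CID}.scope\n"
SAMPLE_CGROUP_HOST = (
    "12:pids:/user.slice/user-1000.slice/session-2.scope\n"
    "0::/user.slice/user-1000.slice/session-2.scope\n"
)


def peer_pid(sock: socket.socket) -> Optional[int]:
    """Return the peer's PID as seen from our PID namespace, or None.

    The kernel translates the credential into the receiver's PID namespace; a
    peer that is not visible there (a sibling namespace) is reported as pid 0,
    so the service must share the peer's PID namespace or be an ancestor of it.
    """
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    pid, _uid, _gid = struct.unpack(_UCRED_FMT, raw)
    return pid if pid > 0 else None


def container_id_from_cgroup(text: str) -> Optional[str]:
    """Extract a container id from /proc/<pid>/cgroup text; None means host/unknown."""
    for line in text.splitlines():
        # Each line is "hierarchy-id:controllers:path"; only the path matters.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        for pattern in _CONTAINER_ID_PATTERNS:
            m = pattern.search(parts[2])
            if m:
                return m.group(1)
    return None


def container_id_for_pid(pid: int) -> Optional[str]:
    """Read /proc/<pid>/cgroup of a live process; None if it already exited (TOCTOU)."""
    try:
        with open(f"/proc/{pid}/cgroup", encoding="utf-8") as f:
            return container_id_from_cgroup(f.read())
    except OSError:
        return None


def peer_container_id(sock: socket.socket) -> Optional[str]:
    """The full hack: credential lookup, then the /proc regexp."""
    pid = peer_pid(sock)
    return container_id_for_pid(pid) if pid is not None else None


def peer_is_self() -> bool:
    """Sanity check: over a socketpair the peer is this very process."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        return peer_pid(a) == os.getpid()


if __name__ == "__main__":
    print("socketpair peer is ourselves:", peer_is_self())
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b:
        print("our own container id (None on the host):", peer_container_id(a))
    for name, text in [("docker v1", SAMPLE_CGROUP_DOCKER_V1),
                       ("systemd", SAMPLE_CGROUP_SYSTEMD),
                       ("host", SAMPLE_CGROUP_HOST)]:
        print(f"{name}: {container_id_from_cgroup(text)}")
```

Note that the `/proc/<pid>/cgroup` read happens after the credential was fetched, so the peer may exit (and the pid be reused) in between; a kernel-provided identifier attached to the socket credential, as the comment asks for, removes both that race and the runtime-specific pattern table.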

Thanks @tiran, I did happen to see your tech-talk last week, so I have an idea of which you speak, but will need to go back and have a closer look to understand the details. Thanks for the feedback.

rgbriggs avatar Jan 30 '17 18:01 rgbriggs

Thanks @rgbriggs, I'm in Brno until the end of the week. Let's talk next week.

tiran avatar Jan 30 '17 20:01 tiran

@tiran If you can find a few moments to chat with @pcmoore while he is still there that might also be helpful.

rgbriggs avatar Jan 30 '17 20:01 rgbriggs

@npmccallum suggested adding a syscall to retrieve a container id. The approach has some potential benefits and drawbacks. It's more generally usable but requires the service to run in the same PID namespace or the host PID namespace.

tiran avatar Jan 31 '17 16:01 tiran

Here's a patchset from David Howells that makes an attempt at a kernel container object that would be useful for our use case: https://lkml.org/lkml/2017/5/22/645 The LWN article reviewing it: https://lwn.net/Articles/723561/

rgbriggs avatar May 29 '17 21:05 rgbriggs

Posted Kernel Audit Container ID proposal upstream: https://www.redhat.com/archives/linux-audit/2017-September/msg00082.html https://lkml.org/lkml/2017/9/13/383

rgbriggs avatar Sep 13 '17 17:09 rgbriggs

2017-10-12: Posted RFC(v2): Audit Kernel Container IDs https://lkml.org/lkml/2017/10/12/354 "non-Cc:" fork https://lkml.org/lkml/2017/10/17/689

rgbriggs avatar Feb 05 '18 03:02 rgbriggs

LWN coverage: https://lwn.net/Articles/740621/

rgbriggs avatar Feb 05 '18 03:02 rgbriggs

2018-01-09: Posted RFC(v3): Audit Kernel Container IDs https://www.redhat.com/archives/linux-audit/2018-January/msg00014.html https://lkml.org/lkml/2018/1/9/347

rgbriggs avatar Feb 05 '18 03:02 rgbriggs

2018-03-01: Posted RFC v1 patchset upstream: https://lkml.org/lkml/2018/3/1/813 https://www.redhat.com/archives/linux-audit/2018-March/msg00004.html

rgbriggs avatar Mar 05 '18 05:03 rgbriggs

Posted RFC v1 userspace patch for auditctl containerid filter support: https://www.redhat.com/archives/linux-audit/2018-March/msg00030.html https://lkml.org/lkml/2018/3/5/82

rgbriggs avatar Mar 05 '18 08:03 rgbriggs

Posted v2 patchset upstream: https://www.redhat.com/archives/linux-audit/2018-March/msg00110.html https://lkml.org/lkml/2018/3/16/191

Posted v2 userspace patchset upstream: https://www.redhat.com/archives/linux-audit/2018-March/msg00124.html https://lkml.org/lkml/2018/3/16/210

rgbriggs avatar Mar 16 '18 09:03 rgbriggs

Split off the audit container identifier work into new issues, leaving this one for namespace identifiers:

  • https://github.com/linux-audit/audit-kernel/issues/90 audit container identifier
  • https://github.com/linux-audit/audit-kernel/issues/91 audit container identifier filter
  • https://github.com/linux-audit/audit-kernel/issues/92 audit container identifiers in namespaces
  • https://github.com/linux-audit/audit-kernel/issues/93 multiple audit daemons
  • https://github.com/linux-audit/audit-kernel/issues/75 audit container identifier message routing
  • https://github.com/linux-audit/audit-userspace/issues/51 audit container identifier record support
  • https://github.com/linux-audit/audit-userspace/issues/40 audit container identifier filter
  • https://github.com/linux-audit/audit-testsuite/issues/64 audit container identifier testing

rgbriggs avatar Jun 06 '18 12:06 rgbriggs

Added userspace support issue: https://github.com/linux-audit/audit-userspace/issues/59

rgbriggs avatar Aug 02 '18 14:08 rgbriggs