Date: Mon, 12 Mar 2018 11:05:29 +0000
From: Big Lebowski <spankthespam@gmail.com>
To: Christian Peron <csjp@sqrt.ca>
Cc: Eitan Adler <lists@eitanadler.com>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: auditing users within a jail
Message-ID: <CAHcXP%2Bc4yS1TEzWieOAMhh5KzK25NP=zqjyXgF%2BWUnPQooDHdA@mail.gmail.com>
In-Reply-To: <20180312031746.GB7114@cps-macbook-pro.lan>
References: <CAF6rxgmWWx-vQ9UDk4Uyk9SfxXBNtirtCEW6bixpS-akkn%2BwCw@mail.gmail.com> <20180312031746.GB7114@cps-macbook-pro.lan>

On Mon, Mar 12, 2018 at 3:17 AM, Christian Peron <csjp@sqrt.ca> wrote:

> Hi Eitan,
>
> IIRC the short version is the audit related syscalls are currently disabled in
> jails. This means that a jailed process can not set audit configurations for
> themselves (or child processes). This also means things like auditd(8) won't work.
>
> However, it is possible for processes in jails to produce audit records.
> The processes just need an audit mask. Since audit masks (configurations)
> are inherited across forks, you could set a global audit configuration for the
> jail using the following tool (or something like it):
>
> https://github.com/csjayp/setaudit (I just dropped it on to github)
>
> We could hack on it to make it more friendly for jails etc.. but this should
> get you going in the right direction. With a bit of work, it could be possible
> to "virtualize" the core audit objects so we could have functional per jail
> auditing configurations, but certain care needs to be taken to ensure it couldn't
> override the config in the host (et al).
>

I suppose this could/should be added to the docs? :)