
docker - Error running auditd inside a centos docker container: "Unable to set initial audit startup state to 'enable', exiting"

Reposted. Author: 行者123. Updated: 2023-12-02 19:29:09

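I am trying to create a docker container with systemd enabled and install auditd on it.

I am using the standard centos/systemd image available on Docker Hub. But when I try to start auditing, it fails.

Here is the list of commands I ran to create the docker container and get into it: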

docker run -d --rm --privileged --name systemd -v /sys/fs/cgroup:/sys/fs/cgroup:ro centos/systemd
docker exec -it systemd bash

Now, inside the docker container:

yum install audit
systemctl start auditd

I get the following error:

Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.

Then I run:

systemctl status auditd.service

And I get this information:

auditd[182]: Error sending status request (Operation not permitted)
auditd[182]: Error sending enable request (Operation not permitted)
auditd[182]: Unable to set initial audit startup state to 'enable', exiting
auditd[182]: The audit daemon is exiting.
auditd[181]: Cannot daemonize (Success)
auditd[181]: The audit daemon is exiting.
systemd[1]: auditd.service: control process exited, code=exited status=1
systemd[1]: Failed to start Security Auditing Service.
systemd[1]: Unit auditd.service entered failed state.
systemd[1]: auditd.service failed.

Do you have any idea why this is happening?

Thanks.

Best answer

See this discussion:

At the moment, auditd can be used inside a container only for aggregating logs from other systems. It cannot be used to get events relevant to the container or the host OS. If you want to aggregate only, then set local_events=no in auditd.conf.

Container support is still under development.

See also this:

local_events
This yes/no keyword specifies whether or not to include local events. Normally you want local events so the default value is yes. Cases where you would set this to no is when you want to aggregate events only from the network. At the moment, this is useful if the audit daemon is running in a container. This option can only be set once at daemon start up. Reloading the config file has no effect.

So at least as of Date: Thu, 19 Jul 2018 14:53:32 -0400, this feature is not supported, and you have to wait.
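
An added example (not part of the original answer or of the audit project's code): a shell helper that applies the local_events = no setting quoted above to an auditd.conf-style file, replacing an active entry or appending one if only a commented-out entry exists. The function names and the sample file are assumptions constructed for illustration; because the option is read only at daemon start, auditd has to be restarted after the change.

```shell
#!/bin/sh
# Added example: force "local_events = no" in an auditd.conf-style file.
# Function names are hypothetical; they are not part of the audit package.

# set_local_events_no FILE: rewrite FILE so exactly one active
# "local_events = no" line exists. Commented lines are left untouched.
set_local_events_no() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    awk '
        /^[[:space:]]*local_events[[:space:]]*=/ {
            # Replace the first active assignment, drop any duplicates.
            if (!seen) { print "local_events = no"; seen = 1 }
            next
        }
        { print }
        END { if (!seen) print "local_events = no" }   # key was absent
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the original file so its owner and mode are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# get_local_events FILE: print the last active value, or "unset".
get_local_events() {
    awk -F= '
        /^[[:space:]]*local_events[[:space:]]*=/ {
            v = $2; gsub(/[[:space:]]/, "", v); val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Demo on a constructed config file (not a real system file).
demo=$(mktemp)
printf '%s\n' 'log_file = /var/log/audit/audit.log' 'local_events = yes' > "$demo"
set_local_events_no "$demo" && echo "local_events is now: $(get_local_events "$demo")"
rm -f "$demo"
```
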

Regarding docker - Error running auditd inside a centos docker container: "Unable to set initial audit startup state to 'enable', exiting", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53311314/
