In the current version of auditd, filtering by the `exe` field in audit.rules doesn't work for executables from containers.
As I can see, it's due to the logic of the `audit_exe_compare()` function. It compares dev and inode for files, not the full path. At the same time, in events for containers I see the full path to an executable file relative to the container file system tree, not the host file system.
Of course I can find the full path in OverlayFS (for Docker) to the file and set it in `-F exe` (and it works). But I have to do this for all current and new containers. It's not a good user experience at all.
Is it possible to do something with it?
Currently the Linux Kernel's audit subsystem is not container/namespace aware and thus all filtering decisions must be made in the context of the initial namespace.
While issue #90 is related, additional work beyond the audit container ID support would be needed to fully support filtering rooted in an individual namespace.
pcmoore changed the title from "RFE: Improve filtering events by exe for containers" to "RFE: improve filtering events by exe for containers" on Jul 6, 2023.
At the same time, in events for containers I see the full path to an executable file relative to the container file system tree, not the host file system:

```
type=SYSCALL msg=audit(1688638681.978:8214739): arch=c000003e syscall=288 success=no exit=-11 a0=7 a1=7ffc92a75c50 a2=7ffc92a75c2c a3=80000 items=0 ppid=1422 pid=34388 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/local/bin/python3.8" subj=docker-default (enforce) key="pt_siem_api_accept" ARCH=x86_64 SYSCALL=accept4 AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
```
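The following is an added example, not code from the issue or from the audit project. It models the `audit_exe_compare()` behaviour the reporter describes (matching on dev/inode rather than on the path string in `exe=`) and generates the per-container host-side rule of the OverlayFS workaround. The sample event, the fake merged directory and its id are constructed for the demo; `SAMPLE_EVENT` is modelled on the SYSCALL record in the report.

```python
import os
import re
import tempfile

# Constructed sample event, modelled on the SYSCALL record in the issue (not a capture).
SAMPLE_EVENT = ('type=SYSCALL msg=audit(1688638681.978:8214739): arch=c000003e syscall=288 '
                'success=no exit=-11 ppid=1422 pid=34388 uid=0 comm="gunicorn" '
                'exe="/usr/local/bin/python3.8" key="pt_siem_api_accept" SYSCALL=accept4')

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_fields(line):
    """Split an audit record into key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def exe_matches(rule_exe, task_exe):
    """Model audit_exe_compare(): the kernel matches on (st_dev, st_ino) of the file
    the rule resolved to when it was loaded, never on the path the task reports in exe=."""
    try:
        r, t = os.stat(rule_exe), os.stat(task_exe)
    except FileNotFoundError:
        return False
    return (r.st_dev, r.st_ino) == (t.st_dev, t.st_ino)

def host_exe_path(merged_dir, container_exe):
    """Map the container-rootfs path from exe= onto the host through the container's
    OverlayFS merged directory (docker inspect -f '{{.GraphDriver.Data.MergedDir}}' <id>)."""
    return os.path.join(merged_dir, container_exe.lstrip("/"))

def build_rule(host_exe, syscall, key):
    """Emit the audit.rules line the reporter's workaround needs, one per container."""
    return f"-a always,exit -F arch=b64 -S {syscall} -F exe={host_exe} -k {key}"

def demo():
    """Simulate the host's own python and a container's python under a fake merged dir."""
    ev = parse_audit_fields(SAMPLE_EVENT)
    with tempfile.TemporaryDirectory() as root:
        merged = os.path.join(root, "overlay2", "c0ffee", "merged")   # constructed layer id
        host_py = os.path.join(root, "host", ev["exe"].lstrip("/"))   # what /usr/local/bin/python3.8 resolves to on the host
        ctr_py = host_exe_path(merged, ev["exe"])                     # the file the container actually runs
        for p in (host_py, ctr_py):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "wb").close()
        return {
            "naive_rule_hits": exe_matches(host_py, ctr_py),   # rule written with the path seen in exe=
            "merged_rule_hits": exe_matches(ctr_py, ctr_py),   # rule written with the merged-dir path
            "rule": build_rule(ctr_py, ev["SYSCALL"], ev["key"]),
        }
```

Running `demo()` shows the rule built from the bare `exe=` path misses the container process (different inode), while the merged-dir rule matches; a real deployment would regenerate these rules on container start, which is the per-container burden the report objects to.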