Pedreiro

Reputation: 1804

Error running auditd inside centos docker container: "Unable to set initial audit startup state to 'enable', exiting"

I'm trying to create a docker container with systemd enabled and install auditd on it.

I'm using the standard centos/systemd image provided on Docker Hub. But when I try to start audit, it fails.

Here is the list of commands that I have done to create and get into the docker container:

docker run -d --rm --privileged --name systemd -v /sys/fs/cgroup:/sys/fs/cgroup:ro centos/systemd
docker exec -it systemd bash

Now, inside the docker container:

yum install audit
systemctl start auditd

I'm receiving the following error:

Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.

Then I run:

systemctl status auditd.service

And I'm getting this info:

auditd[182]: Error sending status request (Operation not permitted)
auditd[182]: Error sending enable request (Operation not permitted)
auditd[182]: Unable to set initial audit startup state to 'enable', exiting
auditd[182]: The audit daemon is exiting.
auditd[181]: Cannot daemonize (Success)
auditd[181]: The audit daemon is exiting.
systemd[1]: auditd.service: control process exited, code=exited status=1
systemd[1]: Failed to start Security Auditing Service.
systemd[1]: Unit auditd.service entered failed state.
systemd[1]: auditd.service failed.

Do you guys have any ideas on why this is happening?

Thank you.

Upvotes: 2

Views: 5287

Answers (1)

atline

Reputation: 31564

See this discussion:

At the moment, auditd can be used inside a container only for aggregating logs from other systems. It cannot be used to get events relevant to the container or the host OS. If you want to aggregate only, then set local_events=no in auditd.conf.

Container support is still under development.

Also see this:

local_events This yes/no keyword specifies whether or not to include local events. Normally you want local events so the default value is yes. Cases where you would set this to no is when you want to aggregate events only from the network. At the moment, this is useful if the audit daemon is running in a container. This option can only be set once at daemon start up. Reloading the config file has no effect.

So at least as of Date: Thu, 19 Jul 2018 14:53:32 -0400, this feature is not supported, and you have to wait.

Upvotes: 5
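
An added example, not part of the answer above or of the audit project: a shell helper that applies the local_events=no setting quoted in the answer to an auditd.conf file, covering the key being present, duplicated, commented out or absent. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: put auditd.conf into aggregate-only mode (local_events = no).

# Print the value of the last uncommented local_events line in the file,
# or "yes" (the documented default) when the key is not set.
get_local_events() {
    conf=$1
    val=$(awk -F= '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "local_events") {
                v = $2; gsub(/[ \t\r]/, "", v); last = tolower(v)
            }
        }
        END { print last }' "$conf")
    echo "${val:-yes}"
}

# Rewrite the local_events line in place, or append it when the key is absent.
set_local_events_no() {
    conf=$1
    tmp=$(mktemp) || return 1
    awk -F= '
        /^[ \t]*#/ { print; next }          # keep comments untouched
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "local_events") {
                if (!done) { print "local_events = no"; done = 1 }
                next                        # drop duplicate entries
            }
            print
        }
        END { if (!done) print "local_events = no" }' "$conf" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"    # overwrite contents, keeping owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Inside the container this would be called as `set_local_events_no /etc/audit/auditd.conf` before starting auditd, since the quoted man page text says the option is only read at daemon start-up.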
