add an auditd container

Two things to note here: we unfortunately can't just exec audit, because something needs to load the rules in beforehand. Second, it also dies if it can't re-nice itself, so we have to give it CAP_SYS_NICE as well as the audit caps. I didn't add this to the default linuxkit.yml because the linuxkit/audit repo doesn't exist yet, but we should probably (?) do that. Additionally, we should provide the kernel parameter audit=1, otherwise according to auditd's man pages, we can't audit some early tasks. Closes #52 Signed-off-by: Tycho Andersen <tycho@docker.com>
2025-09-19 23:34:19 +00:00 · 2017-06-20 10:50:50 -07:00
parent 31f356fe0e
commit 44cbd38650
5 changed files with 81 additions and 0 deletions
--- a/pkg/auditd/Dockerfile
+++ b/pkg/auditd/Dockerfile
@@ -0,0 +1,29 @@
+FROM linuxkit/alpine:cdb4e4d12ada4071a6c6a60bf4c14d35171ffae8 AS build
+RUN apk add abuild gcc git
+
+ADD build.sh /
+RUN adduser -D -G abuild builder && sudo -u builder /build.sh
+
+FROM linuxkit/alpine:cdb4e4d12ada4071a6c6a60bf4c14d35171ffae8 AS mirror
+COPY --from=build /home/builder/*apk /
+
+RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
+RUN apk add --initdb -p /out alpine-baselayout tini
+RUN apk add --allow-untrusted -p /out /*apk
+
+# Remove apk residuals. We have a read-only rootfs, so apk is of no use.
+RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
+
+FROM scratch
+ENTRYPOINT []
+CMD []
+WORKDIR /
+COPY --from=mirror /out/ /
+
+COPY auditd.conf /etc/audit
+COPY audit.rules /etc/audit
+COPY runaudit.sh /usr/bin
+
+CMD ["/sbin/tini", "/usr/bin/runaudit.sh"]
+
+LABEL org.mobyproject.config='{"pid": "host", "binds": ["/var/log:/var/log"], "capabilities": ["CAP_AUDIT_CONTROL", "CAP_AUDIT_READ", "CAP_AUDIT_WRITE", "CAP_SYS_NICE"]}'