Bug 1266307 - Capture information about the remote user connecting over socket in /run/docker
Summary: Capture information about the remote user connecting over socket in /run/docker
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On: 1265409 1332016
Blocks: docker-1.10
Reported: 2015-09-25 02:40 UTC by Subhendu Ghosh
Modified: 2019-03-06 02:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-12 15:16:19 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1034 0 normal SHIPPED_LIVE Moderate: docker security, bug fix, and enhancement update 2016-05-12 19:15:01 UTC

Description Subhendu Ghosh 2015-09-25 02:40:14 UTC
Description of problem:

To improve audit capabilities - determine user connecting over the docker socket

Comment 1 Daniel Walsh 2015-09-25 13:43:59 UTC
docker-1.9 will have logging and auditing of docker administrator/user actions, separate from the actions inside of the container.

Comment 2 Daniel Walsh 2015-09-29 14:55:30 UTC
Fixed in docker-1.9

Comment 8 Luwen Su 2016-05-03 15:39:13 UTC
Works now per the steps from comment #4 in docker-1.9.1-39.el7.x86_64.

The logs are a little long, so I put them at the end for reference.

type=VIRT_CONTROL msg=audit(1462289859.652:17030): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='user=? auid=? exe=? hostname=? reason=api op=create vm=? vm-pid=?  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_CONTROL msg=audit(1462289859.656:17031): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=create vm=? vm-pid=? user=? auid=? exe=? hostname=? reason=api  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_CONTROL msg=audit(1462289863.817:17032): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='user=? auid=? exe=? hostname=? reason=api op=create vm=? vm-pid=?  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_CONTROL msg=audit(1462289866.277:17033): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='reason=api op=attach vm=busybox vm-pid=0 user=? auid=? exe=echo hostname=1331d87c1dc9  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_CONTROL msg=audit(1462289866.281:17034): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='reason=api op=start vm=busybox vm-pid=0 user=? auid=? exe=echo hostname=1331d87c1dc9  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=ANOM_PROMISCUOUS msg=audit(1462289866.405:17035): dev=veth8439621 prom=256 old_prom=0 auid=0 uid=0 gid=0 ses=2110
type=SYSCALL msg=audit(1462289866.405:17035): arch=c000003e syscall=44 success=yes exit=40 a0=12 a1=c208be9200 a2=28 a3=0 items=0 ppid=17335 pid=18419 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2110 comm="docker-current" exe="/usr/bin/docker-current" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=filter family=2 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=raw family=2 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=security family=2 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=mangle family=2 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=nat family=2 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=filter family=10 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=raw family=10 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=security family=10 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=mangle family=10 entries=0
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=nat family=10 entries=0
type=SYSCALL msg=audit(1462289866.772:17036): arch=c000003e syscall=56 success=yes exit=18514 a0=6c020011 a1=0 a2=0 a3=0 items=0 ppid=17335 pid=18419 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2110 comm="docker-current" exe="/usr/bin/docker-current" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=VIRT_CONTROL msg=audit(1462289866.975:17037): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='user=? auid=? exe=echo hostname=1331d87c1dc9 reason=api op=resize vm=busybox vm-pid=18514  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=ANOM_PROMISCUOUS msg=audit(1462289867.395:17038): dev=veth8439621 prom=0 old_prom=256 auid=0 uid=0 gid=0 ses=2110
type=SYSCALL msg=audit(1462289867.395:17038): arch=c000003e syscall=44 success=yes exit=32 a0=14 a1=c208cd69a0 a2=20 a3=0 items=0 ppid=17335 pid=18419 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2110 comm="docker-current" exe="/usr/bin/docker-current" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
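
An added example, not part of the original comments: a short Python parser for VIRT_CONTROL records of the shape shown in comment 8, reporting which identity fields each record carries. It handles two things visible in those lines: the key order inside msg='...' varies between records, and exe and hostname occur twice, so the first occurrence is kept. Assumption: the trailing exe/hostname/addr/terminal/res group is appended by the audit library rather than by docker; the function and field names are illustrative.

```python
import re

# Four records copied from the audit output in comment 8.
SAMPLE = """\
type=VIRT_CONTROL msg=audit(1462289859.652:17030): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='user=? auid=? exe=? hostname=? reason=api op=create vm=? vm-pid=?  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=VIRT_CONTROL msg=audit(1462289866.277:17033): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='reason=api op=attach vm=busybox vm-pid=0 user=? auid=? exe=echo hostname=1331d87c1dc9  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
type=NETFILTER_CFG msg=audit(1462289866.772:17036): table=filter family=2 entries=0
type=VIRT_CONTROL msg=audit(1462289866.975:17037): pid=18410 uid=0 auid=0 ses=2110 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='user=? auid=? exe=echo hostname=1331d87c1dc9 reason=api op=resize vm=busybox vm-pid=18514  exe="/usr/bin/docker-current" hostname=? addr=? terminal=pts/0 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def fields(text):
    """Parse key=value pairs; the first occurrence of a repeated key wins."""
    out = {}
    for key, value in KV.findall(text):
        out.setdefault(key, value.strip('"'))
    return out


def docker_events(log):
    """Return one dict per VIRT_CONTROL record, ignoring other record types."""
    events = []
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m or m.group(1) != "VIRT_CONTROL":
            continue
        # Outer fields come from the kernel; msg='...' is the user-space payload.
        outer_text, _, inner_text = m.group(4).partition(" msg='")
        outer, inner = fields(outer_text), fields(inner_text.rstrip("'"))
        events.append({
            "time": float(m.group(2)), "serial": int(m.group(3)),
            "op": inner.get("op"), "vm": inner.get("vm"),
            "container_host": inner.get("hostname"),  # first hostname= (assumed docker's)
            "login_uid": outer.get("auid"), "session": outer.get("ses"),
            "msg_user": inner.get("user"), "res": inner.get("res"),
        })
    return events


def unattributed(events):
    """Serials of events whose user= field inside msg is unset ('?')."""
    return [e["serial"] for e in events if e["msg_user"] in (None, "?")]


if __name__ == "__main__":
    for event in docker_events(SAMPLE):
        print(event)
```
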

Comment 10 errata-xmlrpc 2016-05-12 15:16:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1034.html

