1000's of audit messages

lweidig

Our dmesg is filled with 1000's of these messages on one of our cluster machines:

Code:
[786621.940755] audit: type=1400 audit(1454507557.790:1241952): apparmor="DENIED"
 operation="ptrace" profile="lxc-container-default" pid=29054 comm="ps" requested_mask="trace"
 denied_mask="trace" peer="unconfined"

How do we go about figuring out which container is causing this (NO we cannot shut them all down and start one at a time, this is production) and then in the container the reason?

Thanks!
 
Looks like either a host process (unconfined) entered the container's PID namespace, or something executed 'ps' on the host with the lxc-container-default profile.
Or someone passed a filehandle to a trace-permission protected /proc file to the container somehow...
None of these things should happen... if you're using check_mk (like in the other thread) you should probably ping the check_mk devs.
 
Just checked a bunch of our servers and the messages are gone. So you might try the solution from the other thread. And please don't run anything with unconfined profiles like someone might suggest just to make things work/gone/easy... ;)
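One way to approach the "which container" question from the first post, as an added example that is not part of the thread: parse the AppArmor denials, count what repeats, and map the logged PID to a container through its cgroup. It assumes the `pid=` field is the host-side PID and that container cgroup paths contain `/lxc/<container id>`; the function names are hypothetical, and because `ps` exits quickly the PID lookup only succeeds while the process is still alive.

```python
import re
from collections import Counter
from datetime import datetime, timezone
# First record is the denial quoted in the post (rejoined onto one line); the rest is constructed.
SAMPLE = (
    '[786621.940755] audit: type=1400 audit(1454507557.790:1241952): apparmor="DENIED" '
    'operation="ptrace" profile="lxc-container-default" pid=29054 comm="ps" '
    'requested_mask="trace" denied_mask="trace" peer="unconfined"\n'
    '[786622.101000] audit: type=1400 audit(1454507558.010:1241953): apparmor="DENIED" '
    'operation="ptrace" profile="lxc-container-default" pid=29061 comm="ps" '
    'requested_mask="trace" denied_mask="trace" peer="unconfined"\n'
    '[786623.000000] eth0: link up (constructed non-audit line)\n'
)

AUDIT_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\):\s+(.*apparmor="DENIED".*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LXC_RE = re.compile(r'/lxc/([^/\s]+)')  # assumed cgroup layout: .../lxc/<container id>

def parse_denials(text):
    """Return one dict per AppArmor DENIED record found in dmesg/kern.log text."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        ev = {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group(3))}
        ev["pid"] = int(ev.get("pid", -1))
        ev["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        events.append(ev)
    return events

def summarize(events):
    # Count denials per (profile, operation, comm, peer) to see what repeats.
    return Counter((e.get("profile"), e.get("operation"), e.get("comm"), e.get("peer")) for e in events)

def container_from_cgroup(cgroup_text):
    m = LXC_RE.search(cgroup_text)  # no match for processes outside any container
    return m.group(1) if m else None

def container_for_pid(pid):
    """Look up a live host PID; returns None once the process has exited."""
    try:
        with open(f"/proc/{pid}/cgroup") as fh:
            return container_from_cgroup(fh.read())
    except OSError:
        return None

if __name__ == "__main__":
    for e in parse_denials(SAMPLE):
        print(e["time"].isoformat(), e["pid"], container_for_pid(e["pid"]))
```

Run on the host against `dmesg` or kernel log text, ideally in a loop that follows the log so the lookup happens while the offending process still exists.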
 
