containers.conf: add event_audit_container_create

Add an option to enable container-create events for auditing. The event should include a JSON payload with detailed information about the container. Jira: https://issues.redhat.com/browse/RUN-1702 Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
containers · Nov 23, 2022 · 039d6cf · 039d6cf
1 parent e120413
commit 039d6cf
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 0 deletions.
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -273,6 +273,11 @@ type EngineConfig struct {
 	// EventsLogger determines where events should be logged.
 	EventsLogger string `toml:"events_logger,omitempty"`
 
+	// EventsAuditContainerCreate creates an additional audit event when
+	// creating a container.  The event includes a JSON payload with
+	// detailed information about the container.
+	EventsAuditContainerCreate bool `toml:"events_audit_container_create,omitempty"`
+
 	// graphRoot internal stores the location of the graphroot
 	graphRoot string
 

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -35,6 +35,7 @@ var _ = Describe("Config", func() {
 			gomega.Expect(defaultConfig.Engine.InfraImage).To(gomega.BeEquivalentTo(""))
 			gomega.Expect(defaultConfig.Engine.ImageVolumeMode).To(gomega.BeEquivalentTo("bind"))
 			gomega.Expect(defaultConfig.Engine.SSHConfig).To(gomega.ContainSubstring("/.ssh/config"))
+			gomega.Expect(config.Engine.EventsAuditContainerCreate).To(gomega.BeFalse())
 			path, err := defaultConfig.ImageCopyTmpDir()
 			gomega.Expect(err).To(gomega.BeNil())
 			gomega.Expect(path).To(gomega.BeEquivalentTo("/var/tmp"))
@@ -446,6 +447,7 @@ image_copy_tmp_dir="storage"`
 			gomega.Expect(config.Engine.PlatformToOCIRuntime).To(gomega.Equal(PlatformToOCIRuntimeMap))
 			gomega.Expect(config.Engine.ImageDefaultFormat).To(gomega.Equal("v2s2"))
 			gomega.Expect(config.Engine.EventsLogFilePath).To(gomega.BeEquivalentTo("/tmp/events.log"))
+			gomega.Expect(config.Engine.EventsAuditContainerCreate).To(gomega.BeTrue())
 			path, err := config.ImageCopyTmpDir()
 			gomega.Expect(err).To(gomega.BeNil())
 			gomega.Expect(path).To(gomega.BeEquivalentTo("/tmp/foobar"))

diff --git a/pkg/config/containers.conf b/pkg/config/containers.conf
@@ -409,6 +409,10 @@ default_sysctls = [
 #
 #events_logger = "journald"
 
+# Creates an additional audit event when creating a container.  The event
+# includes a JSON payload with detailed information about the container.
+#events_audit_container_create = true
+
 # A is a list of directories which are used to search for helper binaries.
 #
 #helper_binaries_dir = [

diff --git a/pkg/config/testdata/containers_override.conf b/pkg/config/testdata/containers_override.conf
@@ -11,6 +11,7 @@ image_default_format="v2s2"
 image_copy_tmp_dir="/tmp/foobar"
 events_logfile_path = "/tmp/events.log"
 events_logfile_max_size="500"
+events_audit_container_create = true
 pod_exit_policy="stop"
 
 [engine.platform_to_oci_runtime]