cyber-security-resources/docker-and-k8s-security/docker/audit-docker.md
2023-05-19 13:17:18 -04:00

5.6 KiB

Audit Rules in Docker

In Docker, audit rules are used to monitor and log various activities within the Docker environment. They provide a way to track and record important events related to containers, images, networks, and other Docker components. By setting up audit rules, you can gain visibility into the actions and operations performed within the Docker ecosystem.

Audit rules are typically configured using the Docker daemon's audit log feature, which utilizes the Linux audit framework. The audit framework allows you to define specific conditions or events to be monitored and logged.

Here are some common use cases and benefits of using audit rules in Docker:

  1. Security Monitoring: Audit rules help in detecting and investigating potential security breaches or suspicious activities within the Docker environment. By monitoring specific events such as container creations, image pulls, network connections, or file access, you can identify unauthorized or malicious activities.

  2. Compliance and Governance: Audit rules assist in meeting compliance requirements and maintaining proper governance. They help demonstrate that security policies, access controls, and operational procedures are being followed. Audit logs can be useful for audits, incident response, and forensic investigations.

  3. Troubleshooting and Diagnostics: Audit logs provide valuable insights when troubleshooting issues within the Docker environment. By capturing events related to container start/stop, network connectivity, or resource usage, you can identify problematic areas and diagnose the root cause of problems.

  4. Operational Insights: Audit rules offer visibility into various operational aspects of Docker, such as user actions, changes to configurations, or resource allocations. This information can be leveraged for capacity planning, resource optimization, and overall operational improvements.

When setting up audit rules in Docker, you can define specific events to be logged based on criteria such as user identities, object types (containers, images), operations (create, start, stop), and other attributes. The rules can be configured using the audit.json file, which specifies the events and conditions to monitor.

Make sure to have a balance between the level of detail in audit logging and the impact on system performance and log storage. You should carefully select the events to monitor based on your specific needs and operational requirements.

Example

  1. Enable Audit Logging:

    • Open the Docker daemon configuration file, typically located at /etc/docker/daemon.json.
    • Add the following configuration to enable audit logging:
      {
        "log-driver": "json-file",
        "log-opts": {
          "max-size": "10m",
          "max-file": "3",
          "labels": "audit=true"
        }
      }
      
    • Save the configuration file and restart the Docker daemon to apply the changes.
  2. Define Audit Rules:

    • Create an audit rules file, such as audit.rules, to specify the events and conditions to monitor.
    • Open the file and define the rules using the audit rule syntax. For example:
      -w /usr/bin/docker -p wa
      -w /var/lib/docker -k docker
      
      In this example, the first rule monitors the Docker binary file (/usr/bin/docker) for any write or attribute changes. The second rule monitors the Docker data directory (/var/lib/docker) and associates the events with a specific audit key (docker).
    • Save the audit rules file.
  3. Load Audit Rules:

    • Load the audit rules into the kernel by running the following command:
      sudo auditctl -R /path/to/audit.rules
      
  4. Monitor Audit Logs:

    • To view the Docker audit logs, you can use the auditd tool or other log monitoring utilities. For example, to monitor in real-time, run:
      sudo tail -f /var/log/audit/audit.log | grep docker
      
    • This command will display the audit log entries related to Docker, filtered using grep in this example.

By following these steps, you can enable audit logging in Docker, define custom audit rules, load them into the kernel, and monitor the audit logs for Docker-related events.

The audit log format may vary depending on the configuration and audit rule syntax. You may need to adjust the log monitoring approach based on your specific environment and log configuration.

Additional References

Remember to consult the Docker documentation and audit framework documentation for more details on configuring and managing audit logging in Docker.

  1. Docker Documentation:

    • Docker Documentation: The official documentation for Docker, providing comprehensive guides, tutorials, and references for various Docker features and functionalities.
  2. Audit Framework Documentation:

    • Linux Audit Documentation: The official documentation for the Linux Audit Framework, which provides detailed information about configuring and using the audit system in Linux.

    • auditd Man Page: The manual page for the auditd daemon, which provides an overview of its configuration options and usage.

    • auditctl Man Page: The manual page for the auditctl command, which is used to configure audit rules and manage the kernel's audit subsystem.

These resources will provide you with detailed information, guides, and references for Docker and the Linux Audit Framework. They cover various aspects, including Docker features, configuration, security, and auditing.