Securing Your Docker Environment with Auditd: A Step-by-Step Guide
Securing your Docker environment is crucial for keeping your applications and data safe. Docker provides several built-in security features, but you can also use Linux's auditd to monitor Docker and detect any suspicious activity. In this blog post, we'll show you how to set up auditd to monitor Docker and provide an example of audit rules for Docker.
What is auditd?
auditd is a Linux daemon that monitors and records security-relevant system events. A set of rules determines which events are monitored and recorded; these rules are defined in the audit.rules file, located in /etc/audit/.
Why monitor Docker with auditd?
Docker is a complex system with many components, and it can be challenging to secure properly. auditd can help you monitor Docker and detect suspicious activity, such as unauthorized access, image or container changes, or network activity. By monitoring Docker with auditd, you can:
- Identify and troubleshoot security issues
- Detect unauthorized access or activity
- Monitor configuration changes
- Monitor container and image activity
Setting up auditd for Docker
To set up auditd for Docker, create a new set of audit rules in /etc/audit/audit.rules or append them to the end of the existing file. You can create rules that watch Docker's binary files, data directory, configuration directory, systemd unit files, default configuration file, daemon configuration file, containerd binary file, and runc binary file; adjust the paths to match where your distribution installs these files.
Here’s an example of an audit ruleset for Docker:
# Monitor Docker binary files
-w /usr/bin/docker -p rwxa -k docker
# Monitor Docker data directory
-w /var/lib/docker -p rwxa -k docker
# Monitor Docker configuration directory
-w /etc/docker -p rwxa -k docker
# Monitor Docker systemd unit files
-w /lib/systemd/system/docker.service -p rwxa -k docker
-w /lib/systemd/system/docker.socket -p rwxa -k docker
# Monitor Docker default configuration file
-w /etc/default/docker -p rwxa -k docker
# Monitor Docker daemon configuration file
-w /etc/docker/daemon.json -p rwxa -k docker
# Monitor Docker containerd binary file
-w /usr/bin/docker-containerd -p rwxa -k docker
# Monitor Docker runc binary file
-w /usr/bin/docker-runc -p rwxa -k docker
In this example, we’re monitoring Docker’s binary files, data directory, configuration directory, systemd unit files, default configuration file, daemon configuration file, containerd binary file, and runc binary file for any access, write, execute, or attribute changes. The audit logs will be associated with the key ‘docker’.
After adding the rules, restart the auditd service to apply the changes:
sudo systemctl restart auditd
Now auditd is configured to monitor Docker and will log any events that match the rules.
Viewing audit logs
To view the audit logs, use the ausearch command. Here are some examples:
- View all audit logs for Docker:
sudo ausearch -k docker
- View audit logs for a specific file:
sudo ausearch -f /usr/bin/docker -i
- View audit logs for a specific user:
sudo ausearch -ua root
You can also combine ausearch with other filters to search for specific events or time ranges.
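As an added example (not code from the original post), here is a small Python triage script for the records the rules above produce. Because the -p rwxa watches also log every read of the Docker binaries and data directory, the script joins each SYSCALL record with its PATH records, decodes the open/openat flags to separate reads from writes, and reports writes made by anything other than the Docker daemon. The log lines are constructed samples, the trusted daemon path /usr/bin/dockerd is an assumption, and the syscall decoding assumes x86_64 (arch=c000003e).

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from a real host): dockerd writing container
# state, an editor rewriting daemon.json, and an unprivileged user reading the docker binary.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5600 a2=80241 a3=1b6 items=2 ppid=1 pid=901 auid=4294967295 uid=0 gid=0 euid=0 comm="dockerd" exe="/usr/bin/dockerd" key="docker"
type=PATH msg=audit(1700000000.101:501): item=1 name="/var/lib/docker/containers/0123abcd/config.v2.json" inode=1 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=5600 a2=241 a3=1b6 items=2 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim.basic" key="docker"
type=PATH msg=audit(1700000000.202:502): item=0 name="/etc/docker/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.202:502): item=1 name="/etc/docker/daemon.json" inode=3 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=5600 a2=80000 a3=0 items=1 ppid=1 pid=3000 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="docker"
type=PATH msg=audit(1700000000.303:503): item=0 name="/usr/bin/docker" inode=4 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')   # event serial ties records together
X86_64 = "c000003e"                        # only x86_64 syscall numbers are decoded (assumption)
OPEN_FLAGS_ARG = {"2": "a1", "257": "a2"}  # open() keeps flags in a1, openat() in a2
WRITE_INTENT = 0x1 | 0x2 | 0x40 | 0x200    # O_WRONLY | O_RDWR | O_CREAT | O_TRUNC

def group_events(log_text):
    """Join each SYSCALL record with the PATH records sharing its event serial."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        if fields.get("type") == "SYSCALL":
            events[serial.group(1)]["syscall"] = fields
        elif fields.get("type") == "PATH":
            events[serial.group(1)]["paths"].append(fields)
    return events

def is_write(syscall):
    """True when an x86_64 open/openat carried write intent (flags are logged as bare hex)."""
    arg = OPEN_FLAGS_ARG.get(syscall.get("syscall"))
    if syscall.get("arch") != X86_64 or arg is None:
        return False
    return bool(int(syscall[arg], 16) & WRITE_INTENT)

def suspicious_writes(log_text, trusted_exes=("/usr/bin/dockerd",)):
    """Write events under key 'docker' whose process is not a trusted daemon binary."""
    findings = []
    for serial, ev in sorted(group_events(log_text).items()):
        sc = ev["syscall"]
        if sc is None or sc.get("key") != "docker" or not is_write(sc) or sc.get("exe") in trusted_exes:
            continue
        # PARENT entries are the containing directory, not the file that was opened.
        targets = [p["name"] for p in ev["paths"] if p.get("nametype") != "PARENT"]
        findings.append({"serial": serial, "auid": sc.get("auid"), "exe": sc.get("exe"), "paths": targets})
    return findings
```

On the sample, only the editor's rewrite of /etc/docker/daemon.json (event 502, login uid 1000) is reported; the daemon's own write and the plain read of the docker binary are filtered out.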
Conclusion
Monitoring Docker with auditd is an important step in securing your Docker environment. By setting up audit rules for Docker, you can monitor access to Docker’s binary files, data directory, configuration directory, systemd unit files, default configuration file, daemon configuration file, containerd binary file, and runc binary file, and detect any suspicious activity.
Remember that auditd is just one tool in your security toolbox. It's important to use a combination of security measures, such as strong passwords, network segmentation, and regular software updates, to protect your Docker environment.