« Previous 1 2 3 4
Auditing Docker Containers in a DevOps Environment
Docker Audit
If You Strike Me Down Now
A plethora of auditd options are available, and I’ve only looked at catching one binary so far; however, the sheer number of other rules (watch rules, control rules, and syscall rules) are a little mind-blowing. Ultimately, this is what makes auditd so powerful: its ability to capture anything and everything going on within your systems. The following are samples from the bottom of the auditctl man page (note the -a for the syscall rules)
To watch a file for changes (two ways):
auditctl -w /etc/shadow -p wa auditctl -a always,exit -F path=/etc/shadow -F perm=wa
To watch a directory recursively for changes (two ways):
auditctl -w /etc/ -p wa auditctl -a always,exit -F dir=/etc/ -F perm=wa
To see if an admin is accessing other users’ files:
auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid
I’d suggest using your favorite online hunter-gatherer engine for more information and example rules.
If you’re interested in threat modeling, then the powerful auditd also provides a tool called autrace , which you can point at specific binaries and glean a whole host (pun intended) of useful logging data. A simple example command is:
$ autrace /bin/ls
Again, the manual offers much more detail, so look there if you’re interested.
This Is the End
As you can tell, I have barely scratched the surface of the venerable auditd package. You can switch on user and group changes (e.g., the creation of new users or their group membership), and you can catch filesystem access from a particular application, yet ignore other events entirely.
With some forethought, a pinch of trial and error, and a teaspoon of patience, you can help mitigate the immediate confusion of how an attacker has breached a system if such an incident ever occurs. If you have set up the package correctly and monitored the affected system events, then auditd will be a true lifesaver in such a scenario: I expect my containers to benefit dramatically as a result.
Chris Binnie’s latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also talks you through making your servers invisible, performing penetration testing, and mitigating unwelcome attacks. You can find out more about DevOps, DevSecOps, c ontainers , and Linux security on his website at http://www.containersecurity.net .
Special Thanks: This article was made possible by support from Linux Professional Institute
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Investigating container security with auditd
The handy auditd package can help track down weaknesses in your system before, during, or after an attack. -
Monitoring events with the Audit daemon
Use this powerful audit framework to log events on your Linux system. -
Managing containers with Podman
The Podman container management tool does not use a daemon in the background, like its counterpart Docker, and can operate in non-privileged mode. -
Linux nftables packet filter
The latest nftables packet filter implementation, now available in the Linux kernel, promises better performance and simpler syntax and operation.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
