Auditing Docker Containers in a DevOps Environment

Docker Audit

If You Strike Me Down Now

A plethora of auditd options are available, and I’ve only looked at catching one binary so far; however, the sheer number of other rules (watch rules, control rules, and syscall rules) are a little mind-blowing. Ultimately, this is what makes auditd so powerful: its ability to capture anything and everything going on within your systems. The following are samples from the bottom of the auditctl man page (note the -a for the syscall rules)

To watch a file for changes (two ways):

   auditctl -w /etc/shadow -p wa
   auditctl -a always,exit -F path=/etc/shadow -F perm=wa

To watch a directory recursively for changes (two ways):

auditctl -w /etc/ -p wa
   auditctl -a always,exit -F dir=/etc/ -F perm=wa

To see if an admin is accessing other users’ files:

   auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid

I’d suggest using your favorite online hunter-gatherer engine for more information and example rules.

If you’re interested in threat modeling, then the powerful auditd also provides a tool called autrace , which you can point at specific binaries and glean a whole host (pun intended) of useful logging data. A simple example command is:

$ autrace /bin/ls

Again, the manual offers much more detail, so look there if you’re interested.

This Is the End

As you can tell, I have barely scratched the surface of the venerable auditd package. You can switch on user and group changes (e.g., the creation of new users or their group membership), and you can catch filesystem access from a particular application, yet ignore other events entirely.

With some forethought, a pinch of trial and error, and a teaspoon of patience, you can help mitigate the immediate confusion of how an attacker has breached a system if such an incident ever occurs. If you have set up the package correctly and monitored the affected system events, then auditd will be a true lifesaver in such a scenario: I expect my containers to benefit dramatically as a result.

Chris Binnie’s latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also talks you through making your servers invisible, performing penetration testing, and mitigating unwelcome attacks. You can find out more about DevOps, DevSecOps, c ontainers ,  and Linux security on his website  at  http://www.containersecurity.net .

Special Thanks: This article was made possible by support from Linux Professional Institute

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs



Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.