Profile Applicability:

  • Level 1 

Description:

Auditing Docker daemon activities is essential because the daemon runs with root privileges. This control adds a Linux audit (auditd) watch on the daemon binary, /usr/bin/dockerd, so that reads, writes, attribute changes and executions of the daemon are recorded alongside any other host auditing already in place, allowing suspicious activity to be detected and investigated.

Rationale:

The Docker daemon operates with root privileges and controls critical aspects of containerized environments. Auditing its operations allows organizations to detect and respond to potential security incidents that could arise from misuse or exploitation of the Docker daemon.

Impact:

Pros:

  • Provides visibility into Docker daemon activities, improving security and incident detection.

  • Helps in forensic investigations by retaining detailed logs of daemon activities.

Cons:

  • Auditing can generate large log files, which may require regular management (rotation, archiving).

  • A separate partition for audit logs might be necessary to avoid filling up other critical partitions.

Default Value:

  • By default, Docker daemon activities are not audited.

Pre-requisites:

  • Access to the Docker host system with administrative privileges.

  • Knowledge of configuring audit rules on the system.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker (for example via EC2 Instance Connect or Session Manager).
  2. Verify that an audit watch exists for the Docker daemon binary (auditctl needs root):
    sudo auditctl -l | grep /usr/bin/dockerd
     The expected output is a line such as -w /usr/bin/dockerd -p rwxa -k docker (the kernel reports the default permission set rwxa even when the rule was written without -p). No output means the daemon is not audited. If dockerd is installed somewhere else on this distribution, confirm the path with readlink -f "$(command -v dockerd)" and grep for that path instead.

Using AWS CLI:

  1. From a workstation with the AWS CLI and permission to use Systems Manager Run Command, run the check on the instance (Run Command executes as root, so sudo is not needed):
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters '{"commands":["auditctl -l | grep /usr/bin/dockerd"]}'
  2. Once the command has finished, retrieve its output using the CommandId returned by the previous step:
    aws ssm get-command-invocation --command-id <command-id> --instance-id <instance-id>
     A StandardOutputContent value containing the dockerd watch rule passes; empty output (grep exits 1, so the invocation status is Failed) means no rule is present.


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for the Docker daemon binary by appending the following line to the /etc/audit/rules.d/audit.rules file (adjust the path if dockerd is installed elsewhere on this distribution):
    -w /usr/bin/dockerd -k docker
  3. Restart the audit daemon to apply the changes:
    sudo systemctl restart auditd
     On RHEL-family systems the auditd unit sets RefuseManualStop, so systemctl restart auditd fails; use sudo service auditd restart or sudo augenrules --load there instead.

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and reload the audit daemon (Run Command executes as root, so sudo is not required; service auditd restart is used because systemctl restart auditd is refused on RHEL-family hosts). The parameters are passed as JSON so that the quotes inside the shell command survive:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters '{"commands":["echo \"-w /usr/bin/dockerd -k docker\" >> /etc/audit/rules.d/audit.rules","service auditd restart"]}'
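
The test and implementation steps above, combined into one idempotent script as an added example; this is not text from the original benchmark page and not Docker's or AWS's own tooling. It assumes the rules file and audit key used on this page (/etc/audit/rules.d/audit.rules, key docker), resolves the real dockerd path instead of hard-coding /usr/bin/dockerd, appends the rule only if it is not already present, reloads rules in a way that also works on RHEL-family hosts, and then verifies the watch is loaded. The auditctl output embedded in the block is constructed, not captured from a host, so the parsing logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent check and remediation for a
# Docker daemon audit watch. Each step is a function so the logic can be exercised
# without root; only main() touches the live host. RULES_FILE and AUDIT_KEY are
# assumptions that match the page; adjust them for your distribution.
set -eu

RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"
AUDIT_KEY="docker"

# Resolve the real dockerd binary. The page assumes /usr/bin/dockerd, but a watch on the
# wrong path silently audits nothing, so derive it from PATH and follow symlinks.
dockerd_path() {
  p="$(command -v dockerd 2>/dev/null || echo /usr/bin/dockerd)"
  readlink -f "$p"
}

# Render the watch rule for a binary path, exactly as it should appear in rules.d.
dockerd_rule() {
  printf '%s %s -k %s\n' -w "$1" "$AUDIT_KEY"
}

# Read `auditctl -l` output on stdin; succeed if a watch on the path with our key is loaded.
# auditctl -l normalises "-w X -k K" to "-w X -p rwxa -k K", so the permission field is
# optional here. The path is interpolated into an ERE, so it must not contain regex metacharacters.
has_dockerd_watch() {
  grep -Eq "^-w $1 (-p [rwxa]+ )?-k ${AUDIT_KEY}\$"
}

# Append the rule to the rules file only if that exact line is not already there, so
# re-running the remediation (or a config-management run) never duplicates it.
ensure_rule_in_file() {
  rule="$(dockerd_rule "$1")"
  grep -qxF -- "$rule" "$2" 2>/dev/null || printf '%s\n' "$rule" >> "$2"
}

# Load rules. Prefer augenrules (merges rules.d and loads the result); RHEL-family auditd
# sets RefuseManualStop, so "systemctl restart auditd" fails there and service(8) is the fallback.
reload_auditd() {
  if command -v augenrules >/dev/null 2>&1; then
    augenrules --load
  else
    service auditd restart
  fi
}

# Constructed sample of `auditctl -l` output (not captured from a real host), used to
# exercise has_dockerd_watch offline. Note the kernel reports the watch with -p rwxa.
SAMPLE_AUDITCTL_OUTPUT='-w /etc/docker -p rwxa -k docker
-w /usr/bin/dockerd -p rwxa -k docker'

# Run the check over the constructed sample; prints PASS or FAIL for the given path.
check_sample() {
  if printf '%s\n' "$SAMPLE_AUDITCTL_OUTPUT" | has_dockerd_watch "$1"; then
    echo PASS
  else
    echo FAIL
  fi
}

# Remediate the live host and verify: requires root and a running auditd.
main() {
  path="$(dockerd_path)"
  ensure_rule_in_file "$path" "$RULES_FILE"
  reload_auditd
  if auditctl -l | has_dockerd_watch "$path"; then
    echo "PASS: audit watch loaded for $path"
  else
    echo "FAIL: no audit watch for $path" >&2
    exit 1
  fi
}

# Run as root with --apply to remediate a host; without it, the file only defines functions.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Running the script with --apply as root performs the remediation and exits non-zero if the watch is still missing afterwards, which makes it usable from SSM Run Command or a configuration-management run without special casing for hosts that already comply.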


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
    -w /usr/bin/dockerd -k docker
  3. Restart the audit daemon to apply the changes:
    sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and reload the audit daemon. The sed address uses | as its delimiter so the slashes in the path need no escaping, and the parameters are passed as JSON so the quoting survives the shell and the CLI:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance-id>" --parameters '{"commands":["sed -i \"\\|^-w /usr/bin/dockerd -k docker|d\" /etc/audit/rules.d/audit.rules","service auditd restart"]}'


References: