Profile Applicability:
Level 1
Description:
The /run/containerd directory holds all the information related to containers managed by containerd. It is important to audit this directory to track any potential malicious actions or unauthorized access to the data.
Rationale:
The Docker daemon operates with root privileges, and its behavior depends on several key files and directories. The /run/containerd directory is crucial because it holds information about running containers. Auditing this directory makes unauthorized access or changes to it detectable early, while the audit trail is still fresh.
Impact:
Pros:
Auditing the /run/containerd directory enhances security by providing visibility into potential malicious activity or unauthorized changes.
Supports forensic analysis in the event of a security breach.
Cons:
Auditing generates large log files, which may require periodic log rotation and archiving to avoid consuming storage space.
May require additional configuration to prevent the audit logs from filling up critical partitions.
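The value of the audit rule comes from reviewing the records it produces. The script below is an added example, not part of the CIS Docker Benchmark: it reduces raw audit records carrying the "docker" key to one line per event (serial, login uid, program, outcome, path) so an analyst can see who touched /run/containerd and whether the access succeeded. SAMPLE_LOG is a constructed excerpt in audit.log format; on a real host the input would be `ausearch -k docker --raw` or /var/log/audit/audit.log. The field names (auid, exe, success, name) are the standard ones auditd writes; the uids, paths and serials in the sample are made up.

```shell
#!/bin/sh
# Added example, not part of the CIS Docker Benchmark text: summarise audit
# records tagged with the "docker" key. SAMPLE_LOG is a constructed excerpt in
# audit.log format; on a real host pipe in `ausearch -k docker --raw` or
# /var/log/audit/audit.log instead.

SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=2 a3=0 items=1 ppid=1 pid=2001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" key="docker"
type=PATH msg=audit(1700000000.101:501): item=0 name="/run/containerd/containerd.sock" inode=1234 dev=00:19 mode=0140660 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2 a2=0 a3=0 items=1 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="docker"
type=PATH msg=audit(1700000000.202:502): item=0 name="/run/containerd/io.containerd.runtime.v2.task/moby/abc123/config.json" inode=5678 dev=00:19 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd3 a2=1 a3=0 items=1 ppid=3000 pid=3002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="sh" exe="/usr/bin/dash" key="docker"
type=PATH msg=audit(1700000000.303:503): item=0 name="/run/containerd/containerd.sock" inode=1234 dev=00:19 mode=0140660 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL'

# summarise_docker_events: join each SYSCALL record with the first PATH record
# of the same event (same audit(<timestamp>:<serial>) id, read from stdin) and
# print one line per event, sorted by serial.
summarise_docker_events() {
    awk '
    # field(rec, key): value of key=... in an audit record, quoted or bare
    function field(rec, key) {
        if (match(rec, key "=\"[^\"]*\""))
            return substr(rec, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        if (match(rec, key "=[^ ]*"))
            return substr(rec, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    {
        # every record names its event as msg=audit(<timestamp>:<serial>)
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        split(substr($0, RSTART + 6, RLENGTH - 7), id, ":")
        serial = id[2]
        if ($1 == "type=SYSCALL") {
            auid[serial] = field($0, "auid")
            exe[serial] = field($0, "exe")
            ok[serial] = field($0, "success")
        } else if ($1 == "type=PATH" && field($0, "item") == "0") {
            name[serial] = field($0, "name")
        }
    }
    END {
        for (s in auid)
            printf "%s auid=%s exe=%s success=%s name=%s\n", s, auid[s], exe[s], ok[s], name[s]
    }' | sort -n
}

# nonroot_event_count: number of events whose login uid is neither root (0) nor
# unset (4294967295, i.e. services started at boot such as dockerd itself).
# These are the interactive accesses that usually deserve a closer look.
nonroot_event_count() {
    summarise_docker_events | awk '$2 != "auid=0" && $2 != "auid=4294967295" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_LOG" | summarise_docker_events
echo "non-root events: $(printf '%s\n' "$SAMPLE_LOG" | nonroot_event_count)"
```

On the sample this yields three events: dockerd (auid unset) opening the socket, uid 1000 reading a task config.json, and a failed (success=no) attempt by uid 1000 to open the socket. The failed attempt is exactly the kind of record that is invisible without the rule, since the access itself never happened.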
Default Value:
By default, Docker-related files and directories are not audited.
Pre-requisites:
Access to the Docker host system with administrative privileges.
Understanding of the audit rule configuration and system calls for auditd.
Remediation:
Test Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker.
- Execute the following command to verify if there is an audit rule for the /run/containerd directory:
auditctl -l | grep /run/containerd
Using AWS CLI:
- Connect to the EC2 instance where Docker is running.
- Run the following command to check if there are any audit rules configured for the /run/containerd directory:
auditctl -l | grep /run/containerd
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Add an audit rule for the /run/containerd directory by editing the /etc/audit/rules.d/audit.rules file:
-a exit,always -F path=/run/containerd -F perm=war -k docker
- Restart the audit daemon to apply the changes:
sudo systemctl restart auditd
Using AWS CLI:
- Use SSM to remotely add the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"-a exit,always -F path=/run/containerd -F perm=war -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'
Backout Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
-a exit,always -F path=/run/containerd -F perm=war -k docker
- Restart the audit daemon to apply the changes:
sudo systemctl restart auditd
Using AWS CLI:
- Use SSM to remotely remove the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"/-a exit,always -F path=\\/run\\/containerd -F perm=war -k docker/d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'
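The Test Plan, Implementation Plan and Backout Plan above are one-liners that work once but are not safe to repeat: appending with `echo >>` on every SSM run leaves duplicate rule lines, and `grep /run/containerd` also matches unrelated sibling paths. The script below is an added example, not part of the CIS Docker Benchmark or the AWS documentation, that does the same three steps idempotently. With `--apply` (run as root) it edits the real rules file, loads the merged rule set with `augenrules --load` and verifies that the kernel reports the rule; `augenrules --load` is used rather than `systemctl restart auditd` because RHEL-family hosts set RefuseManualStop on auditd.service and reject the restart (`service auditd restart` is the alternative there). Without arguments it only exercises the file handling on a temporary copy, so it runs on any machine. RULES_FILE, the `--apply` flag and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CIS Docker Benchmark): check for, add and remove
# the /run/containerd audit rule idempotently. With --apply it edits the real
# rules file and loads it (root needed); without arguments it demonstrates the
# file handling on a temporary, constructed rules file.

RULE='-a exit,always -F path=/run/containerd -F perm=war -k docker'
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"   # override for testing

# rule_loaded: exit 0 if `auditctl -l` output (on stdin) has a rule covering
# /run/containerd. auditctl prints path rules as "-a always,exit -F path=..."
# and watches as "-w /run/containerd -p ...", so accept both spellings, but not
# sibling paths such as /run/containerd.bak.
rule_loaded() {
    grep -Eq -- '(-F path=|-w )/run/containerd( |$)'
}

# rule_in_file: exit 0 if the persistent rules file already holds this exact rule.
rule_in_file() {
    grep -qxF -- "$RULE" "$1"
}

# ensure_rule: append the rule only when it is absent, so reruns are harmless.
ensure_rule() {
    if rule_in_file "$1"; then
        echo "already present: $1"
    else
        printf '%s\n' "$RULE" >> "$1"
        echo "appended to: $1"
    fi
}

# remove_rule (backout): drop the exact rule line, leaving all other rules intact.
remove_rule() {
    tmp="$1.tmp.$$"
    # grep -v exits 1 when no lines remain; that is not an error here
    grep -vxF -- "$RULE" "$1" > "$tmp" || true
    mv "$tmp" "$1"
}

if [ "${1:-}" = "--apply" ]; then
    ensure_rule "$RULES_FILE"
    augenrules --load          # merge /etc/audit/rules.d/*.rules and load into the kernel
    if auditctl -l | rule_loaded; then
        echo "rule active"
    else
        echo "rule NOT active" >&2
        exit 1
    fi
else
    demo=$(mktemp)             # constructed stand-in for the real rules file
    printf '%s\n' '-w /etc/docker -p wa -k docker' > "$demo"
    ensure_rule "$demo"
    ensure_rule "$demo"        # second call must not add a duplicate
    echo "lines now: $(wc -l < "$demo" | tr -d ' ')"            # 2
    remove_rule "$demo"
    echo "lines after backout: $(wc -l < "$demo" | tr -d ' ')"  # 1
    rm -f "$demo"
fi
```

For the SSM path, ship this script with `AWS-RunShellScript` and call it with `--apply`; the exit status then tells the operator whether the rule is actually active in the kernel, not merely written to the file.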
References:
CIS Docker Benchmark v1.7