Profile Applicability:

  • Level 1 

Description:

The /var/lib/docker directory is the Docker daemon's data root: it holds image layers, the writable layers of running containers, volumes, and the daemon's metadata. Auditing this directory is crucial for detecting unauthorized access to, or changes of, critical Docker data.

Rationale:

Because the Docker daemon runs with root privileges, it is important to audit directories like /var/lib/docker, which contain sensitive container data. Auditing ensures that unauthorized access, changes, or deletions are recorded, allowing for timely response and investigation.

Impact:

Pros:

  • Provides visibility into Docker data management and helps detect unauthorized actions or changes.

  • Improves security by enabling detailed tracking of Docker-related activities.

Cons:

  • Auditing may generate large log files that require regular rotation and storage management, particularly if the whole tree is watched, since image and container layers live under this path.

  • A separate partition may be necessary to store audit logs without affecting critical system partitions.

Default Value:

By default, Docker-related files and directories, including /var/lib/docker, are not audited.

Pre-requisites:

  • Administrative access to the host system.

  • Basic knowledge of audit configuration and auditd tools.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker (for example via EC2 Instance Connect or Session Manager).
  2. Run the following command to check whether a rule for the /var/lib/docker directory is loaded in the kernel. It should print the configured rule; no output means no rule is loaded:
auditctl -l | grep /var/lib/docker
  3. Confirm that the rule is also persisted on disk so it survives a reboot:
grep /var/lib/docker /etc/audit/rules.d/*.rules /etc/audit/audit.rules

Using AWS CLI:

  1. Run the check remotely through Systems Manager (the instance needs the SSM agent and an instance role that allows it):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["auditctl -l | grep /var/lib/docker"]}'
  2. Read the result using the command ID returned by the previous call; an empty StandardOutputContent means no rule for /var/lib/docker is loaded:
aws ssm get-command-invocation --command-id command_id --instance-id instance_id


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for the /var/lib/docker directory by appending the following line to the /etc/audit/rules.d/audit.rules file:
-a exit,always -F path=/var/lib/docker -F perm=war -k docker
     Note that -F path= watches only the /var/lib/docker directory object itself. To also record reads, writes and attribute changes on the files beneath it, where image and container layers are stored, use -F dir=/var/lib/docker or the shorthand -w /var/lib/docker -k docker, which auditctl turns into a recursive directory watch.
  3. Load the new rule into the running audit daemon:
augenrules --load
     augenrules merges the files under /etc/audit/rules.d/ into /etc/audit/audit.rules and loads them. On distributions whose auditd unit refuses manual restarts (systemctl restart auditd reports that the unit may be requested by dependency only), use augenrules --load or service auditd restart; where the unit allows it, sudo systemctl restart auditd also applies the change.

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and load it. The parameters are passed as a JSON document so the inner quotes survive the shell, and the rule is only appended if it is not already present:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["grep -qF -- \"path=/var/lib/docker\" /etc/audit/rules.d/audit.rules || echo \"-a exit,always -F path=/var/lib/docker -F perm=war -k docker\" >> /etc/audit/rules.d/audit.rules","augenrules --load"]}'


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
-a exit,always -F path=/var/lib/docker -F perm=war -k docker

  3. Reload the rules so the watch is dropped from the running daemon. Re-reading the file does not unload a rule that is already in the kernel, so clear the loaded rules first and then load the remaining ones (if the audit configuration has been made immutable with -e 2, this requires a reboot):
auditctl -D && augenrules --load

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and reload the rules. The sed address uses # as its delimiter so the slashes in the path need no escaping:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"\\#-F path=/var/lib/docker -F perm=war -k docker#d\" /etc/audit/rules.d/audit.rules","auditctl -D && augenrules --load"]}'

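The Test, Implementation and Backout plans above, combined into one script that can be run on the host or shipped through AWS-RunShellScript. This is an added example written for this page, not code from the benchmark or from Docker: the function names, the RULES_FILE override, and the choice of augenrules --load with a service(8) fallback are this editor's assumptions, and the auditctl -l sample is constructed rather than captured from a real host. The rule itself is the one given in the Implementation Plan.

```shell
#!/bin/sh
# Added example for this recommendation (not code from the benchmark or from
# Docker): idempotent management of the /var/lib/docker audit rule in an
# auditd rules.d file, plus a checker for `auditctl -l` output.
# Assumptions (editor's choices, not from the page): the rules file path can be
# overridden with RULES_FILE; augenrules(8) is used to load rules when present.

DOCKER_DIR="/var/lib/docker"
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# The rule from this page. auditctl accepts "exit,always" and "always,exit"
# interchangeably. -F path= covers only the directory object itself; -F dir=
# (or "-w /var/lib/docker -k docker") would cover the whole tree.
DOCKER_AUDIT_RULE="-a exit,always -F path=${DOCKER_DIR} -F perm=war -k docker"

# audit_rules_cover_docker: read `auditctl -l` (or a rules file) on stdin and
# succeed if any line watches /var/lib/docker in one of the three spellings.
# The trailing "( |$)" stops paths such as /var/lib/dockerd from matching.
audit_rules_cover_docker() {
    grep -Eq -- "(-w |-F (path|dir)=)${DOCKER_DIR}( |$)"
}

# ensure_docker_rule [FILE]: append the rule unless the exact line is present,
# so running the remediation twice does not duplicate it.
ensure_docker_rule() {
    f="${1:-$RULES_FILE}"
    if [ -f "$f" ] && grep -Fxq -- "$DOCKER_AUDIT_RULE" "$f"; then
        return 0
    fi
    printf '%s\n' "$DOCKER_AUDIT_RULE" >> "$f"
}

# remove_docker_rule [FILE]: drop the rule line (Backout Plan), rewriting the
# file in place so it keeps its owner and mode (cat > file rather than mv).
remove_docker_rule() {
    f="${1:-$RULES_FILE}"
    [ -f "$f" ] || return 0
    t="$(mktemp)"
    grep -Fxv -- "$DOCKER_AUDIT_RULE" "$f" > "$t" || true   # grep exits 1 when nothing is left
    cat "$t" > "$f"
    rm -f "$t"
}

# docker_rule_count [FILE]: how many copies of the rule the file holds.
docker_rule_count() {
    f="${1:-$RULES_FILE}"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -Fxc -- "$DOCKER_AUDIT_RULE" "$f" || true   # prints 0 (and exits 1) when absent
}

# load_audit_rules: merge rules.d/*.rules and load them into the kernel.
# Some distributions ship an auditd unit that refuses "systemctl restart", so
# prefer augenrules --load and fall back to the service script. Requires root.
load_audit_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    else
        service auditd restart
    fi
}

# verify_docker_audit_rule: the Test Plan check, against the live kernel rules.
verify_docker_audit_rule() {
    auditctl -l | audit_rules_cover_docker
}

# Constructed sample of `auditctl -l` output (not captured from a real host).
SAMPLE_AUDITCTL_OUTPUT='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -F key=exec
-a always,exit -S all -F path=/var/lib/docker -F perm=war -F key=docker'

# Usage as root on the Docker host:
#   ensure_docker_rule && load_audit_rules && verify_docker_audit_rule
# Backout:
#   remove_docker_rule && auditctl -D && load_audit_rules
```

The matcher accepts the -F path=, -F dir= and -w spellings on purpose: auditctl -l lists a rule in its normalized form, which may differ from the line written to rules.d, and a host hardened with the recursive -w form should still pass the check.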

References: