Profile Applicability:

  • Level 1

Description:

The /etc/docker directory contains critical configuration files, including certificates and keys used for TLS communication between the Docker daemon and client. Auditing this directory ensures that any unauthorized access or changes to these sensitive files can be detected.

Rationale:

Since the Docker daemon runs with root privileges, it is important to audit key files, such as those in /etc/docker, to ensure the security of the system. These files are integral to Docker's operation, and unauthorized changes could lead to security vulnerabilities.

Impact:

Pros:

  • Auditing provides visibility into changes made to the configuration and key files, enabling early detection of potential malicious activity.

  • Enhances system security by providing accountability for access to sensitive files.

Cons:

  • Auditing can generate large log files, so proper log management (rotation and archiving) is required to avoid consuming critical storage.

  • A separate partition for storing audit logs may be necessary to prevent filling up important system partitions.

Default Value:

By default, Docker-related files and directories, including /etc/docker, are not audited.

Pre-requisites:

  • Administrative access to the Docker host.

  • Basic knowledge of auditd and how to configure audit rules.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.
  2. Execute the following command to check if an audit rule is applied to the /etc/docker directory:
    auditctl -l | grep /etc/docker

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to verify if an audit rule exists for the /etc/docker directory:
    auditctl -l | grep /etc/docker

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add the audit rule for the /etc/docker directory by editing the /etc/audit/rules.d/audit.rules file:
    -w /etc/docker -k docker
  3. Restart the audit daemon to apply the changes:
    sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and restart the audit daemon:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"-w /etc/docker -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
    -w /etc/docker -k docker
  3. Restart the audit daemon to apply the changes:
    sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and restart the audit daemon:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"/-w \\/etc\\/docker -k docker/d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'

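The following shell helpers are an added example, not part of the benchmark text, covering the Test Plan check and the Implementation and Backout steps above. They take the rules file path as an argument (assumed to be /etc/audit/rules.d/audit.rules on a real host) so they can be exercised on a scratch file, and they add the rule only when it is missing, which the plain `echo >>` in the Implementation Plan does not guard against.

```shell
#!/bin/sh
# Added example (not from the benchmark): idempotent helpers for the
# "-w /etc/docker -k docker" rule. Function names and the argument
# convention are this example's own choices.

RULE='-w /etc/docker -k docker'
# Matches a watch on exactly /etc/docker, whether written as in the rules
# file ("-w /etc/docker -k docker") or as `auditctl -l` prints it once
# loaded ("-w /etc/docker -p rwxa -k docker"); does not match /etc/dockerd.
RULE_RE='^-w[[:space:]]+/etc/docker([[:space:]]|$)'

# Persistent rule present in the given rules file?  $1 = path to audit.rules
rule_present() {
  [ -f "$1" ] && grep -qE "$RULE_RE" "$1"
}

# Append the rule only when it is missing, so repeated runs stay clean.
add_rule() {
  rule_present "$1" || printf '%s\n' "$RULE" >> "$1"
}

# Remove the rule line(s); written without sed -i, whose flags differ
# across platforms. An empty grep -v result is still a valid new file.
remove_rule() {
  [ -f "$1" ] || return 0
  { grep -vE "$RULE_RE" "$1" || :; } > "$1.tmp" && mv "$1.tmp" "$1"
}

# Loaded-rule check: reads the output of `auditctl -l` from stdin, so the
# Test Plan's check becomes `auditctl -l | loaded_rule_present`. Checking
# the loaded set and the persistent file separately catches the case where
# the file was edited but auditd was never restarted.
loaded_rule_present() {
  grep -qE "$RULE_RE"
}

# Typical use on the host (needs root), then restart auditd as in the
# Implementation Plan:
#   add_rule /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd
#   auditctl -l | loaded_rule_present && echo "watch on /etc/docker is active"
#   ausearch -k docker   # review the events recorded under the rule's key
```
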

References: