Profile Applicability:

  • Level 2

Description:

The docker.service file is essential for Docker daemon configuration, particularly when daemon parameters have been modified by an administrator. Auditing this file ensures that any changes made to the Docker daemon configuration can be tracked.

Rationale:

The Docker daemon runs with root privileges and depends on various files and directories, including docker.service. This file may contain important configuration settings for Docker, and its auditing helps detect unauthorized modifications or misconfigurations.

Impact:

Pros:

  • Provides visibility into any changes made to the Docker service configuration.

  • Enhances security by ensuring that modifications to critical Docker daemon files are monitored.

Cons:

  • Auditing can generate large log files, so proper log management, such as rotation and archiving, is required.

  • A separate partition for audit logs may be needed to avoid filling up critical system partitions.

Default Value:

By default, Docker-related files, including docker.service, are not audited. The file may not be present on some systems if the Docker service configuration has not been altered.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Familiarity with configuring audit rules and system calls for auditd.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.
  2. Run the following command to locate the docker.service file:
  • systemctl show -p FragmentPath docker.service
  3. If the file exists, verify that an audit rule has been applied by running:
  • auditctl -l | grep docker.service

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to locate the docker.service file:
  • systemctl show -p FragmentPath docker.service
  3. Check the audit rules for the file:
  • auditctl -l | grep docker.service


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for the docker.service file by editing the /etc/audit/rules.d/audit.rules file:
  • -w /usr/lib/systemd/system/docker.service -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and restart the audit daemon:
  • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"-w /usr/lib/systemd/system/docker.service -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'
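As an added check for the Test Plan and Implementation Plan above (example code, not from the benchmark itself): the grep in step 3 only proves that some rule mentions docker.service, so this POSIX sh script compares the watched path in `auditctl -l` with the unit file path that `systemctl show -p FragmentPath` reports, which differs between distributions. The function names and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: confirm that the auditd
# watch covers the docker.service unit file systemd actually loads, instead
# of only grepping `auditctl -l` for the string "docker.service".
# Function names and sample outputs below are constructed for this example.

# Take the output of `systemctl show -p FragmentPath docker.service`
# (e.g. "FragmentPath=/lib/systemd/system/docker.service") and print the
# path alone. Prints nothing when the unit has no file on this host.
fragment_path() {
    printf '%s\n' "$1" | sed -n 's/^FragmentPath=//p'
}

# Succeed only if the `auditctl -l` listing in $1 holds a watch rule (-w)
# whose path is exactly $2; the -p permissions and -k key may be anything.
rule_watches_path() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == "-w" && $2 == p { found = 1 } END { exit !found }'
}

# Combine both: print "not-applicable" (no unit file), "pass" or "fail".
audit_status() {
    path=$(fragment_path "$1")
    if [ -z "$path" ]; then
        echo not-applicable
    elif rule_watches_path "$2" "$path"; then
        echo pass
    else
        echo fail
    fi
}

# Constructed sample data: the unit file path differs between distributions,
# so a rule written for /usr/lib/... does not cover a host whose unit lives
# under /lib/..., even though both lines contain "docker.service".
SAMPLE_FRAGMENT_RHEL='FragmentPath=/usr/lib/systemd/system/docker.service'
SAMPLE_FRAGMENT_DEBIAN='FragmentPath=/lib/systemd/system/docker.service'
SAMPLE_FRAGMENT_NONE='FragmentPath='
SAMPLE_RULES='-w /usr/lib/systemd/system/docker.service -p rwxa -k docker
-w /etc/docker -p rwxa -k docker'

# Query the real host only when asked, so the file can be sourced safely:
#   DOCKER_AUDIT_LIVE=1 sh check_docker_service_audit.sh
if [ "${DOCKER_AUDIT_LIVE:-0}" = 1 ]; then
    audit_status "$(systemctl show -p FragmentPath docker.service)" "$(auditctl -l)"
fi
```

A "fail" result with a rule present means the rule's path and the FragmentPath disagree; rewrite the -w line with the reported path before restarting auditd.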


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
  • -w /usr/lib/systemd/system/docker.service -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and restart the audit daemon:
  • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"\\|-w /usr/lib/systemd/system/docker.service -k docker|d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'


References: