Profile Applicability:
Level 2
Description:
The containerd.sock file is the Unix domain socket through which the Docker daemon (dockerd) drives the containerd runtime. Auditing this file records every access to, and modification of, this control channel, so that activity against the container runtime can be reconstructed and investigated.
Rationale:
containerd runs as root, and any process that can open its socket can create and control containers, including privileged containers that mount the host filesystem, so access to the socket is effectively root on the host. Auditing the socket file records who connects to or tampers with the runtime and provides the evidence needed to detect unauthorized or suspicious use of the container runtime.
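As an added illustration of the detection this rationale describes (example code added here, not part of the benchmark or of any Docker or containerd tooling): the records auditd emits for the watch rule carry the rule's key, and a small triage script can flag connections to the socket from executables that are not the expected daemons. The allowlist and the three audit records in the script are constructed for the example; adjust the allowlist to the binaries that legitimately use the socket on the host.

```shell
#!/usr/bin/env bash
# Added example (not benchmark code): triage auditd SYSCALL records tagged
# with the "docker" key and flag socket access by executables outside an
# allowlist.

# Hypothetical allowlist of binaries expected to open containerd.sock.
ALLOWED_EXE="/usr/bin/dockerd /usr/bin/containerd /usr/bin/ctr"

# Constructed sample records in raw auditd format (not captured from a host).
# syscall=42 is connect(2) on x86_64; the third record carries another key
# and must be ignored by the filter.
sample_records() {
  cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=42 success=yes exit=0 items=1 ppid=1 pid=1201 auid=4294967295 uid=0 gid=0 euid=0 comm="dockerd" exe="/usr/bin/dockerd" key="docker"
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=42 success=yes exit=0 items=1 ppid=3300 pid=3301 auid=1000 uid=0 gid=0 euid=0 comm="socat" exe="/usr/bin/socat" key="docker"
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"
EOF
}

# flag_unexpected: read raw audit records on stdin; for each SYSCALL record
# keyed "docker", print "<pid> <exe>" when exe is not in ALLOWED_EXE.
flag_unexpected() {
  awk -v allowed="$ALLOWED_EXE" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^type=SYSCALL / && /key="docker"/ {
      pid = ""; exe = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^pid=/) pid = substr($i, 5)
        if ($i ~ /^exe=/) { exe = substr($i, 5); gsub(/"/, "", exe) }
      }
      if (!(exe in ok)) print pid, exe
    }'
}

# Usage on a live host (records selected by the rule key, raw format):
#   ausearch -k docker --raw | flag_unexpected
# Usage on the constructed sample (prints the socat connection only):
#   sample_records | flag_unexpected
```

The filter keys on the SYSCALL record only; the PATH record of the same event names the socket but not the calling executable, so the allowlist decision has to be made on exe= from the SYSCALL line.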
Impact:
Pros:
Records access to and modification of the socket, so unauthorized use of the container runtime leaves an audit trail that can be searched by rule key.
Improves visibility into the Docker host, making abnormal activity against the runtime easier to detect and investigate.
Cons:
Auditing generates log data that could grow quickly, requiring effective management such as log rotation and archiving.
Depending on system load, auditing might add some overhead, so performance considerations are important.
Default Value:
By default, the containerd.sock file is not audited unless explicitly configured.
Pre-requisites:
Administrative privileges on the Docker host system.
Familiarity with auditing configuration and using auditd.
Remediation:
Test Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker (for example through Session Manager or EC2 Instance Connect from the console).
- Confirm the socket exists at the expected path; if it does not, this control does not apply to the host, and the path used in the rule must be verified before proceeding:
ls -l /run/containerd/containerd.sock
- Check for audit rules related to containerd.sock by running:
auditctl -l | grep containerd.sock
- The check passes if a watch on the socket is listed; a rule added as described below is reported as:
-w /run/containerd/containerd.sock -p rwxa -k docker
Using AWS CLI:
- Run the same check remotely through SSM on the EC2 instance where Docker is running:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["auditctl -l | grep containerd.sock"]}'
- Read the command output using the command ID returned by the previous call:
aws ssm get-command-invocation --command-id command_id --instance-id instance_id
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Add a watch rule for the containerd.sock file to the /etc/audit/rules.d/audit.rules file (the -k docker key allows the resulting records to be retrieved later with ausearch -k docker):
-w /run/containerd/containerd.sock -k docker
- Load the rules into the running audit daemon; augenrules merges every file in /etc/audit/rules.d and avoids a daemon restart:
sudo augenrules --load
- Alternatively, restart the audit daemon; on RHEL-family hosts systemctl refuses to stop auditd, so use service auditd restart there instead:
sudo systemctl restart auditd
Using AWS CLI:
- Use SSM to remotely add the audit rule (only if it is not already present) and load it. AWS-RunShellScript runs as root on Linux instances, so sudo is not needed; the JSON form of --parameters avoids the nested single-quote escaping that breaks the shell quoting:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["grep -qxF -- \"-w /run/containerd/containerd.sock -k docker\" /etc/audit/rules.d/audit.rules || echo \"-w /run/containerd/containerd.sock -k docker\" >> /etc/audit/rules.d/audit.rules","augenrules --load || service auditd restart"]}'
Backout Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
-w /run/containerd/containerd.sock -k docker
- Reload the rules so the watch is removed from the kernel (or restart the audit daemon, as in the implementation plan):
sudo augenrules --load
Using AWS CLI:
- Use SSM to remotely delete the rule line and reload the rules:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"\\|^-w /run/containerd/containerd.sock -k docker$|d\" /etc/audit/rules.d/audit.rules","augenrules --load || service auditd restart"]}'
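A hardened version of the test, implementation and backout procedures above, written here as an added example rather than taken from the benchmark or from Docker's tooling: the functions add or remove the watch rule idempotently (repeated runs never duplicate the line), load the rules without relying on systemctl, and verify the watch in the running kernel. SOCK and RULES_FILE default to the paths used on this page and are assumptions to override where the daemon creates the socket elsewhere; pointing RULES_FILE at a scratch file exercises the file-editing functions without touching a live host.

```shell
#!/usr/bin/env bash
# Added example (not benchmark code): idempotent management of the auditd
# watch rule for containerd.sock. SOCK and RULES_FILE default to the paths
# used in this control; override them through the environment if they differ.

SOCK="${SOCK:-/run/containerd/containerd.sock}"
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"
RULE="-w ${SOCK} -k docker"

# rule_present FILE: succeed if FILE contains exactly the watch rule line.
# -F -x match the literal whole line; "--" stops grep treating "-w" as an option.
rule_present() {
  grep -qxF -- "$RULE" "$1" 2>/dev/null
}

# add_rule FILE: append the rule only when it is not already there.
add_rule() {
  rule_present "$1" && return 0
  printf '%s\n' "$RULE" >> "$1"
}

# remove_rule FILE: drop the exact rule line, rewriting in place so the file's
# inode, owner and mode are preserved.
remove_rule() {
  local tmp
  tmp="$(mktemp)"
  grep -vxF -- "$RULE" "$1" > "$tmp" || true   # grep exits 1 if nothing remains
  cat "$tmp" > "$1"
  rm -f "$tmp"
}

# load_rules: push /etc/audit/rules.d/*.rules into the kernel. augenrules
# avoids restarting auditd, which RHEL-family systems refuse via systemctl;
# fall back to the SysV-style restart where augenrules is missing.
load_rules() {
  if command -v augenrules >/dev/null 2>&1; then
    augenrules --load
  else
    service auditd restart
  fi
}

# check_live: the benchmark's audit step; exit 0 only if the kernel holds
# a watch on the socket.
check_live() {
  auditctl -l | grep -F -- "$SOCK"
}

# apply / backout: the two procedures end-to-end on a live host (run as root).
apply()   { add_rule "$RULES_FILE" && load_rules && check_live; }
backout() { remove_rule "$RULES_FILE" && load_rules && ! check_live; }
```

On a host, source the file and run apply or backout; check_live is the same check as the test plan, so a non-zero exit from apply means the rule reached rules.d but not the kernel, which usually indicates that augenrules or the daemon restart failed.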
References:
CIS Docker Benchmark v1.7