Ensure Auditing is Configured for Docker Files and Directories

Profile Applicability:

Level 2

Description:

The docker.sock file is a Unix domain socket used by the Docker daemon for communication with the Docker client. Auditing this file ensures that unauthorized access or modifications to this communication socket are detected.

Rationale:

The Docker daemon runs with root privileges, and any untrusted users with access to docker.sock can control Docker containers. By auditing this file, we can detect any unauthorized attempts to access or modify the Docker daemon’s communication channel.

Impact:

Pros:

Enhances security by monitoring the access and use of Docker's root-privileged communication socket.
Provides critical insight into unauthorized or malicious activity aimed at exploiting Docker.

Cons:

Can generate a large volume of audit logs, which may require management (log rotation and archiving).
May require setting up a separate partition for audit logs to avoid filling up critical system storage.

Default Value:

By default, Docker-related files like docker.sock are not audited unless explicitly configured.

Pre-requisites:

Administrative access to the Docker host system.
Familiarity with the configuration of auditd and audit rules.

Remediation:

Test Plan:

Using AWS Console:

Log in to the EC2 instance running Docker.
Run the following command to check if there is an audit rule for docker.sock:

```
auditctl -l | grep docker.sock
```

Using AWS CLI:

Connect to the EC2 instance where Docker is running.
Run the following command to verify if an audit rule exists for docker.sock:

```
auditctl -l | grep docker.sock
```

Implementation Plan:

Using AWS Console:

Log in to the EC2 instance.
Add an audit rule for docker.sock by editing the /etc/audit/rules.d/audit.rules file:

```
-w /var/run/docker.sock -k docker
```

3. Restart the audit daemon to apply the changes:

```
sudo systemctl restart auditd
```

Using AWS CLI:

Use SSM to remotely add the audit rule and restart the audit daemon:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \'-w /var/run/docker.sock -k docker\' >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'

Backout Plan:

Using AWS Console:

Log in to the EC2 instance.
Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:

```
-w /var/run/docker.sock -k docker
```

3. Restart the audit daemon to apply the changes:

```
sudo systemctl restart auditd
```

Using AWS CLI:

Use SSM to remotely remove the audit rule and restart the audit daemon:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \'/\-w \/var\/run\/docker.sock -k docker/d\' /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'

References:

CIS Docker Benchmark v1.7
Docker Security Documentation

iCompaas Support

Ensure Auditing is Configured for Docker Files and Directories - docker.sock Print

Ensure Auditing is Configured for Docker Files and Directories - docker.sock Print

Related Articles