Profile Applicability:
Level 2
Description:
The /etc/default/docker file holds environment variables (most notably DOCKER_OPTS) that the sysvinit and upstart init scripts pass to the Docker daemon when it starts, so it directly controls the daemon's command-line options. Auditing this file with auditd records every access to and modification of it, so unauthorized changes to the daemon's configuration are detected and can be attributed. Note that hosts that manage Docker with systemd do not read this file; on such hosts it is usually absent and this recommendation does not apply.
Rationale:
The Docker daemon runs as root, so any file that determines how it is started must be protected and monitored. Anyone who can edit /etc/default/docker can change the daemon's startup flags (for example by adding options to DOCKER_OPTS) for every subsequent start of the service; without an audit trail such a change is easy to miss and hard to attribute.
Impact:
Pros:
Auditing provides visibility into unauthorized modifications, which helps in tracking and mitigating potential security breaches.
Ensures the integrity of the Docker configuration and its operational settings.
Cons:
Auditing can generate large log files, requiring proper management (rotation and archiving).
May require separate storage for audit logs to avoid consuming space on critical system partitions.
Default Value:
By default, Docker-related files like /etc/default/docker are not audited.
Pre-requisites:
Administrative access to the Docker host system.
Understanding of auditd rule syntax and of how Docker is configured on the host.
Remediation:
Test Plan:
Using AWS Console:
- Connect to the EC2 instance running Docker (EC2 Instance Connect, Session Manager, or SSH).
- Confirm the file exists; if it does not (typical for systemd-managed Docker), the recommendation is not applicable to this host:
ls -l /etc/default/docker
- Verify that a watch on the file is present in the running audit ruleset (listing rules requires root):
sudo auditctl -l | grep /etc/default/docker
- The expected output is a line such as the following (rwxa is the default permission set when -p is not given):
-w /etc/default/docker -p rwxa -k docker
- Verify that the rule is also persisted so it survives a reboot:
sudo grep -r '/etc/default/docker' /etc/audit/rules.d/
Using AWS CLI:
- Run the same check remotely through Systems Manager (replace instance_id with the target instance); the first command prints the command ID, which the second command uses to read back the output:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=instance_id" --parameters '{"commands":["auditctl -l | grep /etc/default/docker"]}' --query "Command.CommandId" --output text
aws ssm get-command-invocation --command-id <command ID from the previous step> --instance-id instance_id --query "StandardOutputContent" --output text
Implementation Plan:
Using AWS Console:
- Connect to the EC2 instance.
- Add a watch for the file to the persistent audit rules by appending the following line to /etc/audit/rules.d/audit.rules (add it only once; an identical rule that is already loaded is rejected with "Rule exists"):
-w /etc/default/docker -k docker
- Load the rules from /etc/audit/rules.d/ into the kernel:
sudo augenrules --load
  On Red Hat family systems auditd.service is marked RefuseManualStop, so sudo systemctl restart auditd is refused; use augenrules --load (or sudo service auditd restart) there. On other distributions sudo systemctl restart auditd also works.
- Confirm the rule is active:
sudo auditctl -l | grep /etc/default/docker
Using AWS CLI:
- Use Systems Manager to append the rule (only if it is not already present) and load it. AWS-RunShellScript already runs as root, so sudo is not needed, and the parameters are passed as JSON so the quoting is unambiguous:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=instance_id" --parameters '{"commands":["grep -qxF -- \"-w /etc/default/docker -k docker\" /etc/audit/rules.d/audit.rules || echo \"-w /etc/default/docker -k docker\" >> /etc/audit/rules.d/audit.rules","augenrules --load"]}'
Backout Plan:
Using AWS Console:
- Connect to the EC2 instance.
- Remove the rule from /etc/audit/rules.d/audit.rules by deleting the line:
-w /etc/default/docker -k docker
- Reload the ruleset so the watch is removed from the kernel. The generated ruleset normally begins with -D, which clears the loaded rules before the remaining ones are re-added; if auditd runs with the rules locked (-e 2), the ruleset is immutable and a reboot is required:
sudo augenrules --load
- Confirm the watch is gone:
sudo auditctl -l | grep /etc/default/docker
Using AWS CLI:
- Use Systems Manager to delete the line and reload the rules:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"/^-w \\/etc\\/default\\/docker -k docker$/d\" /etc/audit/rules.d/audit.rules","augenrules --load"]}'
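The implementation and backout steps above boil down to editing one line in a rules file and reloading auditd, and the part that goes wrong in practice is doing it twice (duplicate rules) or leaving a stale line behind. The script below is an added example, not code from the page or from the CIS benchmark, that makes both steps idempotent and verifiable. It assumes auditd with augenrules is installed and that rules live in /etc/audit/rules.d/audit.rules; the RULES_FILE override and the apply/remove sub-commands are this example's own conventions, not part of any tool, and exist so the file-editing helpers can be exercised on a scratch file without root.

```shell
#!/bin/sh
# Added example (not from the page or the CIS benchmark): idempotent helpers to
# add, check and remove the auditd watch for /etc/default/docker and load it.
# Assumptions: auditd and augenrules are installed; RULES_FILE is a hypothetical
# override so the helpers can run against a scratch file without root.
RULE='-w /etc/default/docker -k docker'
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# has_rule FILE: 0 if the exact rule line is present in FILE, 1 otherwise.
has_rule() {
    [ -f "$1" ] && grep -qxF -- "$RULE" "$1"
}

# ensure_rule FILE: append the rule once; repeated runs do not add duplicates.
ensure_rule() {
    has_rule "$1" && return 0
    printf '%s\n' "$RULE" >> "$1"
}

# remove_rule FILE: drop every exact copy of the rule line, keep all other lines.
remove_rule() {
    [ -f "$1" ] || return 0
    # grep -v exits 1 when nothing remains; that is not an error here.
    grep -vxF -- "$RULE" "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
}

# rule_count FILE: number of copies of the rule line (0 if the file is missing).
rule_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF -- "$RULE" "$1" || true
}

# load_rules: push the persistent rules into the kernel. augenrules --load is
# the supported path; RHEL-family hosts refuse 'systemctl restart auditd'
# (RefuseManualStop), so do not rely on it. Fall back to auditctl -R.
load_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    else
        auditctl -R "$RULES_FILE"
    fi
}

# verify_live: confirm the watch is present in the running kernel ruleset.
verify_live() {
    auditctl -l | grep -F -- '/etc/default/docker'
}

# Usage (as root):  sh audit-docker-default.sh apply | remove
case "${1:-}" in
    apply)
        [ -e /etc/default/docker ] || \
            echo "warning: /etc/default/docker is absent (systemd-managed Docker does not use it)" >&2
        ensure_rule "$RULES_FILE" && load_rules && verify_live ;;
    remove)
        remove_rule "$RULES_FILE" && load_rules ;;
esac
```

Run it as root with `apply` to add and activate the watch and with `remove` to back it out; running `apply` twice leaves exactly one rule line, and `remove` leaves every unrelated rule in the file untouched.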
References:
CIS Docker Benchmark v1.7