Profile Applicability:

  • Level 2

Description:

The /etc/docker/daemon.json file contains configuration settings for the Docker daemon. Auditing this file ensures that any unauthorized modifications to Docker's core configuration can be detected.

Rationale:

The Docker daemon operates with root privileges, and its behavior is controlled by configuration files like /etc/docker/daemon.json. Auditing this file helps in detecting malicious or unauthorized changes to Docker's configuration, which could compromise system security.

Impact:

Pros:

  • Enhances security by providing visibility into changes made to Docker's configuration.

  • Helps detect unauthorized modifications that could alter Docker's behavior, leading to potential vulnerabilities.

Cons:

  • Auditing can result in large log files, requiring effective log management practices like rotation and archiving.

  • A dedicated partition for audit logs might be necessary to avoid filling up critical system storage.

Default Value:

By default, Docker-related files such as /etc/docker/daemon.json are not audited.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Basic understanding of auditd and system file auditing configuration.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.
  2. Execute the following command to verify whether an audit rule is configured for the /etc/docker/daemon.json file:
  • auditctl -l | grep /etc/docker/daemon.json


Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to check whether an audit rule is associated with the /etc/docker/daemon.json file:
  • auditctl -l | grep /etc/docker/daemon.json
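One way to carry out this check and then review what the rule records, added here as an example and not part of the benchmark: the script reads `auditctl -l` output and audit.log records on stdin, with constructed samples standing in for a live host, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: check that the
# daemon.json watch rule is loaded and summarise audit records that
# carry its key. RULE_PATH and RULE_KEY are the values the benchmark
# uses; the two SAMPLE_* inputs below are constructed stand-ins for
# `auditctl -l` output and /var/log/audit/audit.log.
RULE_PATH="/etc/docker/daemon.json"
RULE_KEY="docker"
SAMPLE_AUDITCTL='-w /etc/docker/daemon.json -p rwxa -k docker'

# Three SYSCALL records tagged "docker": a successful edit by auid 1000,
# a denied read by auid 1001, and the daemon itself (auid unset).
SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="docker"
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/docker/daemon.json" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="docker"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=4 auid=4294967295 uid=0 comm="dockerd" exe="/usr/bin/dockerd" key="docker"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
EOF
)

# rule_loaded: read `auditctl -l` output on stdin; exit 0 only if a watch
# on RULE_PATH tagged RULE_KEY is present (auditctl prints -p rwxa for a
# rule added without -p, so the permission field is optional here).
rule_loaded() {
    grep -E -- "^-w ${RULE_PATH}( -p [rwxa]+)? -k ${RULE_KEY}\$" >/dev/null
}

# key_events: read audit.log records on stdin; print one line per
# successful SYSCALL record tagged RULE_KEY as "<time> auid=<n> exe=<path>".
key_events() {
    grep -E "^type=SYSCALL .*success=yes .*key=\"${RULE_KEY}\"" |
    sed -E 's/^type=SYSCALL msg=audit\(([0-9.]+):[0-9]+\):.* auid=([0-9]+) .* exe="([^"]*)".*$/\1 auid=\2 exe=\3/'
}

# count_key_events: number of lines key_events would print.
count_key_events() { key_events | wc -l | tr -d ' '; }

demo() {
    if printf '%s\n' "$SAMPLE_AUDITCTL" | rule_loaded; then
        echo "watch rule for $RULE_PATH is loaded"
    else
        echo "watch rule for $RULE_PATH is MISSING" >&2
    fi
    echo "successful accesses tagged $RULE_KEY:"
    printf '%s\n' "$SAMPLE_LOG" | key_events
}
demo
```

On a live host, pipe the real `auditctl -l` output and /var/log/audit/audit.log into the functions instead of the samples. On distributions where systemd refuses a manual `systemctl restart auditd`, `augenrules --load` (or `service auditd restart`) loads the rules from /etc/audit/rules.d.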

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for /etc/docker/daemon.json by editing the /etc/audit/rules.d/audit.rules file:
  • -w /etc/docker/daemon.json -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"-w /etc/docker/daemon.json -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
  • -w /etc/docker/daemon.json -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"\\|-w /etc/docker/daemon.json -k docker|d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'


References: