Profile Applicability:

  • Level 2

Description:

The /etc/sysconfig/docker file is the Docker daemon configuration file on CentOS and RHEL-based systems. The docker systemd unit typically reads it as an environment file, and the variables it defines (such as OPTIONS) become the flags dockerd is started with. The file is only present where the distribution's Docker packages ship it; if it does not exist on the host, this recommendation is not applicable. Auditing the file records every access to and modification of it, so unauthorized changes to the daemon's behavior can be detected and investigated.

Rationale:

The Docker daemon runs with root privileges, so the files that control how it starts are as sensitive as the daemon itself. A change to /etc/sysconfig/docker can alter the flags dockerd is started with, and with them the daemon's security posture, without touching the daemon binary. Every change to the file must therefore be recorded so that unauthorized modification can be detected and traced to a user and time.

Impact:

Pros:

  • Auditing provides visibility into changes made to critical Docker configuration files.

  • Helps detect unauthorized access or modification of configuration settings.

Cons:

  • Auditing may generate large log files, which need to be managed with log rotation and archiving.

  • Audit logs may require dedicated storage to avoid consuming critical system partitions.

Default Value:

By default, the /etc/sysconfig/docker file is not audited.

Pre-requisites:

  • Administrative (root) access to the Docker host system.

  • Familiarity with configuring audit rules and using auditd for system monitoring.

  • For the AWS CLI steps, the instance must run the SSM Agent and have an instance profile that permits Systems Manager Run Command.

Remediation:

Test Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker (for example with EC2 Instance Connect or Session Manager).
  2. Check whether a rule watching /etc/sysconfig/docker is present in the kernel's loaded rule set (auditctl -l reports the live rules, not the contents of the files under /etc/audit):
  • sudo auditctl -l | grep /etc/sysconfig/docker
  3. The check passes if the output contains a watch on the file. auditctl lists a rule that was added as -w /etc/sysconfig/docker -k docker with the default permission set, so expect a line such as:
  • -w /etc/sysconfig/docker -p rwxa -k docker

  If the file does not exist on the host, this recommendation is not applicable.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running over SSH or Session Manager.
  2. Run the same check and expect the same output:
  • sudo auditctl -l | grep /etc/sysconfig/docker

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance (for example with EC2 Instance Connect or Session Manager).
  2. Add an audit rule for /etc/sysconfig/docker by appending the following line to /etc/audit/rules.d/audit.rules:
  • -w /etc/sysconfig/docker -k docker
  3. Load the updated rules into the running audit daemon:
  • sudo augenrules --load

  augenrules rebuilds /etc/audit/audit.rules from the files under /etc/audit/rules.d and loads the result. On RHEL/CentOS 7 and later, auditd.service sets RefuseManualStop=yes, so sudo systemctl restart auditd is refused; use augenrules --load (or sudo service auditd restart) instead.

Using AWS CLI:

  1. Use SSM Run Command to add the rule (only if it is not already present) and load the rules remotely. AWS-RunShellScript runs as root, so no sudo is needed, and the JSON form of --parameters avoids the shell-quoting problem of nesting single quotes inside a single-quoted argument. grep is given -e so that the leading -w of the rule is not parsed as a grep option:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=instance_id" --parameters '{"commands":["grep -qxF -e \"-w /etc/sysconfig/docker -k docker\" /etc/audit/rules.d/audit.rules || echo \"-w /etc/sysconfig/docker -k docker\" >> /etc/audit/rules.d/audit.rules","augenrules --load"]}'


Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
  2. Remove the audit rule by editing /etc/audit/rules.d/audit.rules and deleting the line:
  • -w /etc/sysconfig/docker -k docker
  3. Reload the rules so the watch is also removed from the kernel's loaded rule set. The default rules file begins with -D, which clears the previous rules before the regenerated set is loaded; systemctl restart auditd is refused on RHEL/CentOS 7 and later, so use augenrules (or sudo service auditd restart):
  • sudo augenrules --load

Using AWS CLI:

  1. Use SSM Run Command to remove the rule line and reload the rules remotely. The sed address uses | as its delimiter so the slashes in the path need no escaping; the doubled backslash is JSON escaping and reaches the shell as a single backslash:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"\\|^-w /etc/sysconfig/docker -k docker$|d\" /etc/audit/rules.d/audit.rules","augenrules --load"]}'
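
The Test Plan, Implementation Plan and Backout Plan above, collected into one idempotent script. This is an added example, not part of the benchmark text or of Docker's own tooling: the function names (has_watch, add_rule, remove_rule, load_rules, verify_live) and the script name are assumptions. The rules file is passed as a parameter so the add/remove logic can be exercised against a scratch copy before it is pointed at /etc/audit/rules.d/audit.rules; only load_rules and verify_live touch the live system.

```shell
#!/bin/sh
# Added example (not from the benchmark or from Docker): idempotent helpers for the
# /etc/sysconfig/docker watch rule. Function and variable names are assumptions.
# The rules file is a parameter so the logic can be exercised against a scratch
# copy before it is pointed at /etc/audit/rules.d/audit.rules.

WATCH_PATH="/etc/sysconfig/docker"
WATCH_KEY="docker"
RULE="-w ${WATCH_PATH} -k ${WATCH_KEY}"
RULES_FILE_DEFAULT="/etc/audit/rules.d/audit.rules"

# has_watch RULE_TEXT : succeed if the given "auditctl -l" output contains a watch
# on WATCH_PATH. auditctl rewrites a bare "-w path -k key" rule as
# "-w path -p rwxa -k key", so match the path token, not the literal line we wrote.
# Requiring whitespace or end-of-line after the path rejects look-alikes such as
# /etc/sysconfig/docker-storage.
has_watch() {
    printf '%s\n' "$1" | grep -Eq "^-w[[:space:]]+${WATCH_PATH}([[:space:]]|\$)"
}

# add_rule RULES_FILE : append RULE unless an identical line is already present,
# so repeated runs (for example from a configuration-management tool) do not
# accumulate duplicate rules.
add_rule() {
    rules_file="$1"
    [ -f "$rules_file" ] || : > "$rules_file"
    # "--" stops grep from reading the leading "-w" of the rule as its own option.
    grep -qxF -- "$RULE" "$rules_file" && return 0
    printf '%s\n' "$RULE" >> "$rules_file"
}

# remove_rule RULES_FILE : delete the exact rule line and leave every other rule alone.
# A fixed-string whole-line match needs no escaping of the slashes in the path,
# and the temp-file rewrite works on any POSIX sh (no sed -i dependency).
remove_rule() {
    rules_file="$1"
    [ -f "$rules_file" ] || return 0
    tmp="${rules_file}.tmp.$$"
    grep -vxF -- "$RULE" "$rules_file" > "$tmp" || :   # grep exits 1 when nothing is left
    mv "$tmp" "$rules_file"
}

# load_rules : rebuild /etc/audit/audit.rules from rules.d and load it into the kernel.
# On RHEL/CentOS 7+ auditd.service sets RefuseManualStop=yes, so
# "systemctl restart auditd" is refused; augenrules (or "service auditd restart")
# is the supported way to apply rule changes.
load_rules() {
    augenrules --load
}

# verify_live : check the rule set the kernel actually has loaded, not just the file on disk.
verify_live() {
    has_watch "$(auditctl -l 2>/dev/null)"
}

# Usage on a host (as root): sh docker-sysconfig-audit.sh apply | remove | check
case "${1:-}" in
    apply)  add_rule "$RULES_FILE_DEFAULT" && load_rules && verify_live ;;
    remove) remove_rule "$RULES_FILE_DEFAULT" && load_rules ;;
    check)  if verify_live; then echo "watch on ${WATCH_PATH} is loaded"; else echo "watch missing"; exit 1; fi ;;
esac
```

The apply path verifies against auditctl -l rather than against the file it just wrote, which is the same distinction the Test Plan relies on: a rule in rules.d that was never loaded gives no audit events.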


References: