Profile Applicability:

  • Level 2 

Description:

The /usr/bin/runc binary is the container runtime used by Docker to create and manage containers. Auditing this file ensures that any unauthorized changes or access to the container runtime are detected.

Rationale:

Docker relies on runc to manage containers, and runc operates with elevated privileges. Unauthorized access or changes to runc could compromise the integrity of the container environment and expose the system to security risks.

Impact:

Pros:

  • Provides visibility into unauthorized access or changes to the container runtime, helping to detect and mitigate potential security issues.

  • Enhances the ability to perform forensic analysis in the event of a security breach.

Cons:

  • Auditing generates log data that could be large, requiring proper management such as log rotation and archiving.

  • A dedicated partition for storing audit logs may be necessary to avoid filling up critical system storage.

Default Value:

By default, Docker-related files like /usr/bin/runc are not audited.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Familiarity with auditd and configuring audit rules for system files.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.
  2. Run the following command to verify that an audit rule exists for /usr/bin/runc (a matching -w line is printed when the rule is loaded; no output means the rule is missing):
  • auditctl -l | grep /usr/bin/runc

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to verify that an audit rule exists for /usr/bin/runc (a matching -w line is printed when the rule is loaded; no output means the rule is missing):
  • auditctl -l | grep /usr/bin/runc

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for /usr/bin/runc by appending the following line to the /etc/audit/rules.d/audit.rules file:
  • -w /usr/bin/runc -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and restart the audit daemon (the parameters are passed as JSON so that the embedded quotes survive the shell; replace instance_id with the target instance ID):
  • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"-w /usr/bin/runc -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
  • -w /usr/bin/runc -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and restart the audit daemon (the sed expression uses | as its delimiter so the slashes in the path need no escaping; replace instance_id with the target instance ID):
  • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"\\|-w /usr/bin/runc -k docker|d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'
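The following POSIX shell helpers are an added example, not part of this benchmark or of the auditd project, that implement the Test Plan, Implementation Plan and Backout Plan above in a way that can be run repeatedly: the check parses `auditctl -l` output for a watch on /usr/bin/runc regardless of the key used, the install step appends the rule only if it is not already present (the plain `echo >>` in the plan adds a duplicate line each time it is run), and the backout removes exactly that line. The function names, the RUNC_RULE variable and the sample `auditctl -l` lines fed to the check are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: idempotent helpers for the /usr/bin/runc audit watch.
# Function names and the RUNC_RULE variable are constructed for this example.

RUNC_RULE='-w /usr/bin/runc -k docker'

# rule_loaded: reads `auditctl -l` output on stdin and returns 0 when a
# watch rule on /usr/bin/runc is loaded. auditctl prints watch rules as
# "-w /usr/bin/runc -p rwxa -k docker"; the key is deliberately not
# checked, so a watch installed under a different key still passes.
rule_loaded() {
    grep -Eq -- '^-w[[:space:]]+/usr/bin/runc([[:space:]]|$)'
}

# ensure_rule_in_file <rules file>: append RUNC_RULE only if the exact
# line is absent, so re-running the remediation never duplicates it.
ensure_rule_in_file() {
    f="$1"
    [ -f "$f" ] || : > "$f"
    if grep -Fxq -- "$RUNC_RULE" "$f"; then
        return 0
    fi
    printf '%s\n' "$RUNC_RULE" >> "$f"
}

# remove_rule_from_file <rules file>: backout step; drops every line that
# matches RUNC_RULE exactly and leaves all other rules untouched.
remove_rule_from_file() {
    f="$1"
    tmp="$f.tmp"
    grep -Fxv -- "$RUNC_RULE" "$f" > "$tmp" || true
    mv "$tmp" "$f"
}

# check_host: the Test Plan against the live system (needs root and auditd).
check_host() {
    if auditctl -l 2>/dev/null | rule_loaded; then
        echo "PASS: audit watch on /usr/bin/runc is loaded"
        return 0
    fi
    echo "FAIL: no audit watch on /usr/bin/runc" >&2
    return 1
}

# Usage on a Docker host, run as root:
#   ensure_rule_in_file /etc/audit/rules.d/audit.rules
#   augenrules --load        # or restart auditd as in the plan above
#   check_host
```

Source the file and call `check_host` to get the pass/fail result with a non-zero exit status on failure, which makes it usable from a configuration-management or SSM check. Once the rule is loaded, `ausearch -k docker` lists the recorded accesses to the binary. On distributions where auditd.service sets RefuseManualStop=yes, `systemctl restart auditd` is refused; `service auditd restart` or `augenrules --load` loads the new rule there.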


References: