1.9 Audit Docker files and directories - /etc/docker

Information

Audit /etc/docker.Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with 'root' privileges. Its behavior depends on some key files and directories. /etc/docker is one such directory. It holds various certificates and keys used for TLS communication between Docker daemon and Docker client. It must be audited.

Solution

Add a rule for/etc/docker directory.

For example,
Add the line as below in /etc/audit/audit.rules file-
-w /etc/docker -k docker
Then, restart the audit daemon. For example,
service auditd restartImpact-
Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also, create a separate partition of audit to avoid filling root file system.
Default Value-
By default, Docker related files and directories are not audited.

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 5b9ddf3b72446e634a95fcb7e2e2ce1cfc5364fa0f34e1f47d4ce9020fcacb41