1.8 Audit Docker files and directories - docker.service

Information

Audit docker.service,if applicable.

Rationale:

Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with 'root' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator.It holds various parameters for Docker daemon. It must be audited, if applicable.

Solution

If the file exists, add a rule for it.

For example,

Add the line as below in /etc/audit/audit.rules file:

-w /usr/lib/systemd/system/docker.service -k docker

Then, restart the audit daemon. For example,

service auditd restart

Impact:

Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also, create a separate partition of audit to avoid filling root file system.

Default Value:

By default, Docker related files and directories arenot audited.The file docker.service may not be available on the system.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 874551f66e4284c03b629539a2ad98c863cbbd8a3f08ebd9d790c89503fb9190