Information
Audit /usr/lib/systemd/system/docker.service, if applicable.
Apart from auditing your regular Linux file system and system calls, audit all Docker
related files and directories. Docker daemon runs with 'root' privileges. Its behavior
depends on some key files and directories. /usr/lib/systemd/system/docker.service is
one such file. It holds various parameters for Docker daemon. It must be audited, if
applicable.
Solution
Add a rule for /usr/lib/systemd/system/docker.service file.For example,Add the line as below in /etc/audit/audit.rules file--w /usr/lib/systemd/system/docker.service -k dockerThen, restart the audit daemon. For example,#> service auditd restartImpact-Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also,
create a separate partition of audit to avoid filling root file system.
Default Value-By default, Docker related files and directories are not audited. The file
/usr/lib/systemd/system/docker.service may not be available on the system. In that
case, this recommendation is not applicable.