1.5 Ensure auditing is configured for the docker daemon

Information

Audit all Docker daemon activities.
Rationale:
Apart from auditing your regular Linux file system and system calls, audit Docker daemon as well. Docker daemon runs with root privileges. It is thus necessary to audit its activities and usage.

Solution

Add a rule for Docker daemon.
For example,
Add the line as below line in /etc/audit/audit.rules file:
-w /usr/bin/docker -k docker
Then, restart the audit daemon. For example,
service auditd restart
Impact:
Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also, create a separate partition of audit to avoid filling root file system.
Default Value:
By default, Docker daemon is not audited.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|6.2

Plugin: Unix

Control ID: 0085181f4d23d63e48afa3ba0e071d73e08eee4d1110265b84b8f0b5fd2f9d7e