Detections
Analytics

1.9 Audit Docker files and directories - /etc/docker

Information

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

Solution

Add a rule for/etc/docker directory.

For example,
Add the line as below in /etc/audit/audit.rules file-
-w /etc/docker -k docker
Then, restart the audit daemon. For example,
service auditd restartImpact-
Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also, create a separate partition of audit to avoid filling root file system.
Default Value-
By default, Docker related files and directories are not audited.

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: f4ac2abaa5b5d39b9ae8b9c3a9a155ef040b83f0d468c69361b6b854dddd1599