1.13 Audit Docker files and directories - /var/run/docker.sock


Audit /var/run/docker.sock.

Apart from auditing your regular Linux file system and system calls, audit all Docker
related files and directories. Docker daemon runs with 'root' privileges. Its behavior
depends on some key files and directories. /var/run/docker.sock is one such file. It is the
default Docker Unix socket. The 'root' and members of 'docker' group interact with it for
carrying out various Docker related activities. It must be audited.


Add a rule for /var/run/docker.sock file.

For example,Add the line as below in /etc/audit/audit.rules file

--w /var/run/docker.sock -k docker

Then, restart the audit daemon. For example,

#> service auditd restart

Impact-Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also,
create a separate partition of audit to avoid filling root file system.

Default Value-By default, Docker related files and directories are not audited.

See Also


Item Details


References: 800-53|AU-12c.

Plugin: Unix

Control ID: 342f25a4fe254a50649e1130eee9ce5546b2a04de44402b1e057415758c5bb92