Detections
Analytics

1.16 Audit Docker files and directories - /etc/sysconfig/docker-registry

Information

Audit /etc/sysconfig/docker-registry, if applicable.

Apart from auditing your regular Linux file system and system calls, audit all Docker
related files and directories. Docker daemon runs with 'root' privileges. Its behavior
depends on some key files and directories. /etc/sysconfig/docker-registry is one such
file. It holds various parameters for Docker registry options. It must be audited, if
applicable.

Solution

Add a rule for /etc/sysconfig/docker-registry file.For example,Add the line as below in /etc/audit/audit.rules file

 --w /etc/sysconfig/docker-registry -k docker

 Then, restart the audit daemon. For example,

 #> service auditd restart
Impact-Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also,
create a separate partition of audit to avoid filling root file system.

Default Value-By default, Docker related files and directories are not audited. The file
/etc/sysconfig/docker-registry may not be available on the system. In that case, this
recommendation is not applicable.

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 6a0631364d9afbaebf020632718c0db2243cc96502f4ef46636240126b6efe05