1.14 Audit Docker files and directories - /etc/sysconfig/docker

Information

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

Solution

Add a rule for /etc/sysconfig/docker file.

For example,Add the line as below in /etc/audit/audit.rules file

--w /etc/sysconfig/docker -k docker

Then, restart the audit daemon. For example,

#> service auditd restart

Impact-Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also,
create a separate partition of audit to avoid filling root file system.

Default Value-By default, Docker related files and directories are not audited. The file
/etc/sysconfig/docker may not be available on the system. In that case, this
recommendation is not applicable.

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: de6978ae2810b814779a36cfe4e139bb94c7f81a80eb574b1084ed6b654d5bf0