InformationAudit /etc/default/docker, if applicable.
Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with root privileges. Its behavior depends on some key files and directories. /etc/default/docker is one such file. It holds various parameters for Docker daemon. It must be audited, if applicable.
SolutionAdd a rule for /etc/default/docker file.
Add the line as below in /etc/audit/audit.rules file:
-w /etc/default/docker -k docker
Then, restart the audit daemon. For example,
service auditd restart
Auditing generates quite big log files. Ensure to rotate and archive them periodically. Also, create a separate partition of audit to avoid filling root file system.
By default, Docker related files and directories are not audited. The file /etc/default/docker may not be available on the system. In that case, this recommendation is not applicable.