Auditing Docker Containers in a DevOps Environment
Docker Audit
If You Strike Me Down Now
A plethora of auditd options is available, and so far I've only looked at catching one binary; however, the sheer number of other rules (watch rules, control rules, and syscall rules) is a little mind-blowing. Ultimately, this is what makes auditd so powerful: its ability to capture anything and everything going on within your systems. The following are samples from the bottom of the auditctl man page (note the -a for the syscall rules, as opposed to -w for the watch rules; where two ways are shown, the two forms are equivalent, because a watch rule is shorthand for the syscall rule).
To watch a file for changes (two ways; -p wa means writes and attribute changes):
auditctl -w /etc/shadow -p wa
auditctl -a always,exit -F path=/etc/shadow -F perm=wa
To watch a directory recursively for changes (two ways):
auditctl -w /etc/ -p wa
auditctl -a always,exit -F dir=/etc/ -F perm=wa
To see if an admin is accessing other users' files (uid=0 is the effective UID of the process, auid is the login UID of the session, obj_uid is the owner of the file, and -C compares two fields of the same event, so this catches someone who became root touching files they don't own):
auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid
I’d suggest using your favorite online hunter-gatherer engine for more information and example rules.
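The one-liners above show the two rule forms and the comparison rule, but on a real host you will want them persisted and tagged with a key so that the events can be found afterwards. What follows is an added example, not code from the article: it writes the rules above into a keyed rules file and then joins a few constructed audit.log records (a SYSCALL record plus the PATH records that share its event id) back into a short "who did what to which file" report, which is what you would otherwise ask ausearch for. The /etc/docker/ path, the key names, augenrules as the loader and the sample records are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example; not code from the original article. It turns the man-page
# one-liners into a persistent rules file whose rules carry a -k key, then
# joins the resulting audit records back into "who did what to which file".
# Assumptions (not from the article): auditd with augenrules and
# /etc/audit/rules.d/; the /etc/docker/ path, the key names and the sample
# log records below are constructed for illustration.
set -eu

# Write keyed rules. Without -k you are left grepping raw audit.log; with it,
# "ausearch -k shadow-change" returns exactly the events that rule produced.
# Load with: augenrules --load   (or, for a single file, auditctl -R <file>).
write_rules() {
  cat > "$1" <<'EOF'
## watch-rule form: writes and attribute changes to /etc/shadow
-w /etc/shadow -p wa -k shadow-change
## syscall-rule form, recursive, on the assumed Docker daemon config directory
-a always,exit -F dir=/etc/docker/ -F perm=wa -k docker-config
## root (uid=0) touching a file whose owner is not the logged-in user (auid)
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin-other-home
EOF
}

# Number of active rules in a rules file (comments and blank lines skipped).
count_rules() { grep -cEv '^[[:space:]]*(#|$)' "$1"; }

# Constructed sample records in auditd's native log format (not real captures):
# a keyed write to /etc/shadow, a keyed root read of another user's key file,
# and an unkeyed event that must be ignored by the report.
write_sample_log() {
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1614200000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5603c2a1 a2=241 a3=1a0 items=2 ppid=1100 pid=1250 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="shadow-change"
type=CWD msg=audit(1614200000.101:501): cwd="/root"
type=PATH msg=audit(1614200000.101:501): item=0 name="/etc/" inode=1048577 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1614200000.101:501): item=1 name="/etc/shadow" inode=1049201 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1614200000.204:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5603c3b7 a2=0 a3=0 items=1 ppid=1100 pid=1261 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="admin-other-home"
type=CWD msg=audit(1614200000.204:502): cwd="/root"
type=PATH msg=audit(1614200000.204:502): item=0 name="/home/alice/.ssh/id_ed25519" inode=2621501 dev=fd:01 mode=0100600 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1614200000.305:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5603c4c9 a2=0 a3=0 items=1 ppid=1100 pid=1270 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1614200000.305:503): item=0 name="/etc/hostname" inode=1049300 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
EOF
}

# The records of one event share the audit(ts:serial) id: SYSCALL carries
# auid/exe/key, PATH carries the file name. Join them on that id and print
# one line per keyed event: key auid exe path (sorted for stable output).
report_events() {
  awk '
    # value of " k=..." on the current record, quotes stripped, "-" if absent
    function field(k,   s) {
      if (match($0, " " k "[^ ]*")) {
        s = substr($0, RSTART + length(k) + 1, RLENGTH - length(k) - 1)
        gsub(/"/, "", s)
        return s
      }
      return "-"
    }
    { match($0, /audit\([0-9.]+:[0-9]+\)/); id = substr($0, RSTART, RLENGTH) }
    /^type=SYSCALL/ { key[id] = field("key="); auid[id] = field("auid="); exe[id] = field("exe=") }
    /^type=PATH/ && /nametype=NORMAL/ { path[id] = field("name=") }
    END {
      for (i in key)
        if (key[i] != "-" && key[i] != "(null)")
          print key[i], auid[i], exe[i], ((i in path) ? path[i] : "-")
    }
  ' "$1" | sort
}

# Stand-alone demonstration in a temporary directory.
main() {
  tmp=$(mktemp -d)
  write_rules "$tmp/docker-host.rules"
  echo "rules written: $(count_rules "$tmp/docker-host.rules")"
  write_sample_log "$tmp/audit.log"
  report_events "$tmp/audit.log"
  rm -rf "$tmp"
}
main
```

Loading the rules needs root and a running auditd; on a live host, ausearch -k admin-other-home -i does what the awk join does here, with UIDs resolved to names. Bear in mind that -F dir=/home/ with uid=0 is recursive, so expect noise from backup and indexing jobs that run as root until you tune the rule.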
If you want to profile what a binary actually does before writing rules for it (useful when threat modeling what a container's processes can reach), the powerful auditd also provides a tool called autrace, which you point at a specific binary to glean a whole host (pun intended) of useful logging data: it installs temporary syscall rules, runs the program, and leaves the trace in the audit log. A simple example command is:
$ autrace /bin/ls
Be aware that autrace deletes all loaded audit rules before and after the run, and it refuses to start until you have cleared them yourself with auditctl -D, so run it on a test box rather than a host whose rule set you care about; afterwards you pull the trace out with ausearch -p and the PID it reports. Again, the manual offers much more detail, so look there if you're interested.
This Is the End
As you can tell, I have barely scratched the surface of the venerable auditd package. You can switch on user and group changes (e.g., the creation of new users or their group membership), and you can catch filesystem access from a particular application, yet ignore other events entirely.
With some forethought, a pinch of trial and error, and a teaspoon of patience, you can help mitigate the immediate confusion of how an attacker has breached a system if such an incident ever occurs. If you have set up the package correctly and monitored the affected system events, then auditd will be a true lifesaver in such a scenario: I expect my containers to benefit dramatically as a result.
Chris Binnie's latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also talks you through making your servers invisible, performing penetration testing, and mitigating unwelcome attacks. You can find out more about DevOps, DevSecOps, containers, and Linux security on his website at http://www.containersecurity.net .
Special Thanks: This article was made possible by support from Linux Professional Institute