Investigating container security with auditd

Container Check

This Is the End

As you can tell, I have barely scratched the surface of the venerable auditd package. You can switch on user and group changes (e.g., the creation of new users or their group membership), and you can catch filesystem access from a particular application, yet ignore other events entirely.

With some forethought, a pinch of trial and error, and a teaspoon of patience, you can help mitigate the immediate confusion of how an attacker has breached a system if such an incident ever occurs. If you have set up the package correctly and monitored the affected system events, then auditd will be a true lifesaver in such a scenario: I expect my containers to benefit dramatically as a result.
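As an added example (not code from the article or the auditd project), the small triage script below reads raw auditd SYSCALL records, groups them by the key tag that a `-k` option puts on a watch rule, lets you ignore a named executable, and lists failed accesses to watched paths. The sample records, the key names `identity` and `container-fs`, and the paths are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of raw audit.log records (format as written by auditd); the keys
# are assumed to come from watch rules such as '-w /etc/passwd -p wa -k identity'.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1514904765.123:456): arch=c000003e syscall=257 success=yes exit=3 ppid=2201 pid=2210 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=PATH msg=audit(1514904765.123:456): item=0 name="/etc/passwd" inode=1337 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1514904790.500:457): arch=c000003e syscall=257 success=yes exit=4 ppid=2201 pid=2215 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="identity"
type=SYSCALL msg=audit(1514904812.007:458): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=3107 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" key="container-fs"
type=SYSCALL msg=audit(1514904830.250:459): arch=c000003e syscall=2 success=no exit=-13 ppid=3107 pid=3150 auid=4294967295 uid=1001 gid=1001 euid=1001 tty=(none) ses=4294967295 comm="sh" exe="/bin/busybox" key="container-fs"
"""

# Record header: type, timestamp and serial number; everything after it is key=value fields.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# Field values are either double-quoted strings (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Turn one raw audit line into a dict; returns None for lines that are not audit records."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for name, value in FIELD_RE.findall(m.group("body")):
        rec[name] = value.strip('"')
    return rec


def syscall_records(log_text):
    """Yield only SYSCALL records that carry a rule key (i.e. matched one of our watches)."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "SYSCALL" and "key" in rec:
            yield rec


def summarize(log_text, ignore_exe=()):
    """Count watched events per (key, executable), dropping executables you chose to ignore.
    The in-kernel equivalent is an exclusion rule such as '-a never,exit -F exe=/usr/bin/dockerd'."""
    counts = Counter()
    for rec in syscall_records(log_text):
        if rec.get("exe") in ignore_exe:
            continue
        counts[(rec["key"], rec.get("exe", "?"))] += 1
    return counts


def failed_accesses(log_text):
    """Return (serial, key, exe) for watched syscalls that failed: often the first sign of probing."""
    return [(r["serial"], r["key"], r.get("exe")) for r in syscall_records(log_text) if r.get("success") == "no"]
```

Run it against a copy of /var/log/audit/audit.log (or the output of `ausearch --raw`) to get a first picture of which keys fired and from which binaries.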

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also talks you through making your servers invisible, performing penetration testing, and mitigating unwelcome attacks. You can find out more about DevOps, DevSecOps, containers, and Linux security on his website at http://www.containersecurity.net.
