Enabling Docker Audit
Audit Content
- The Docker daemon runs on the host as the root user. You can configure an audit mechanism on the host to record how the Docker daemon is run and used. If the Docker daemon is attacked, the audit records allow the root cause of the event to be traced. For details about how to enable the audit function, see Enabling Docker Audit.
- The following directories and files store important container information. You are advised to configure the audit function for each of them.
- /usr/bin/dockerd
- /var/lib/docker
- /etc/docker
- /etc/default/docker
- /etc/sysconfig/docker
- /etc/docker/daemon.json
- /usr/bin/docker-containerd
- /usr/bin/containerd
- /usr/bin/docker-runc
- docker.service
- docker.socket
The preceding directories are the default Docker installation directories. If a separate partition is created for Docker, the paths may change. For details about how to enable the audit function, see Enabling Docker Audit.
Enabling Docker Audit
By default, the audit function is disabled on the host. To enable it, first install the auditd software (in the Ubuntu system, run the apt install -y auditd command), then add an audit rule as follows:
- Add rules to the /etc/audit/audit.rules file. Each rule occupies one line and has the following format:
    -w file_path -k docker
Table 1 Parameters

Parameter | Description
-w        | Adds a watch on the specified file or directory path.
file_path | Path of the file or directory for which the audit rule is enabled.
          | - If file_path is set to /usr/bin/docker, the host audits the Docker daemon.
          | - If file_path is set to /etc/docker, the host audits the Docker directories and key files.
-k        | Key string attached to the generated audit records so that they can be filtered by keyword (here, docker).
If the /etc/audit/audit.rules file contains the line "This file is automatically generated from /etc/audit/rules.d", any modification made directly to that file is overwritten and therefore invalid. In this case, you need to modify the /etc/audit/rules.d/audit.rules file for the modification to take effect. For example, in the Ubuntu system, you need to modify the /etc/audit/rules.d/audit.rules file.
- After the configuration is complete, restart the audit daemon (auditd) so that the new rules are loaded:
    service auditd restart
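The whole procedure above (generate one -w rule per watched path, pick the rules file that is actually honoured on the host, append the rules idempotently, restart auditd) as an added shell example; this is not code from the original page or from the Docker or auditd projects. It assumes a systemd layout for docker.service and docker.socket, falls back to /usr/lib/systemd/system/ when systemctl cannot resolve a unit (both are assumptions), and the function names and the DOCKER_AUDIT_APPLY switch are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example, not from the original page: builds the auditd watch rules for the
# Docker files and directories listed above, writes them to whichever rules file is
# actually honoured on this host, and reloads auditd.

# Paths taken from the page's list. docker.service and docker.socket are resolved
# to unit files by unit_path() below.
DOCKER_AUDIT_PATHS="/usr/bin/dockerd /var/lib/docker /etc/docker /etc/default/docker
/etc/sysconfig/docker /etc/docker/daemon.json /usr/bin/docker-containerd
/usr/bin/containerd /usr/bin/docker-runc"
DOCKER_AUDIT_UNITS="docker.service docker.socket"

# Resolve a systemd unit name to its unit file. Uses systemctl when present;
# otherwise falls back to /usr/lib/systemd/system/<unit> (assumption: systemd layout).
unit_path() {
    p=""
    if command -v systemctl >/dev/null 2>&1; then
        p=$(systemctl show -p FragmentPath "$1" 2>/dev/null | cut -d= -f2)
    fi
    [ -n "$p" ] || p="/usr/lib/systemd/system/$1"
    printf '%s\n' "$p"
}

# Print one "-w <path> -k docker" rule per watched path, in the format the page gives.
docker_audit_rules() {
    for path in $DOCKER_AUDIT_PATHS; do
        printf '%s\n' "-w $path -k docker"
    done
    for unit in $DOCKER_AUDIT_UNITS; do
        printf '%s\n' "-w $(unit_path "$unit") -k docker"
    done
}

# Decide which file to edit: if audit.rules carries the "automatically generated"
# header, augenrules regenerates it from rules.d on every restart, so the rules.d
# copy is the one to change. Both paths are parameters so a test can use temp files.
audit_rules_target() {
    main_file=${1:-/etc/audit/audit.rules}
    rulesd_file=${2:-/etc/audit/rules.d/audit.rules}
    if [ -f "$main_file" ] && grep -q 'automatically generated from /etc/audit/rules.d' "$main_file"; then
        printf '%s\n' "$rulesd_file"
    else
        printf '%s\n' "$main_file"
    fi
}

# Append each rule that is not already present in the target file, so re-running
# the script does not duplicate rules.
install_docker_audit_rules() {
    target=$1
    touch "$target"
    docker_audit_rules | while IFS= read -r rule; do
        grep -qxF -e "$rule" "$target" || printf '%s\n' "$rule" >>"$target"
    done
}

# Apply on a real host only when explicitly requested (needs root and auditd);
# otherwise the functions above can be sourced and inspected without side effects.
if [ "${DOCKER_AUDIT_APPLY:-0}" = 1 ]; then
    target=$(audit_rules_target)
    install_docker_audit_rules "$target"
    service auditd restart
    auditctl -l | grep -e '-k docker'   # confirm the docker watches are loaded
fi
```

Run it as root with DOCKER_AUDIT_APPLY=1 to apply the rules; afterwards, records for the watched paths can be pulled with ausearch -k docker, which is why every rule carries the same -k key.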