Monitoring Docker events
Docker automates the deployment of applications inside software containers. The ThreatLockDown docker-listener module subscribes to the Docker events stream on the host, forwards each event to the manager, and alerts on container activity in real time. In this use case, you configure ThreatLockDown to monitor Docker events on an Ubuntu endpoint that hosts Docker containers.
See the Monitoring container activity section of the documentation to learn more about monitoring Docker and the docker-listener module.
Infrastructure
Endpoint | Description
---|---
Ubuntu 22.04 | The Docker host where you create and delete containers. The ThreatLockDown agent runs here.
Configuration
Perform the following steps to install Docker on the Ubuntu endpoint and configure ThreatLockDown to monitor Docker events.
Install Python and pip:
$ sudo apt install python3 python3-pip
Upgrade pip:
$ pip3 install --upgrade pip
Install Docker and the Python Docker library. The docker-listener module runs under wazuh-modulesd as root, so install the library system-wide with sudo rather than for your own user only:
$ curl -sSL https://get.docker.com/ | sh
$ sudo pip3 install docker==4.2.0 urllib3==1.26.18
Piping a remote installer into a shell executes unreviewed code on the host; if your change-control policy requires it, download the script first, inspect it, and then run it.
Edit the ThreatLockDown agent configuration file /var/ossec/etc/ossec.conf and add this block to enable the docker-listener module:
<ossec_config>
  <wodle name="docker-listener">
    <interval>10m</interval>
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>
</ossec_config>
Here interval is the time the module waits before retrying after it fails to connect to the Docker service, attempts is the number of retries, and run_on_start makes the module start listening as soon as the agent starts rather than waiting for the first interval.
Restart the ThreatLockDown agent to apply the changes:
$ sudo systemctl restart wazuh-agent
Test the configuration
Perform several Docker activities, such as pulling an image, starting a container, running other Docker commands inside it, and then deleting the container.
Pull an image, such as the NGINX image, and run a container:
$ sudo docker pull nginx
$ sudo docker run -d -P --name nginx_container nginx
$ sudo docker exec -it nginx_container cat /etc/passwd
$ sudo docker exec -it nginx_container /bin/bash
$ exit
Stop and remove the container:
$ sudo docker stop nginx_container
$ sudo docker rm nginx_container
Visualize the alerts
You can visualize the alert data in the ThreatLockDown dashboard. To do this, go to the Threat Hunting module and add the following filter in the search bar to query the Docker alerts:
rule.groups: "docker"
Additionally, use the Filter by type search field to apply the data.docker.Action filter, which shows which action each event represents (for example pull, create, start, exec_create, stop, and destroy for the sequence above).
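The script below is an added example, not part of the ThreatLockDown documentation or product. It does offline what the two dashboard filters above do: it reads alerts.json lines, keeps those whose rule.groups contains "docker", and counts data.docker.Action per data.docker.Type. It also shows one detection a practitioner usually wants on top of that view: Docker encodes the command of a docker exec in the Action itself ("exec_create: /bin/bash"), so an interactive shell started inside a container can be flagged directly from the alert. The alert field layout (rule.groups, data.docker.Type, data.docker.Action, data.docker.Actor.Attributes.name) is assumed from the docker-listener decoder; the sample lines, rule descriptions, agent name and container ID are constructed to mirror the test sequence above and are not real alerts.

```python
"""Summarise docker-listener alerts from a ThreatLockDown alerts.json file.

Added example, not the product's own code. Assumes the docker-listener alert
layout: rule.groups contains "docker" and the Docker event sits under
data.docker with Type, Action and Actor.Attributes.name.
"""
import json
import sys
from collections import Counter

# Shell binaries whose exec_create inside a container is worth surfacing.
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


def _docker_alert(typ, action, name, image="nginx"):
    """Build one constructed alert line in docker-listener shape (test data)."""
    return json.dumps({
        "rule": {"level": 3, "groups": ["docker"],
                 "description": f"Docker: {typ} {name} {action}"},
        "agent": {"name": "ubuntu-docker"},          # constructed agent name
        "data": {"integration": "docker",
                 "docker": {"Type": typ, "Action": action,
                            "Actor": {"ID": "c0ffee",  # constructed ID
                                      "Attributes": {"name": name, "image": image}},
                            "scope": "local", "time": "1700000000"}}})


# Constructed sample mirroring pull, run, exec, stop, rm, plus one unrelated
# alert and one truncated line (alerts.json is appended live, so partial
# last lines are normal).
SAMPLE_ALERTS = "\n".join([
    _docker_alert("image", "pull", "nginx:latest"),
    _docker_alert("container", "create", "nginx_container"),
    _docker_alert("container", "start", "nginx_container"),
    _docker_alert("container", "exec_create: cat /etc/passwd", "nginx_container"),
    _docker_alert("container", "exec_start: cat /etc/passwd", "nginx_container"),
    _docker_alert("container", "exec_create: /bin/bash ", "nginx_container"),
    _docker_alert("container", "exec_start: /bin/bash ", "nginx_container"),
    _docker_alert("container", "stop", "nginx_container"),
    _docker_alert("container", "destroy", "nginx_container"),
    json.dumps({"rule": {"level": 5, "groups": ["sshd", "authentication_failed"]},
                "data": {"srcip": "10.0.0.5"}}),
    "{not valid json",
])


def parse_alerts(text):
    """Parse one JSON alert per line, skipping blank or truncated lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def docker_alerts(alerts):
    """Equivalent of the dashboard filter rule.groups: "docker"."""
    return [a for a in alerts if "docker" in a.get("rule", {}).get("groups", [])]


def action_counts(alerts):
    """Count data.docker.Action per data.docker.Type (the Filter-by-type view)."""
    counts = Counter()
    for a in docker_alerts(alerts):
        ev = a["data"]["docker"]
        counts[(ev.get("Type"), ev.get("Action"))] += 1
    return counts


def interactive_shells(alerts):
    """Return (container name, command) for exec_create events that spawn a shell."""
    found = []
    for a in docker_alerts(alerts):
        ev = a["data"]["docker"]
        action = ev.get("Action", "")
        if not action.startswith("exec_create: "):
            continue
        cmd = action[len("exec_create: "):].strip()
        binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if binary in SHELLS:
            found.append((ev["Actor"]["Attributes"].get("name"), cmd))
    return found


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            alerts = parse_alerts(fh.read())
    else:
        alerts = parse_alerts(SAMPLE_ALERTS)
    for (typ, action), n in sorted(action_counts(alerts).items()):
        print(f"{n:3d}  {typ:<10} {action}")
    for name, cmd in interactive_shells(alerts):
        print(f"shell exec in container {name!r}: {cmd}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to process the constructed sample, or point it at the manager's alert file (alerts are generated on the manager, not on the agent): `python3 docker_alerts.py /var/ossec/logs/alerts/alerts.json`. The exec_create check is deliberately narrow; widening SHELLS or matching on exec_start instead changes what you alert on, so adjust it to the workloads you expect to see.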
Troubleshooting
Error log: wazuh-modulesd:docker-listener: ERROR: /usr/bin/env: ‘python’: No such file or directory
Location: ThreatLockDown agent log, /var/ossec/logs/ossec.log
Cause: the module launches its listener script through /usr/bin/env python, and Ubuntu 22.04 ships python3 without a python command on the PATH.
Resolution: create a symbolic link so that python resolves to python3:
$ sudo ln -s /usr/bin/python3 /usr/bin/python
On Ubuntu you can instead install the python-is-python3 package, which provides the same link through the package manager.