tl;dr
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'
Explanation
One way to control access to docker is to require users to run it through sudo. Alternatively, you can add users to a group named “docker,” but that doesn’t give you the auditing that sudo provides by default.
So you can whip up a nice, neat little sudoers.d file similar to:
User_Alias  CONT_POC_USERS = %container_sudoers@ADDOMAIN
Runas_Alias CONT_POC_RUNAS = root
Host_Alias  CONT_POC_HOSTS = cn-node-5*, cn-node-5*.example.com
Cmnd_Alias  CONT_POC_CMNDS = /usr/bin/docker *
CONT_POC_USERS CONT_POC_HOSTS=(CONT_POC_RUNAS) CONT_POC_CMNDS
With a security posture where you will not allow anything to run in a container as root, you can audit compliance with a few regular expressions.
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'
I haven’t figured out how to have the negative and positive searches in one string, so any input there would be appreciated!
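As an added example (not part of the original post), the two grep pipelines folded into a single awk pass: awk can apply the negative test (no -u/--user) and the positive test (root or UID 0) to each line, which grep -E cannot do in one pattern. The sample log lines, host name and user names are constructed to match the /var/log/secure sudo format and are assumptions.

```shell
#!/bin/sh
# Constructed sample lines in /var/log/secure sudo format (not taken from the original post).
SAMPLE_LOG='Jan 10 12:00:01 cn-node-51 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker exec -it web /bin/bash
Jan 10 12:00:02 cn-node-51 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/docker exec -u root web id
Jan 10 12:00:03 cn-node-51 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/docker exec --user=root web id
Jan 10 12:00:04 cn-node-51 sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/docker exec -u appuser web id
Jan 10 12:00:05 cn-node-51 sudo:      eve : TTY=pts/4 ; PWD=/home/eve ; USER=root ; COMMAND=/usr/bin/docker ps
Jan 10 12:00:06 cn-node-51 sudo:    frank : TTY=pts/5 ; PWD=/home/frank ; USER=root ; COMMAND=/usr/bin/docker exec -itu 0 web id'

# audit_docker_exec: read sudo log lines on stdin and print every "docker exec"
# that runs as container root: no -u/--user flag at all, or an explicit root / UID 0.
# Usage on a real host: audit_docker_exec < /var/log/secure
audit_docker_exec() {
    awk '
        /sudo:.*COMMAND=.*docker +exec/ {
            # Only the text after COMMAND= is the docker command line.
            cmd = substr($0, index($0, "COMMAND="))
            # Short flags may be bundled (-itu), so allow letters before the u.
            has_user = cmd ~ /(^| )(-[a-zA-Z]*u|--user([ =]|$))/
            # "-u root", "--user=root", "-u 0" and "-u 0:0" all resolve to root;
            # the plain grep for "-u root" misses the "=" and UID forms.
            is_root  = cmd ~ /(^| )(-[a-zA-Z]*u|--user)[ =]*(root|0)([ :]|$)/
            if (!has_user || is_root) print
        }'
}

printf '%s\n' "$SAMPLE_LOG" | audit_docker_exec
```

On the constructed input this prints the alice, bob, carol and frank lines and skips dave (non-root user) and eve (no exec).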
Also, I have not figured out how to actually enforce running the docker exec command only with a -u username flag without writing a much more complicated whitelist of docker build *, docker commit *, docker container *, docker cp *, et al. statements, which seems like a lot of work but might ultimately be necessary.