Audit sudo docker usage

tl;dr

grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'

Explanation

One way to secure docker is to allow users to run it with sudo. Alternatively, you can add users to a group named “docker,” but this doesn’t provide the auditing that sudo has by default.

So you can whip up a nice, neat little sudoers.d file similar to:

User_Alias CONT_POC_USERS = %container_sudoers@ADDOMAIN
Runas_Alias CONT_POC_RUNAS = root
Host_Alias CONT_POC_HOSTS = cn-node-5*, cn-node-5*.example.com
Cmnd_Alias CONT_POC_CMNDS = /usr/bin/docker *
CONT_POC_USERS CONT_POC_HOSTS=(CONT_POC_RUNAS) CONT_POC_CMNDS

With a security posture where you will not allow anything to run in a container as root, you can audit compliance with a few regular expressions.

grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -vE -- "(-u|--user)"
grep -E "sudo:.*docker.*exec.*" /var/log/secure | grep -E -- '(-u|--user)\s*root'

I haven’t figured out how to have the negative and positive searches in one string, so any input there would be appreciated!

Also, I have not figured out how to actually enforce running the docker exec command only with a -u username flag, without writing a much more complicated whitelist of docker build *, docker commit *, docker container *, docker cp * et al statements which seems like a lot of work but might ultimately be necessary.

Advertisements

Docker cannot write to mounted volume

So you’ve already investigated the permissions, and the selinux context. There are no errors in the audit logs.

And if you’re using a directory like /var/lib/docker/db, it will have context unconfined_u:object_r:container_var_lib_t:s0.

For mounting with -v /var/lib/docker/db/appname:/opt/application/ and it to be readable, you will need a new context.

semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/docker/db(/.*)?'

Installing docker behind a proxy

Installing docker behind a proxy

If you are trying to install docker behind a proxy, you might run into multiple problems.
The first one is getting the gpg key for apt.
From the install instructions for ubuntu, you see the directive to download the apt key. What they don’t tell you on that page is that you need an extra cli option like so:

sudo apt-key adv --keyserver-options http-proxy=http://proxy.example.com:8080/ --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

Pulling images behind a proxy

And then of course since you’re behind that proxy, you might have issues with docker downloading images.
Here are the condensed instructions from the full explanation at the official docker docs.

mkdir /etc/systemd/system/docker.service.d
cat </etc/sytemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/" "NO_PROXY=localhost,127.0.0.1,docker-registry.somecorporation.com"
EOF
systemctl daemon-reload
systemctl restart docker

Reference