Docker daemon activities should be audited








Set up the docker integration.


Audit all Docker daemon activities.


As well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.


Verify that there are audit rules for the Docker daemon. To see the rules associated with the Docker daemon, run:

auditctl -l | grep /usr/bin/dockerd


You should add rules for the Docker daemon. For example, add the following line to the /etc/audit/audit.rules file:

-w /usr/bin/dockerd -k docker 

Then restart the audit daemon using the following command:

service auditd restart


Auditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.

Default value

By default, the Docker daemon is not audited.



CIS controls

Version 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Version 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.

Version 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.