Centralized and remote logging is configured
Description
Docker supports various logging mechanisms. A preferable method for storing logs is one that supports centralized and remote management.
Rationale
Centralized and remote logging ensures that important log records survive even if the host that produced them is compromised or suffers a major data availability issue, since the records are no longer stored only on that host. Docker supports various logging drivers and you should use the one that best corresponds to your IT security policy.
Audit
Review the Logging Driver property setting by running:
docker info --format '{{ .LoggingDriver }}'
Alternatively, inspect the command line of the running dockerd process and review its --log-driver setting.
Also review /etc/docker/daemon.json for the log-driver setting. If neither is set, the daemon is using the default json-file driver, which keeps logs only on the local host.
Remediation
- Set up the desired log driver following its documentation.
- Start the docker daemon using that logging driver, either with the --log-driver and --log-opt flags or with the equivalent log-driver and log-opts keys in /etc/docker/daemon.json. For example:
dockerd --log-driver=syslog --log-opt syslog-address=tcp://192.xxx.xxx.xxx
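The audit and remediation steps above can be scripted. The following shell script is an added example and is not part of the CIS benchmark or of Docker's own tooling. It reads the log-driver value from a daemon.json file (falling back to the json-file default when the key is absent), classifies json-file, local and none as host-only drivers and everything else as remote-capable (that classification is this example's assumption, not a rule from the benchmark), and reports PASS or FAIL with a matching exit status. The daemon.json contents it checks are constructed sample input; the live check against a running daemon uses the same docker info command as the audit text.

```shell
#!/bin/sh
# Added example: audit daemon.json / a running daemon for a centralized
# logging driver. Not from the CIS benchmark or from Docker.

# Assumption of this example: these drivers keep logs only on the local
# host; any other driver (syslog, gelf, fluentd, awslogs, splunk, ...) is
# treated as shipping logs off the host.
LOCAL_ONLY_DRIVERS="json-file local none"

# Print the "log-driver" value from a daemon.json file. Prints "json-file"
# (Docker's default) when the key is missing or the file does not exist.
daemon_log_driver() {
    driver=$(sed -n 's/.*"log-driver"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1)
    if [ -z "$driver" ]; then
        echo "json-file"
    else
        echo "$driver"
    fi
}

# Return 0 when the driver ships logs off the host, 1 otherwise.
is_centralized_driver() {
    for d in $LOCAL_ONLY_DRIVERS; do
        [ "$1" = "$d" ] && return 1
    done
    return 0
}

# Audit a daemon.json file: prints PASS/FAIL and returns 0/1 for scripting.
audit_daemon_json() {
    driver=$(daemon_log_driver "$1")
    if is_centralized_driver "$driver"; then
        echo "PASS: log-driver=$driver"
        return 0
    fi
    echo "FAIL: log-driver=$driver keeps container logs on the local host only"
    return 1
}

# Same check against the running daemon, using the command from the audit
# text. Only runs when a docker client is present.
audit_running_daemon() {
    command -v docker >/dev/null 2>&1 || { echo "SKIP: docker client not found"; return 0; }
    driver=$(docker info --format '{{ .LoggingDriver }}')
    if is_centralized_driver "$driver"; then
        echo "PASS: running daemon uses log-driver=$driver"
        return 0
    fi
    echo "FAIL: running daemon uses log-driver=$driver"
    return 1
}

# Demo on constructed sample files (not real daemon configuration).
sample_ok=$(mktemp)
sample_bad=$(mktemp)
cat > "$sample_ok" <<'EOF'
{
  "log-driver": "syslog",
  "log-opts": { "syslog-address": "tcp://192.0.2.10:514" }
}
EOF
cat > "$sample_bad" <<'EOF'
{ "data-root": "/var/lib/docker" }
EOF
audit_daemon_json "$sample_ok"
audit_daemon_json "$sample_bad" || :
rm -f "$sample_ok" "$sample_bad"
```

The sample address 192.0.2.10 is a documentation-range placeholder, not a real collector. One caveat when remediating: with a driver other than json-file, local or journald, the docker logs command cannot read container output on older Engine releases; Engine 20.10 and later keep a local cache ("dual logging") so that docker logs keeps working while the driver forwards records to the remote endpoint.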
Impact
None.
Default value
By default, container logs are written to JSON files on the local host by the json-file logging driver.
References
- https://docs.docker.com/engine/admin/logging/overview/
CIS controls
Version 6
6.6 Deploy SIEM or Log Analytic Tools - Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.
6.8 Regularly Tune SIEM - On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.