Docker Integration

​

Overview

​

Key Features

• Real-time container lifecycle monitoring
• Container creation and destruction tracking
• Image usage monitoring
• Container state change detection
• Network activity logging
• Volume mount tracking
• Docker daemon event collection
• Resource usage monitoring

​

Data Source Configuration

const DOCKER_GROUP_KEY = 'wazuh.integration.name';
const DOCKER_GROUP_VALUE = 'docker';

​

Monitored Events

​

Container Lifecycle Events

• create - Container created
• start - Container started
• stop - Container stopped
• restart - Container restarted
• pause - Container paused
• unpause - Container unpaused
• die - Container stopped (exit code captured)
• kill - Container killed
• destroy - Container removed

​

Container Operations

• attach - Attached to container
• commit - Container committed to image
• copy - Files copied to/from container
• exec - Command executed in container
• export - Container filesystem exported
• resize - Container terminal resized
• top - Container processes listed
• update - Container configuration updated

​

Image Events

• pull - Image pulled from registry
• push - Image pushed to registry
• tag - Image tagged
• untag - Image tag removed
• delete - Image deleted
• import - Image imported
• load - Image loaded from archive
• save - Image saved to archive

​

Network Events

• connect - Container connected to network
• disconnect - Container disconnected from network
• create - Network created
• destroy - Network removed

​

Volume Events

• create - Volume created
• mount - Volume mounted
• unmount - Volume unmounted
• destroy - Volume removed

​

Event Fields

• data.docker.Type - Event type (container, image, network, volume)
• data.docker.Action - Action performed (start, stop, create, etc.)
• data.docker.Actor.ID - Container or object ID
• data.docker.Actor.Attributes.image - Container image name
• data.docker.Actor.Attributes.name - Container name
• data.docker.from - Parent image
• data.docker.time - Event timestamp
• data.docker.timeNano - High-precision timestamp

​

Setup and Configuration

​

Prerequisites

• Docker Engine installed and running
• Wazuh agent installed on Docker host
• Access to Docker socket (/var/run/docker.sock)
• Appropriate permissions for Wazuh agent

​

Configuration Steps

1. Configure Docker Socket Access Add Wazuh user to Docker group:
   sudo usermod -aG docker wazuh
   
   Or configure Docker socket permissions:
   sudo chmod 666 /var/run/docker.sock
   
2. Configure Wazuh Agent Edit /var/ossec/etc/ossec.conf on the agent:
   <wodle name="docker-listener">
     <disabled>no</disabled>
     <attempts>5</attempts>
     <run_on_start>yes</run_on_start>
     <interval>10m</interval>
   </wodle>
   
3. Alternative: Remote Docker API For remote Docker daemon monitoring:
   <wodle name="docker-listener">
     <disabled>no</disabled>
     <attempts>5</attempts>
     <run_on_start>yes</run_on_start>
     <interval>10m</interval>
     <url>tcp://remote-docker-host:2375</url>
   </wodle>
   
   Note: Ensure Docker API is secured with TLS in production.
4. TLS Configuration (Recommended) For secure remote monitoring:
   <wodle name="docker-listener">
     <disabled>no</disabled>
     <url>tcp://remote-docker-host:2376</url>
     <ssl_verify_certificate>yes</ssl_verify_certificate>
     <ssl_ca_cert>/path/to/ca.pem</ssl_ca_cert>
     <ssl_cert>/path/to/cert.pem</ssl_cert>
     <ssl_key>/path/to/key.pem</ssl_key>
   </wodle>
   
5. Verify Configuration
   • Restart Wazuh agent: systemctl restart wazuh-agent
   • Check agent logs: tail -f /var/ossec/logs/ossec.log
   • Verify Docker events are being collected
   • Check dashboard for Docker events

​

Dashboard Visualizations

​

Overview Dashboard

• Top 5 Images - Most used container images
• Top 5 Events - Most frequent Docker events
• Events Over Time - Timeline of Docker activities
• Container Actions - Distribution of container operations
• Image Actions - Image-related operations

• plugins/main/public/components/overview/docker/dashboards/dashboard-panels.ts:4
• plugins/main/public/components/overview/docker/dashboards/dashboard-panels.ts:68

​

Filtering Events

wazuh.integration.name: "docker"

• By action: data.docker.Action: "start"
• By image: data.docker.Actor.Attributes.image: "nginx:latest"
• By container: data.docker.Actor.Attributes.name: "my-container"
• By type: data.docker.Type: "container"

​

Use Cases

​

Container Security Monitoring

• Runtime Security
  • Detect unauthorized container creation
  • Monitor privilege escalation attempts
  • Track suspicious exec commands
  • Identify unusual container behavior
• Image Security
  • Track image pull sources
  • Monitor unauthorized image usage
  • Detect unknown or unapproved images
  • Identify outdated or vulnerable images
• Access Control
  • Monitor Docker socket access
  • Track API authentication events
  • Identify unauthorized operations
  • Detect credential misuse

​

Compliance and Auditing

• Change Management
  • Container lifecycle audit trail
  • Configuration change tracking
  • Image version control
  • Deployment verification
• Regulatory Compliance
  • PCI DSS container isolation requirements
  • HIPAA container security monitoring
  • SOC 2 change management controls
  • NIST container security guidelines

​

Operational Monitoring

• Availability Tracking
  • Container crash detection
  • Restart loop identification
  • Failed container starts
  • Service availability monitoring
• Resource Management
  • Container resource usage tracking
  • Image storage consumption
  • Volume usage monitoring
  • Network usage analysis

​

DevOps and CI/CD

• Deployment Monitoring
  • Track container deployments
  • Monitor rollout progress
  • Identify deployment failures
  • Verify configuration updates
• Build Pipeline Security
  • Monitor image builds
  • Track registry pushes
  • Verify image signatures
  • Audit build artifacts

​

Common Security Scenarios

​

Detecting Cryptocurrency Mining

• Unexpected container creation
• High CPU usage containers
• Unknown base images
• Containers with suspicious names

​

Identifying Container Escapes

• Privileged container creation
• Host namespace access
• Unusual volume mounts
• Docker socket mounting

​

Supply Chain Attacks

• Image pull sources
• Unknown registry usage
• Image tag changes
• Unverified image pulls

​

Insider Threats

• After-hours container operations
• Mass container creation/deletion
• Sensitive data volume mounts
• Unauthorized image exports

​

Troubleshooting

​

No Events Appearing

• Permission Issues
  • Check Wazuh user Docker group membership
  • Verify Docker socket permissions
  • Review SELinux/AppArmor policies
• Configuration Issues
  • Verify wodle is enabled
  • Check Docker daemon is running
  • Ensure Docker socket path is correct
  • Review Wazuh agent logs

​

Connection Errors

• Local Socket
  # Test Docker socket access
  sudo -u wazuh docker ps
  
  # Check socket permissions
  ls -l /var/run/docker.sock
  
• Remote API
  # Test API connectivity
  curl https://remote-docker-host:2376/version
  
  # Verify TLS certificates
  openssl s_client -connect remote-docker-host:2376
  

​

Missing Specific Events

• Verify Docker daemon is logging events
• Check Docker daemon configuration
• Ensure event types are not filtered
• Review Docker version compatibility

​

Performance Issues

• Adjust polling interval based on container activity
• Implement event filtering at source
• Monitor Wazuh agent resource usage
• Consider dedicated monitoring agent for large deployments

​

Security Best Practices

1. Docker Daemon Security
   • Use TLS for remote API access
   • Implement authentication and authorization
   • Limit Docker socket exposure
   • Use rootless Docker when possible
2. Image Security
   • Use trusted registries only
   • Implement image scanning
   • Enforce image signing
   • Regular vulnerability assessments
3. Container Hardening
   • Run containers as non-root
   • Use read-only filesystems
   • Limit container capabilities
   • Implement resource constraints
4. Network Security
   • Isolate container networks
   • Use overlay networks for multi-host
   • Implement network policies
   • Monitor inter-container communication
5. Monitoring Strategy
   • Alert on critical events (privileged containers, etc.)
   • Regular audit log reviews
   • Baseline normal behavior
   • Implement anomaly detection

​

Advanced Configuration

​

Event Filtering

<wodle name="docker-listener">
  <disabled>no</disabled>
  <run_on_start>yes</run_on_start>
  <interval>10m</interval>
  <filter_events>
    <container>create,start,stop,die,kill,destroy</container>
    <image>pull,delete</image>
  </filter_events>
</wodle>

​

High-Volume Environments

<wodle name="docker-listener">
  <disabled>no</disabled>
  <interval>5m</interval>
  <attempts>3</attempts>
  <run_on_start>no</run_on_start>
  <buffer_size>8192</buffer_size>
</wodle>

​

Multiple Docker Hosts

• Centralized event collection
• Per-host event tagging
• Aggregated dashboard views
• Cross-host correlation

​

Integration with Orchestration

​

Kubernetes

• Deploy Wazuh agent as DaemonSet
• Monitor Docker events on each node
• Correlate with Kubernetes events
• Track pod lifecycle events

​

Docker Swarm

• Monitor manager nodes
• Track service deployments
• Monitor stack operations
• Audit secret usage

​

Docker Compose

• Track compose stack operations
• Monitor service dependencies
• Audit configuration changes
• Verify service health

​

Related Resources

• Cloud Integrations Overview
• GitHub Integration
• System Auditing
• Configuration Assessment
• Docker Security Documentation