Monitoring containers activity

The Docker wodle (Wazuh module) collects events from Docker containers, such as a container starting, stopping or pausing, and turns them into Wazuh alerts.

Requirements

The following dependencies are required by the wodle:

  • Linux system.

  • Python 2.7 or newer.

  • Python Docker library: it can be installed with the pip install docker command. Starting with Wazuh v3.9.0, this requirement is met by default on the Wazuh manager; it only needs to be installed manually on previous versions or on Wazuh agents.

Configuration

Note

In the following examples, the configuration is done on the Docker host, which collects the events sent by the Docker containers running on it. This host may be either a server with a Wazuh agent or a Wazuh manager installed.

To use the Docker listener module, it is only necessary to enable the wodle in the /var/ossec/etc/ossec.conf file of the server running Docker; this can also be done through Centralized Configuration. Once enabled, the wodle starts a new thread that listens for Docker events.

<wodle name="docker-listener">
    <disabled>no</disabled>
</wodle>

Then restart the Wazuh service on the host where the listener will run.

Use cases

Below, you can see some examples of alerts caused by container activity.

Start a Docker container

The command docker start apache, which starts a container called apache, generates the following alert:

{
    "timestamp": "2018-10-05T17:15:33.892+0200",
    "rule": {
        "level": 3,
        "description": "Container apache started",
        "id": "87903",
        "mail": false,
        "groups": [
            "docker"
        ]
    },
    "agent": {
        "id": "002",
        "name": "agent001",
        "ip": "192.168.122.19"
    },
    "manager": {
        "name": "localhost.localdomain"
    },
    "id": "1538752533.76076",
    "cluster": {
        "name": "wazuh",
        "node": "master"
    },
    "full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"start\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"start\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752533, \"timeNano\": 1538752533877226210}}",
    "decoder": {
        "name": "json"
    },
    "data": {
        "integration": "docker",
        "docker": {
            "status": "start",
            "id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
            "from": "httpd",
            "Type": "container",
            "Action": "start",
            "Actor": {
                "ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
                "Attributes": {
                    "image": "httpd",
                    "name": "apache"
                }
            },
            "time": "1538752533",
            "timeNano": "1538752533877226240.000000"
        }
    },
    "location": "Wazuh-Docker"
}

Stop a Docker container

This alert is generated by the command docker stop apache:

{
    "timestamp": "2018-10-05T17:16:53.412+0200",
    "rule": {
        "level": 3,
        "description": "Container apache stopped",
        "id": "87904",
        "mail": false,
        "groups": [
            "docker"
        ]
    },
    "agent": {
        "id": "002",
        "name": "agent001",
        "ip": "192.168.122.19"
    },
    "manager": {
        "name": "localhost.localdomain"
    },
    "id": "1538752613.100231",
    "cluster": {
        "name": "wazuh",
        "node": "master"
    },
    "full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"stop\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"stop\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752613, \"timeNano\": 1538752613407075872}}",
    "decoder": {
        "name": "json"
    },
    "data": {
        "integration": "docker",
        "docker": {
            "status": "stop",
            "id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
            "from": "httpd",
            "Type": "container",
            "Action": "stop",
            "Actor": {
                "ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
                "Attributes": {
                    "image": "httpd",
                    "name": "apache"
                }
            },
            "time": "1538752613",
            "timeNano": "1538752613407075840.000000"
        }
    },
    "location": "Wazuh-Docker"
}

Pause a Docker container

The command docker pause apache generates the following alert:

{
    "timestamp": "2018-10-05T17:17:54.988+0200",
    "rule": {
        "level": 3,
        "description": "Container apache paused",
        "id": "87905",
        "mail": false,
        "groups": [
            "docker"
        ]
    },
    "agent": {
        "id": "002",
        "name": "agent001",
        "ip": "192.168.122.19"
    },
    "manager": {
        "name": "localhost.localdomain"
    },
    "id": "1538752674.104889",
    "cluster": {
        "name": "wazuh",
        "node": "master"
    },
    "full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"pause\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"pause\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752674, \"timeNano\": 1538752674984734790}}",
    "decoder": {
        "name": "json"
    },
    "data": {
        "integration": "docker",
        "docker": {
            "status": "pause",
            "id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
            "from": "httpd",
            "Type": "container",
            "Action": "pause",
            "Actor": {
                "ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
                "Attributes": {
                    "image": "httpd",
                    "name": "apache"
                }
            },
            "time": "1538752674",
            "timeNano": "1538752674984734720.000000"
        }
    },
    "location": "Wazuh-Docker"
}

Unpause a Docker container

This is the alert for the docker unpause apache command:

{
    "timestamp": "2018-10-05T17:18:35.373+0200",
    "rule": {
        "level": 3,
        "description": "Container apache unpaused",
        "id": "87906",
        "mail": false,
        "groups": [
            "docker"
        ]
    },
    "agent": {
        "id": "002",
        "name": "agent001",
        "ip": "192.168.122.19"
    },
    "manager": {
        "name": "localhost.localdomain"
    },
    "id": "1538752715.105822",
    "cluster": {
        "name": "wazuh",
        "node": "master"
    },
    "full_log": "{\"integration\": \"docker\", \"docker\": {\"status\": \"unpause\", \"id\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"from\": \"httpd\", \"Type\": \"container\", \"Action\": \"unpause\", \"Actor\": {\"ID\": \"018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620\", \"Attributes\": {\"image\": \"httpd\", \"name\": \"apache\"}}, \"time\": 1538752715, \"timeNano\": 1538752715369717277}}",
    "decoder": {
        "name": "json"
    },
    "data": {
        "integration": "docker",
        "docker": {
            "status": "unpause",
            "id": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
            "from": "httpd",
            "Type": "container",
            "Action": "unpause",
            "Actor": {
                "ID": "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620",
                "Attributes": {
                    "image": "httpd",
                    "name": "apache"
                }
            },
            "time": "1538752715",
            "timeNano": "1538752715369717248.000000"
        }
    },
    "location": "Wazuh-Docker"
}
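The four alerts above (start, stop, pause, unpause) all share one shape: full_log carries the raw Docker event as a JSON string, and data.docker is the decoded copy. Note that in the decoded copy the numbers have become strings and timeNano has passed through a double-precision float, so its last digits differ from the value in full_log. The following script is an added example, not part of the Wazuh documentation or the wodle's own code: it rebuilds the page's four alerts from their container ID and timestamps (the rest of each sample is constructed), re-parses the exact event from full_log, and runs two constructed defender checks over them. The image allowlist, the protected-container list and the make_alert helper are assumptions made for this example only.

```python
import json

# Container ID and timestamps taken from the alerts shown above; everything
# else in the sample alerts is constructed for this example.
CONTAINER_ID = "018205fa7e170e32578b8487e3b7040aad00b8accedb983bc2ad029238ca3620"


def make_alert(action, rule_id, time_s, time_ns, image="httpd", name="apache"):
    """Build a sample alert with the shape the Docker wodle produces on this page.

    full_log carries the raw Docker event; data is the decoded copy, where the
    numbers have become strings and timeNano has passed through a double, so
    its low digits change exactly as they do in the page's alerts.
    """
    event = {
        "status": action, "id": CONTAINER_ID, "from": image, "Type": "container",
        "Action": action,
        "Actor": {"ID": CONTAINER_ID, "Attributes": {"image": image, "name": name}},
        "time": time_s, "timeNano": time_ns,
    }
    full_log = json.dumps({"integration": "docker", "docker": event})
    decoded = json.loads(full_log)
    decoded["docker"]["time"] = str(time_s)
    decoded["docker"]["timeNano"] = "%f" % float(time_ns)
    return {
        "rule": {"id": rule_id, "level": 3, "groups": ["docker"]},
        "agent": {"id": "002", "name": "agent001", "ip": "192.168.122.19"},
        "full_log": full_log,
        "data": decoded,
        "location": "Wazuh-Docker",
    }


# The four use cases from this page, in the order they happened.
SAMPLE_ALERTS = [
    make_alert("start", "87903", 1538752533, 1538752533877226210),
    make_alert("stop", "87904", 1538752613, 1538752613407075872),
    make_alert("pause", "87905", 1538752674, 1538752674984734790),
    make_alert("unpause", "87906", 1538752715, 1538752715369717277),
]


def parse_docker_event(alert):
    """Extract the fields a detection needs from one Wazuh Docker alert.

    The raw event is re-parsed from full_log rather than read from data.docker,
    so that timeNano keeps its exact nanosecond value.
    """
    raw = json.loads(alert["full_log"])
    if raw.get("integration") != "docker":
        raise ValueError("not an alert from the Docker wodle")
    ev = raw["docker"]
    attrs = ev.get("Actor", {}).get("Attributes", {})
    return {
        "agent": alert["agent"]["name"],
        "type": ev.get("Type"),
        "action": ev.get("Action"),
        "container": attrs.get("name"),
        "image": attrs.get("image"),
        "container_id": ev.get("id"),
        "time_ns": int(ev["timeNano"]),
    }


# Constructed policy for this example: which images may run on the host, and
# which containers should never be stopped or paused without a change record.
ALLOWED_IMAGES = {"httpd"}
PROTECTED_CONTAINERS = {"apache"}


def evaluate(event, allowed_images=ALLOWED_IMAGES, protected=PROTECTED_CONTAINERS):
    """Return the findings a defender would raise for one container event."""
    findings = []
    if event["type"] != "container":
        return findings
    if event["action"] == "start" and event["image"] not in allowed_images:
        findings.append("%s: container %s started from unapproved image %s"
                        % (event["agent"], event["container"], event["image"]))
    if event["action"] in ("stop", "pause", "kill", "die") and event["container"] in protected:
        findings.append("%s: protected container %s received action '%s'"
                        % (event["agent"], event["container"], event["action"]))
    return findings


def timeline(alerts):
    """Order events by exact nanosecond time; returns (time_ns, container, action)."""
    events = sorted((parse_docker_event(a) for a in alerts), key=lambda e: e["time_ns"])
    return [(e["time_ns"], e["container"], e["action"]) for e in events]


def review(alerts):
    """Run evaluate() over every alert and collect all findings."""
    return [f for a in alerts for f in evaluate(parse_docker_event(a))]


if __name__ == "__main__":
    for finding in review(SAMPLE_ALERTS):
        print(finding)
    for entry in timeline(SAMPLE_ALERTS):
        print(entry)
```

Reading the event from full_log is the design choice worth copying: for the first alert, data.docker.timeNano is "1538752533877226240.000000" while full_log holds 1538752533877226210, so a detection that orders or correlates events at nanosecond resolution should not rely on the decoded copy. With the constructed policy, the script reports the stop and the pause of the protected apache container and stays silent on the start from the approved httpd image and on the unpause.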