Containers security monitoring

Wazuh is used to monitor for signs of security incidents across containers, alerting in real time. Wazuh protects container workloads at two different levels:

Infrastructure level

Wazuh provides the following mechanisms to monitor Docker hosts or Kubernetes nodes:

  • Integration with Docker engine and Kubernetes APIs: In this scenario, the Wazuh module for Docker acts as a subscriber. It listens for Docker or Kubernetes events, being able to alert when an anomaly or security incident is detected.

  • Wazuh agent deployment to Docker hosts and Kubernetes nodes: For a self-managed infrastructure, the deployment of the Wazuh agent provides a comprehensive set of security capabilities, such as malware detection, file integrity monitoring, configuration assessment, log data analysis, vulnerability detection and active responses.

  • Integration with hosted infrastructure providers (e.g. Google GKE, Amazon EKS, etc.): In this case, the Wazuh modules for cloud security monitoring download the managed service audit logs for security analysis.

Example of security alerts at an infrastructure level:

A Docker image is downloaded or updated

A container is running in privileged mode

Kubernetes configuration is changed

Hardening checks fail for the Docker host

A new container or Pod is created

A user runs a command or a shell inside a container

A new application is installed on the Docker host

Vulnerabilities are detected on the Docker host

Example of alert when a Docker container is created:

{
  "agent": {
      "id": "006",
      "ip": "10.0.1.214",
      "name": "RHEL7"
  },
  "data": {
      "docker": {
          "Action": "create",
          "Actor": {
              "Attributes": {
                  "image": "nginx",
                  "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>",
                  "name": "nginx_container"
              },
              "ID": "e9730949586a38d8ab25990234fb8ccba428e3ec1c8bfbf12fe08ed279aaf11d"
          },
          "Type": "container",
          "from": "nginx",
          "id": "e9730949586a38d8ab25990234fb8ccba428e3ec1c8bfbf12fe08ed279aaf11d",
          "scope": "local",
          "status": "create",
          "time": "1599186260",
          "timeNano": "1599186260265422592.000000"
      }
  },
  "rule": {
      "description": "Docker: Container nginx_container created",
      "level": 3,
      "id": "87901"
  },
  "timestamp": "2020-09-04T02:24:20.266+0000"
}

Example of alert when a command is executed inside a container:

{
  "agent": {
      "id": "006",
      "ip": "10.0.1.214",
      "name": "RHEL7"
  },
  "data": {
      "docker": {
          "Action": "exec_start: cat /etc/passwd",
          "Actor": {
              "Attributes": {
                  "execID": "363d220ce7a34c521707477d14b7700e4fb26987f9f4e27bc558788ce66570b4",
                  "image": "nginx",
                  "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>",
                  "name": "nginx_container"
              },
              "ID": "e9730949586a38d8ab25990234fb8ccba428e3ec1c8bfbf12fe08ed279aaf11d"
          },
          "Type": "container",
          "from": "nginx",
          "id": "e9730949586a38d8ab25990234fb8ccba428e3ec1c8bfbf12fe08ed279aaf11d",
          "scope": "local",
          "status": "exec_start: cat /etc/passwd",
          "time": "1599186799",
          "timeNano": "1599186799425748992.000000"
      }
  },
  "rule": {
      "description": "Docker: Command launched in container nginx_container",
      "level": 3,
      "id": "87907"
  },
  "timestamp": "2020-09-04T02:33:19.431+0000"
}

Container level

In order to get visibility at a container level, you can deploy the Wazuh agent to a Kubernetes DaemonSet container. This kind of deployment ensures that the Wazuh agent will run in all nodes of your Kubernetes cluster. Besides, other Kubernetes Pods will be able to send data (e.g. application log messages) to the DaemonSet container, so the agent can process it and forward it to the Wazuh server for security analysis.

Example of security alerts at a container level:

New process created in a container

File integrity monitoring alerts

New application installed in a container

Vulnerability detected in a container

Log analysis alert (e.g. Nginx event)

Hardening check failed in a container