HIDS for Docker Host

  • I am in the process of configuring Wazuh for Docker hosts. I would like to brainstorm a bit on here and figure out what may be important to monitor on these hosts vs standard VMs.

    Some of the things I have come up with so far:

    • Changes to any containers - create, start, stop, delete, etc

    • Any privilege escalation - Docker containers should never be run as root. If root access is somehow achieved within the container, they will have root access to the host. So any sudo or commands run as root would be REALLY bad

    • File Integrity Monitoring - Files should not change on hosts outside normal maintenance windows. Any file change on the host that isn't a log file or temp directory could be a really bad thing.

    So I am also monitoring all the same stuff I would on a normal host. I am just trying to think of any security challenges that may be unique to docker hosts.
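A starting agent-side ossec.conf fragment that maps the three items above (container lifecycle, host privilege use, FIM) onto Wazuh modules, added here as an example and not taken from the post above or from the Wazuh project; the directory list, ignore paths and intervals are assumptions for a Debian-style host and should be tuned to the environment.

```xml
<ossec_config>
  <!-- Container lifecycle: subscribe to the Docker Engine event stream
       (create, start, stop, die, destroy, exec_create ...). The agent
       needs the docker Python SDK and read access to the Docker socket. -->
  <wodle name="docker-listener">
    <disabled>no</disabled>
    <interval>10m</interval>      <!-- wait before reconnecting after a failure -->
    <attempts>5</attempts>        <!-- reconnection attempts -->
    <run_on_start>yes</run_on_start>
  </wodle>

  <!-- File Integrity Monitoring on host paths a container escape or
       out-of-window maintenance would touch. Realtime mode alerts on
       change instead of waiting for the next scheduled scan. -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>  <!-- full scan every 12h as a backstop -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/docker,/etc/systemd/system</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc/sudoers,/etc/sudoers.d,/etc/passwd,/etc/group</directories>
    <directories check_all="yes" realtime="yes">/etc/shadow,/usr/bin,/usr/sbin,/usr/local/bin</directories>
    <!-- Overlay layers and container stdout logs change constantly;
         excluding them keeps the host FIM alerts meaningful. -->
    <ignore>/var/lib/docker/overlay2</ignore>
    <ignore>/var/lib/docker/containers</ignore>
  </syscheck>

  <!-- Privilege use on the host (sudo, su, root logins) is decoded by
       the stock syslog/auth rules; this just makes sure the log is read. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
```

The docker-listener wodle only reports what the Docker daemon emits, so whether a container runs as root or with --privileged is better checked separately (for example by periodically inspecting running containers) rather than expected from the event stream.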