Can OSSEC be used to check files which are inside a Docker container? From what I have read, OSSEC can only monitor file integrity of the host machine.
Yes, you may configure an OSSEC or Wazuh agent to do File Integrity Monitoring within docker containers.
Docker uses the OverlayFS storage driver that places the file structure of containers within the /var/lib/docker/overlay2/ directory (or /var/lib/docker/overlay/ in older versions). More information on this can be found here: https://docs.docker.com/storage/storagedriver/overlayfs-driver/

To determine which is the folder of the container you wish to monitor, you may use the inspect command:

docker inspect <container-name> | grep MergedDir

and then configure OSSEC or Wazuh to monitor this path.

For example, let's say you have an nginx container and want to monitor its configuration files:
The first step is to determine the container's folder:
and then add the directory to monitor in the ossec.conf file of your OSSEC or Wazuh agent:

A detailed explanation of how to configure File Integrity Monitoring can be found here: https://documentation.wazuh.com/3.13/user-manual/capabilities/file-integrity/fim-configuration.html
If you also want to monitor the docker server activity, you can use the Wazuh docker module: https://documentation.wazuh.com/3.13/docker-monitor/monitoring_containers_activity.html
Best regards,
Sandra.
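
The procedure from the answer above, as an added example that is not part of the original post or of the OSSEC/Wazuh projects: a shell script that pulls MergedDir out of docker inspect output and prints the matching directories line for the syscheck section of ossec.conf. The sample inspect JSON, the ID 0123abcd and the function names are constructed for illustration; check_all and realtime are standard syscheck attributes.

```shell
#!/bin/sh
# Added example: turn `docker inspect` output into an ossec.conf FIM entry.

# Constructed sample of the relevant part of `docker inspect <container>`.
SAMPLE_INSPECT='[{"Name": "/nginx-demo", "GraphDriver": {"Data": {
  "LowerDir": "/var/lib/docker/overlay2/0123abcd-init/diff",
  "MergedDir": "/var/lib/docker/overlay2/0123abcd/merged",
  "UpperDir": "/var/lib/docker/overlay2/0123abcd/diff"}, "Name": "overlay2"}}]'

# Read inspect JSON on stdin, print the first MergedDir value found.
merged_dir_from_inspect() {
    sed -n 's/.*"MergedDir"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print a <directories> line for an absolute path inside the container.
# Rejects a MergedDir outside Docker's overlay storage and any ".." segment,
# so a malformed value never becomes a monitored host path.
fim_entry() {
    merged=$1
    inner=$2
    case $merged in
        /var/lib/docker/overlay2/*/merged|/var/lib/docker/overlay/*/merged) ;;
        *) echo "unexpected MergedDir: '$merged'" >&2; return 1 ;;
    esac
    case $inner in
        */../*|*/..) echo "path must not contain '..': $inner" >&2; return 1 ;;
        /*) ;;
        *) echo "container path must be absolute: $inner" >&2; return 1 ;;
    esac
    printf '<directories check_all="yes" realtime="yes">%s%s</directories>\n' \
        "$merged" "$inner"
}

if [ "$#" -eq 2 ]; then
    # Live use: ./fim-entry.sh <container-name> <path-in-container>
    dir=$(docker inspect "$1" | merged_dir_from_inspect)
    fim_entry "$dir" "$2"
else
    # Demo on the constructed sample: nginx configuration directory.
    dir=$(printf '%s\n' "$SAMPLE_INSPECT" | merged_dir_from_inspect)
    fim_entry "$dir" /etc/nginx
fi
```

The printed line goes inside the existing syscheck section of ossec.conf. MergedDir is only mounted while the container is running and its ID changes when the container is recreated, so the entry has to be regenerated after a redeploy.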