In the last few years, the use of containers to build, share, and run applications has grown significantly. This growth comes from the fact that containers give developers the ability to package application code together with all its dependencies. Containers also give users an extra layer of security thanks to the isolation capabilities they provide. The introduction of Docker containers has paved the way for many organizations to easily host applications within containers. Docker containers are standardized, lightweight, and secure runtime instances of a Docker image.
Containers out-of-the-box do not provide security monitoring. Therefore, it is important to have a comprehensive view of what is happening in runtime. This ensures that containers operate smoothly without security issues that can easily affect other containers and the entire infrastructure. Some security aspects to continuously watch out for when running Docker containers are:
Organizations need to identify and resolve threats quickly and proactively to avoid risks of compromise. For this, keeping track of the above criteria is indispensable and can be accomplished through the use of security monitoring solutions.
Wazuh is an open source security platform with unified XDR and SIEM capabilities. Its architecture comprises the Wazuh central components (server, indexer, and dashboard) and a universal agent. The solution provides protection for devices in cloud and on-premises infrastructures. Wazuh's features include container monitoring, file integrity monitoring, vulnerability detection, security configuration assessment, and more. Wazuh is multi-platform and extends its flexibility through integration with other security solutions.
Figure 1 below shows an example of real-time monitoring of Docker containers using Wazuh.
Figure 1: Real-time monitoring of Docker containers using Wazuh
For the use cases below, the Wazuh agent is installed on endpoints running Docker containers. The agent collects security and runtime data from the containers and forwards it to the Wazuh server for log analysis, correlation, and alerting.
Wazuh has a Docker module that communicates with the Docker Engine API to gather information on Docker containers. The only configuration necessary is to enable the Docker listener module, which allows Docker events to be monitored. The Wazuh dashboard in Figure 2 below shows an example of container events detected in a Docker environment.
Figure 2: Docker events detected in a Docker environment
Wazuh can be used to monitor the performance of Docker containers on an endpoint. The Wazuh command monitoring module allows you to monitor the output of specific commands and trigger alerts accordingly. This gives organizations a clear view of container activity and makes abnormal behavior easier to spot. The Wazuh dashboard in Figure 3 below shows the CPU, memory, and network traffic consumption of containers on an endpoint.
Figure 3: Resource consumption of containers in a Docker environment
The Wazuh command monitoring module is used to monitor the health status of containers in Dockerized environments. Figure 4 below shows the health status of containers running on an endpoint.
Figure 4: Health status of containers in a Docker environment
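As an added illustration that is not part of the original post, the fragment below shows how the three pieces described above fit together in Wazuh configuration: the Docker listener module enabled in the agent's ossec.conf, two command monitoring entries that produce the resource and health data shown in Figures 3 and 4, and a pair of custom rules on the server that raise an alert when a container reports itself unhealthy. The docker format strings, the interval, frequency and alias values, and the rule IDs are assumptions chosen for this example, not values taken from the post.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf (assumed values for interval, frequency and alias) -->
<ossec_config>
  <!-- Docker listener: subscribes to Docker Engine API events (create, start, stop, exec, ...) -->
  <wodle name="docker-listener">
    <interval>10m</interval>            <!-- retry interval if the Docker socket is unreachable -->
    <attempts>5</attempts>
    <run_on_start>yes</run_on_start>
    <disabled>no</disabled>
  </wodle>

  <!-- Command monitoring: CPU, memory and network usage per container (Figure 3) -->
  <localfile>
    <log_format>full_command</log_format>
    <command>docker stats --no-stream --format "{{.Name}} cpu={{.CPUPerc}} mem={{.MemPerc}} net={{.NetIO}}"</command>
    <alias>docker_stats</alias>
    <frequency>60</frequency>            <!-- seconds between runs -->
  </localfile>

  <!-- Command monitoring: container status including health check state (Figure 4) -->
  <localfile>
    <log_format>full_command</log_format>
    <command>docker ps --all --format "{{.Names}} {{.Status}}"</command>
    <alias>docker_health</alias>
    <frequency>60</frequency>
  </localfile>
</ossec_config>

<!-- Server side: /var/ossec/etc/rules/local_rules.xml (custom rule IDs in the 100000+ range) -->
<group name="docker,">
  <!-- Rule 530 is the built-in parent for "ossec: output:" command monitoring events -->
  <rule id="100200" level="3">
    <if_sid>530</if_sid>
    <match>ossec: output: 'docker_health'</match>
    <description>Docker container status report.</description>
  </rule>
  <!-- Escalate when any container in the report is marked unhealthy by its HEALTHCHECK -->
  <rule id="100201" level="10">
    <if_sid>100200</if_sid>
    <match>unhealthy</match>
    <description>Docker container reported unhealthy.</description>
  </rule>
</group>
```

The Docker listener requires Python 3 and the Docker Python library on the agent host; restart the agent after editing ossec.conf and the manager after adding the rules so both take effect.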
Robust monitoring and easy debugging are key factors for container security. This ensures complete coverage of metrics and the events happening in your Dockerized container infrastructures. We have seen how Wazuh facilitates and improves an organization's visibility through its container security monitoring capabilities. Visit this documentation to get a detailed explanation of how to perform container monitoring with Wazuh.
Wazuh is free to use, easy to deploy, and has a continuously growing community that supports thousands of users. To get started with Wazuh, visit the Quickstart installation guide and explore the features it provides.