In the last few years, container utilization to build, share, and run applications has grown significantly. This growth comes from the fact that containers give developers the ability to package application code and all its dependencies. Also, with containers, users can gain an extra layer of security thanks to the isolation capabilities it provides. The introduction of Docker containers has paved the way for many organizations to easily host applications within containers. Docker containers are standardized, lightweight, and secure runtime instances of a Docker image.

Containers out-of-the-box do not provide security monitoring. Therefore, it is important to have a comprehensive view of what is happening in runtime. This ensures that containers operate smoothly without security issues that can easily affect other containers and the entire infrastructure. Some security aspects to continuously watch out for when running Docker containers are:

• Container management: Docker container management involves supervising actions performed on a container to keep it running smoothly. Threat actors can get hold of containers and perform malicious activities such as viewing critical content, opening ports, creating, stopping or even destroying containers. Ability to distinguish unusual Docker events can be challenging. Observing these actions in near real-time as they occur can help organizations running Docker containers make better informed decisions.

• Container resource consumption: Monitoring the performance of a container provides insight into its resource utilization. Some core resources include CPU, memory, disk, and network traffic. With resource monitoring, organizations can track container resource consumption and set measures to increase efficiency. These actions prevent imbalances of container resources in Dockerized infrastructures. Additionally, it allows better visibility of infrastructures in the event of a security incident.

• Container health: Container health checks aid an organization in knowing its workload availability. The health status of a container is different from its actual state of operation. For example, a container can run while a web server running in the container may be down and unable to handle requests. This can be due to an attack that, if not monitored, can persist and cause damage to an organization. Monitoring the health status of a container helps to reduce an attack surface and prevent anomalies in the container.

Organizations need to identify and resolve threats quickly and proactively to avoid risks of compromise. For this, keeping track of the above criteria is indispensable and can be accomplished through the use of security monitoring solutions.

Wazuh is an open source security platform with unified XDR and SIEM capabilities. Its architecture comprises the Wazuh central components (server, indexer, and dashboard) and a universal agent. The solution provides protection for devices in clouds and on-premises infrastructures. Wazuh has many features ranging from container monitoring, file integrity monitoring, vulnerability detection, security configuration assessment, and more. Wazuh is multi-platform and expands its flexibility through integration with other security solutions.

Figure 1 below shows an example of real-time monitoring of Docker containers using Wazuh.

Figure 1: Real-time monitoring of Docker containers using Wazuh

For the use cases below, the Wazuh agent is installed on endpoints running Docker containers. The agent collects security and runtime data from the containers and forwards it to the Wazuh server for log analysis, correlation, and alerting.

Monitoring container events

Wazuh has a Docker module that communicates with the Docker Engine API to gather information on Docker containers. The only configuration necessary is to enable the Docker listener module to allow us to monitor Docker events. The Wazuh dashboard in Figure 2 below shows an example of detected container events in a Docker environment.

Figure 2: Docker events detected in a Docker environment

Monitoring container resource utilization

Wazuh can be used to monitor the performance of Docker containers in an endpoint.  The Wazuh command monitoring module allows you to monitor the output of specific commands and trigger alerts accordingly. This gives organizations a clear view of the container for abnormal activities. The Wazuh dashboard in Figure 3 below shows the CPU, memory, and network traffic consumption of containers in an endpoint. 

Figure 3: Resource consumption of containers in a Docker environment

Monitoring container health

The Wazuh command monitoring module is used to monitor the health status of containers in Dockerized environments. Figure 4 below shows the health status of containers running on an endpoint.

Figure 4: Health status of containers in a Docker environment

Robust monitoring and easy debugging are key factors for container security. This ensures complete coverage of metrics and the events happening in your Dockerized container infrastructures. We have seen how Wazuh facilitates and improves an organization's visibility through its container security monitoring capabilities. Visit this documentation to get a detailed explanation of how to perform container monitoring with Wazuh.

Wazuh is free to use, easy to deploy, and has a continuously growing community that supports thousands of users. To get started with Wazuh, visit the Quickstart installation guide and explore the features it provides.