Observability and Security Monitoring in Containers and Containerized Applications

Intro

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.

Container images become containers at runtime and in the case of Docker containers — images become containers when they run on Docker Engine. Available for both Linux and Windows-based applications, containerized software will always run the same, regardless of the infrastructure. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging.

Observability and Metrics for Containers.

Agent: Telegraf

TSDB: InfluxDB

The Docker plugin for Telegraf collects images, running containers and metrics for each of the containers enabled in the host:

CONTAINER — CPU USAGE

CONTAINER — MEMORY USAGE

CONTAINER — NETWORK USAGE

Vulnerability Management

EDR: Wazuh Agent

Vulnerability scanner: Snyk

Wazuh and Snyk (snyk.io) integration to scan Docker image vulnerabilities.

Snyk will help you find and automatically fix vulnerabilities in your code, open source dependencies, containers, and infrastructure as code.

In this integration we’ll use Snyk’s CLI to scan for vulnerabilities in the Docker images and all their dependencies.

NOTE: Wazuh can use all the features available in an agent to monitor Docker servers and it can also monitor container activity. With the Snyk integration we aim at finding vulnerable packages included in the Docker images that might put the containerised applications at risk.

Snyk CLI

Snyk runs as a single binary, no installation required.

The Linux binary can be found here

This article from Snyk’s documentation explains how to use Snyk’s CLI for Docker security.

The Snyk CLI needs to be initialised before being used. In order to do that, you’ll have to create and register an account in their platform (snyk.io). The registration is free. More details on how to initialise the CLI here

Wazuh Capability:

Wodle Command configured to run periodic security scans in all Docker images used in the host. Full details in our Github repo.

Jq is used in the agent (Docker host) to filter and parse the Snyk CLI output.

Wazuh remote commands execution must be enabled (Docker host).

• Bash script to be run via wodle command will list all Docker images in the system and will run Snyk’s CLI to spot known vulnerabilities in all the packages used to build the image.
• The JSON output will be appended to the active responses log file.
  - Detection rules in Wazuh manager will trigger alerts based on the scan results.

VULNERABILITY SCAN — SUMMARY

VULNERABILITY SCAN — FULL REPORT

Security Events in Containers Using Falco

EDR: Wazuh Agent

Event Collector: Falco

Integrating Falco with the Wazuh agent security events in the containers can be collected and sent to the Wazuh manager for analysis and alerting.

CONTAINERS — SECURITY EVENTS

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html