Docker container support is native for Agents in Investigate and legacy packages. To enable Docker, contact the Support Team or your customer success manager.
While running the Linux Agent 2.x+ in a Docker containerized environment, an error message might appear in your log files stating you are running an unsupported version of Docker. We apologize for the inconvenience and recommend disregarding this error. For additional information about our supported versions for Docker containers, see System Requirements.
Docker Feature Overview
Docker container events integrate seamlessly into the security, operations, and compliance feature sets of the App Infrastructure Protection (AIP) Cloud Security Platform® (CSP). Additionally, AIP provides a default Docker rule set called the Docker Rule Set.
We support the following Docker features:
- Audit events related to Docker Containers on the host
- Audit user and process activity on the Docker Containers
- Audit file change events with Docker Container file systems
The AIP Docker support was designed with the following use cases in mind:

| Use Case | Description |
| --- | --- |
| Host Actions Related to Docker | Know when a new Docker image is pulled or run. |
| User Actions on Container | Receive an alert on any user executing shell commands in the container. |
| Docker Configuration Files on Host | Audit all Docker configuration files on the host. |
| File Changes on Container | Audit any file changes on the container. |
| Network Connections to/from Containers | Know of any network connection initiated to or from the container, and get alerted on deviations. |
Docker Specific Event Keys
Support for Docker includes the following additional Docker-specific keys, which can be used in event searches and rules.

| Key | Type | Value Description | Present in Event Types |
| --- | --- | --- | --- |
| containerId | string | ID assigned to a container | Docker events |
| containerImage | string | Image name and tag of a container | Docker events |
Search Docker Events
On the Events page, you can search for Docker events by specific containerId values. To return all Docker events, search for containerId != null
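The following is an added example, not AIP or Threat Stack product code, showing what the containerId != null search and the "User Actions on Container" use case above amount to when applied to a batch of events. Only containerId and containerImage are keys documented on this page; the user and command field names, and the sample events themselves, are constructed for illustration.

```python
"""Added example (not product code): filter events the way the
`containerId != null` search does, then apply a simple rule that flags
a shell being executed inside a container.

Assumptions: `containerId` and `containerImage` are the documented keys;
`user` and `command` are hypothetical field names used only here.
"""
import shlex
from collections import Counter

# Constructed sample events (not real platform output). Host-only events
# either carry containerId = None or omit the container keys entirely;
# both are excluded by `containerId != null`.
SAMPLE_EVENTS = [
    {"containerId": "3f2a9c1d7e5b", "containerImage": "nginx:1.25",
     "user": "root", "command": "/bin/sh -c 'cat /etc/hostname'"},
    {"containerId": "3f2a9c1d7e5b", "containerImage": "nginx:1.25",
     "user": "root", "command": "nginx -g 'daemon off;'"},
    {"containerId": "9b8e7d6c5a4f", "containerImage": "redis:7",
     "user": "redis", "command": "redis-server /etc/redis.conf"},
    {"containerId": None, "containerImage": None,
     "user": "ubuntu", "command": "docker pull redis:7"},
    {"user": "ubuntu", "command": "bash -l"},  # host shell, no container keys
    {"containerId": "9b8e7d6c5a4f", "containerImage": "redis:7",
     "user": "root", "command": "bash"},
]

# Interactive shells whose execution inside a container is worth an alert.
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


def docker_events(events):
    """Equivalent of the page's `containerId != null` search."""
    return [e for e in events if e.get("containerId") is not None]


def events_per_image(events):
    """Count Docker events per containerImage; a cheap way to spot an image
    that is unexpectedly active."""
    return Counter(e["containerImage"] for e in docker_events(events))


def shell_in_container(events):
    """Rule for the 'User Actions on Container' use case: any user executing
    a shell inside a container. Returns (containerId, containerImage, user)."""
    hits = []
    for e in docker_events(events):
        cmd = e.get("command", "")
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes; fall back to a plain split
            argv = cmd.split()
        # Compare the basename so /bin/sh and sh are treated alike.
        if argv and argv[0].rsplit("/", 1)[-1] in SHELLS:
            hits.append((e["containerId"], e["containerImage"], e.get("user")))
    return hits


if __name__ == "__main__":
    print(len(docker_events(SAMPLE_EVENTS)), "Docker events")
    print(dict(events_per_image(SAMPLE_EVENTS)))
    for hit in shell_in_container(SAMPLE_EVENTS):
        print("shell in container:", hit)
```

The host-side "bash -l" event is deliberately not flagged: it has no containerId, so it falls outside the Docker search and would belong to a host rule instead.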