Wazuh Container Security - Docker and Kubernetes
Wazuh provides container environment security monitoring through the Docker listener module and integration with Kubernetes audit logs. The platform tracks container lifecycle events, user actions on Docker resources, and changes in orchestrated deployments. Container security complements traditional host-based monitoring and ensures visibility in dynamic environments where containers are created and destroyed within minutes.
Docker Listener Module
The docker-listener module monitors Docker daemon events: container starts and stops, image downloads, command execution inside containers, and other operations.
Configuration
The module is configured in ossec.conf on the agent installed on the Docker host:
```xml
<wodle name="docker-listener">
  <interval>10m</interval>
  <attempts>5</attempts>
  <run_on_start>yes</run_on_start>
  <disabled>no</disabled>
</wodle>
```
Configuration Parameters
| Parameter | Default | Description |
|---|---|---|
| disabled | no | Enable or disable the module (yes/no) |
| interval | 1m | Interval between event checks (s/m/h/d) |
| attempts | 5 | Number of retry attempts on connection failure |
| run_on_start | yes | Start on agent service startup (yes/no) |
Advanced Scheduling
```xml
<!-- Execute at a specific time -->
<wodle name="docker-listener">
  <time>00:00</time>
  <disabled>no</disabled>
  <attempts>3</attempts>
</wodle>

<!-- Execute on specific days of the week -->
<wodle name="docker-listener">
  <wday>monday</wday>
  <time>06:00</time>
  <disabled>no</disabled>
</wodle>
```
Prerequisites
The module requires:
- Python 3 installed on the Docker host
- Docker SDK for Python: `pip3 install docker`
- The Wazuh agent must have access to the Docker socket (`/var/run/docker.sock`)
Docker Event Monitoring
The Docker listener tracks the following event categories:
Container Events
| Event | Description |
|---|---|
| start | Container started |
| stop | Container stopped |
| create | Container created |
| destroy | Container removed |
| pause / unpause | Container paused and resumed |
| restart | Container restarted |
| exec_create / exec_start | Command executed inside container |
| die | Container crashed |
| kill | Container forcefully terminated |
| attach | Attached to container |
Image Events
| Event | Description |
|---|---|
| pull | Image downloaded from registry |
| push | Image pushed to registry |
| delete | Image deleted |
| tag | Tag assigned to image |
| import | Image imported |
Volume and Network Events
| Event | Description |
|---|---|
| volume create / destroy | Volume created or removed |
| network connect / disconnect | Network connected or disconnected |
Alert Example
When a container starts, Wazuh generates an alert with the following structure:
```json
{
  "rule": {
    "id": "87903",
    "level": 3,
    "description": "Docker: Container started"
  },
  "data": {
    "docker": {
      "Type": "container",
      "Action": "start",
      "Actor": {
        "Attributes": {
          "image": "nginx:latest",
          "name": "web-server"
        }
      }
    }
  }
}
```
Container Runtime Monitoring
Beyond Docker API events, Wazuh monitors processes and the filesystem inside containers when an agent is deployed directly within the container.
Deploying the Agent in a Container
The Wazuh agent can be deployed as a sidecar container or embedded in the application image:
```yaml
# docker-compose.yml
services:
  wazuh-agent:
    image: wazuh/wazuh-agent:4.14.3
    environment:
      - WAZUH_MANAGER=wazuh-manager
      - WAZUH_AGENT_NAME=docker-agent-01
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log:/var/log:ro
    restart: unless-stopped
    network_mode: host
```
Embedding the Agent via Dockerfile
To embed the agent in an application container:
```dockerfile
FROM ubuntu:22.04
# gnupg provides the gpg binary used to dearmor the Wazuh signing key;
# the ubuntu base image does not ship it.
RUN apt-get update && \
    apt-get install -y curl apt-transport-https gnupg && \
    curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --dearmor -o /usr/share/keyrings/wazuh.gpg && \
    echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list && \
    apt-get update && \
    apt-get install -y wazuh-agent && \
    apt-get clean
COPY ossec.conf /var/ossec/etc/ossec.conf
# wazuh-control start daemonizes and returns, which would end the container;
# keep a foreground process so the agent keeps running.
CMD ["/bin/sh", "-c", "/var/ossec/bin/wazuh-control start && tail -f /var/ossec/logs/ossec.log"]
```
Container Log Monitoring
To collect logs from containers, configure localfile on the Docker host:
```xml
<localfile>
  <log_format>json</log_format>
  <location>/var/lib/docker/containers/*/*.log</location>
</localfile>
```
Kubernetes Auditing
Wazuh integrates with Kubernetes through collection and analysis of cluster audit logs. The Kubernetes audit log records all requests to the API server, enabling tracking of resource creation, modification, and deletion.
Kubernetes Audit Policy Configuration
Create an audit policy file for the Kubernetes API server:
```yaml
# audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods", "services", "configmaps", "secrets"]
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings"]
  - level: Request
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach"]
```
Collecting Kubernetes Audit Logs in Wazuh
Configure forwarding of Kubernetes audit logs to the Wazuh agent:
```xml
<localfile>
  <log_format>json</log_format>
  <location>/var/log/kubernetes/audit/audit.log</location>
</localfile>
```
Critical Kubernetes Events
Wazuh includes rules for detecting the following Kubernetes events:
- Creation of privileged containers
- RBAC role and role binding modifications
- Access to cluster secrets
- Command execution via `kubectl exec`
- Containers created with hostPath mounts
- Network policy changes
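The checks behind those six event classes can be worked through offline on audit entries in the `audit.k8s.io/v1` Event shape the API server writes to `audit.log`. The script below is an added example, not Wazuh's rules or any Wazuh code; the audit entries are constructed samples and the tag names (`pod_exec`, `rbac_change`, and so on) are this example's own. One caveat it makes explicit: the privileged-container and hostPath checks need the pod spec, which only appears in `requestObject` when the `pods` resource is logged at `Request` or `RequestResponse` level. The audit policy above logs `pods` at `Metadata`, so those two checks stay silent unless the level for pod creates is raised.

```python
"""Added example (not Wazuh's own code): triage Kubernetes audit log entries
for the critical events listed above, using constructed sample entries."""
import json

# Verbs that change a resource versus verbs that only read it.
MUTATING = {"create", "update", "patch", "delete", "deletecollection"}
READING = {"get", "list", "watch"}


def pod_spec_findings(spec):
    """Flag privileged containers and hostPath volumes in a pod spec taken
    from requestObject. requestObject is only present when the pods resource
    is logged at Request or RequestResponse level (the policy on this page
    logs pods at Metadata, so these checks need a higher level for creates)."""
    findings = []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    if any(c.get("securityContext", {}).get("privileged") is True for c in containers):
        findings.append("privileged_container")
    if any("hostPath" in v for v in spec.get("volumes", [])):
        findings.append("hostpath_mount")
    return findings


def triage(entry):
    """Return the tags (this example's own names) that apply to one audit entry."""
    ref = entry.get("objectRef", {})
    verb = entry.get("verb", "")
    resource = ref.get("resource", "")
    findings = []
    # kubectl exec / attach is a POST (verb "create") to the pods/exec or pods/attach subresource.
    if resource == "pods" and ref.get("subresource") in ("exec", "attach"):
        findings.append("pod_exec")
    if ref.get("apiGroup") == "rbac.authorization.k8s.io" and verb in MUTATING:
        findings.append("rbac_change")
    if resource == "secrets" and verb in READING:
        findings.append("secret_access")
    if resource == "networkpolicies" and verb in MUTATING:
        findings.append("networkpolicy_change")
    if resource == "pods" and verb == "create" and not ref.get("subresource"):
        findings += pod_spec_findings(entry.get("requestObject", {}).get("spec", {}))
    return findings


def scan(lines):
    """Scan newline-delimited audit entries; return (auditID, username, findings)
    for every entry that matched at least one check. Malformed lines are skipped."""
    results = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        # The API server writes one entry per stage for the same request unless
        # the policy sets omitStages; keep ResponseComplete only so a single
        # kubectl command does not produce two findings.
        if entry.get("stage") != "ResponseComplete":
            continue
        findings = triage(entry)
        if findings:
            results.append((entry.get("auditID"), entry.get("user", {}).get("username"), findings))
    return results


# Constructed sample entries (abbreviated audit.k8s.io/v1 Events).
SAMPLE_AUDIT = [
    '{"auditID":"a-1","stage":"ResponseComplete","verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-0","subresource":"exec"},"responseStatus":{"code":101}}',
    '{"auditID":"a-2","stage":"ResponseComplete","verb":"create","user":{"username":"admin"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"ci-admin"},"responseStatus":{"code":201}}',
    '{"auditID":"a-3","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:prod:app"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}',
    '{"auditID":"a-4","stage":"ResponseComplete","verb":"create","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"prod","name":"debug"},"requestObject":{"kind":"Pod","spec":{"containers":[{"name":"shell","image":"busybox","securityContext":{"privileged":true}}],"volumes":[{"name":"root","hostPath":{"path":"/"}}]}},"responseStatus":{"code":201}}',
    '{"auditID":"a-2","stage":"RequestReceived","verb":"create","user":{"username":"admin"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"ci-admin"}}',
    '{"auditID":"a-6","stage":"ResponseComplete","verb":"list","user":{"username":"dev@example.com"},"objectRef":{"resource":"pods","namespace":"prod"},"responseStatus":{"code":200}}',
    '{"auditID":"a-7","stage":"ResponseComplete","verb":"delete","user":{"username":"admin"},"objectRef":{"resource":"networkpolicies","apiGroup":"networking.k8s.io","namespace":"prod","name":"deny-all"},"responseStatus":{"code":200}}',
]

if __name__ == "__main__":
    for audit_id, user, findings in scan(SAMPLE_AUDIT):
        print(f"{audit_id} {user}: {', '.join(findings)}")
```

Entry `a-2` appears twice in the samples, once per audit stage; only the `ResponseComplete` copy is counted. Entry `a-4` carries a `requestObject` as it would if `pods` creates were logged at `Request` level, which is what makes the privileged and hostPath tags possible.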
Container Detection Rules
Wazuh includes a set of built-in rules for container environments. Examples of custom rules:
Detecting a Privileged Container
```xml
<rule id="100300" level="12">
  <if_sid>87901</if_sid>
  <field name="docker.Actor.Attributes.Privileged">true</field>
  <description>Docker: Privileged container started - $(docker.Actor.Attributes.name)</description>
  <mitre>
    <id>T1610</id>
  </mitre>
  <group>container_security,privilege_escalation,</group>
</rule>
```
Detecting exec in a Container
```xml
<rule id="100301" level="8">
  <if_sid>87903</if_sid>
  <field name="docker.Action">exec_start</field>
  <description>Docker: Command executed inside container - $(docker.Actor.Attributes.name)</description>
  <mitre>
    <id>T1609</id>
  </mitre>
  <group>container_security,command_execution,</group>
</rule>
```
Detecting Image Pull from Untrusted Registry
```xml
<rule id="100302" level="10">
  <if_sid>87904</if_sid>
  <field name="docker.Action">pull</field>
  <field name="docker.Actor.Attributes.name" negate="yes">^docker\.io|^registry\.internal</field>
  <description>Docker: Image pulled from untrusted registry</description>
  <group>container_security,supply_chain,</group>
</rule>
```
Docker Dashboard in Wazuh
The Wazuh Dashboard provides a dedicated view for container events. The dashboard displays:
- Container event timeline
- Statistics by event type (start, stop, exec)
- List of active containers
- Security events related to containers
- Image information and versions
Access the dashboard: Wazuh Dashboard - Modules - Docker Listener.
More about Wazuh installation: Quick Start
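To see what the three custom rules from the Container Detection Rules section above actually fire on, the script below applies their field conditions to Docker event records of the shape shown under Alert Example (`Type`, `Action`, `Actor.Attributes`, which the Docker decoder places under `data.docker`). It is an added example written for this page, not Wazuh's rule engine or the docker-listener wodle; rule ids, levels and descriptions are the ones on the page, the events are constructed samples, and the `Privileged` attribute is assumed to be present because rule 100300 assumes it. One behaviour of the untrusted-registry regex is worth knowing: an image pulled by its short Docker Hub name (`nginx:latest`) carries no `docker.io` prefix in the event, so it does not match the trusted pattern and is reported by rule 100302.

```python
"""Added example (not Wazuh's own code): evaluate the page's three custom Docker
rules against constructed Docker event records."""
import json
import re

# Registries accepted by rule 100302 on the page (same pattern as the rule, as a Python regex).
TRUSTED_REGISTRY = re.compile(r"^docker\.io|^registry\.internal")


def lookup(event, path):
    """Resolve a dotted path such as docker.Actor.Attributes.name against an
    event, the way a Wazuh <field name="..."> addresses decoded data. The event
    is nested under "docker" because that is where the alert carries it."""
    node = {"docker": event}
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(event):
    """Apply rules 100300, 100301 and 100302 to one Docker event.

    Returns (rule id, level, description) for the first rule that matches, or
    None when only the base Docker rules would apply."""
    name = lookup(event, "docker.Actor.Attributes.name") or ""
    action = lookup(event, "docker.Action")
    # "Privileged" is not a standard Docker event attribute; rule 100300 on the
    # page assumes the decoder exposes it, and this example follows that assumption.
    privileged = str(lookup(event, "docker.Actor.Attributes.Privileged")).lower()

    if privileged == "true":
        return (100300, 12, f"Docker: Privileged container started - {name}")
    if action == "exec_start":
        return (100301, 8, f"Docker: Command executed inside container - {name}")
    if action == "pull" and not TRUSTED_REGISTRY.search(name):
        return (100302, 10, "Docker: Image pulled from untrusted registry")
    return None


def scan(lines):
    """Evaluate newline-delimited JSON Docker events and return the matches in
    order; malformed lines are skipped instead of aborting the run."""
    matches = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = evaluate(event)
        if hit:
            matches.append(hit)
    return matches


# Constructed sample events in the shape Docker's events API emits.
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"start","Actor":{"ID":"a1b2","Attributes":{"image":"nginx:latest","name":"web-server"}}}',
    '{"Type":"container","Action":"start","Actor":{"ID":"c3d4","Attributes":{"image":"busybox","name":"debug-box","Privileged":"true"}}}',
    '{"Type":"container","Action":"exec_start","Actor":{"ID":"a1b2","Attributes":{"name":"web-server","execID":"e5f6"}}}',
    '{"Type":"image","Action":"pull","Actor":{"ID":"registry.internal/app:1.0","Attributes":{"name":"registry.internal/app:1.0"}}}',
    '{"Type":"image","Action":"pull","Actor":{"ID":"registry.example.net/tool:latest","Attributes":{"name":"registry.example.net/tool:latest"}}}',
    '{"Type":"image","Action":"pull","Actor":{"ID":"nginx:latest","Attributes":{"name":"nginx:latest"}}}',
    'not a json record',
]

if __name__ == "__main__":
    for rule_id, level, description in scan(SAMPLE_EVENTS):
        print(f"rule {rule_id} level {level}: {description}")
```

The plain `start` event for `web-server` produces no custom match, which is the expected case: it is still alerted on by the base Docker rule shown under Alert Example, only with no custom rule layered on top.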
Troubleshooting
Docker Listener Not Collecting Events
- Verify Python 3 and Docker SDK are installed: `pip3 show docker`
- Confirm the agent has access to `/var/run/docker.sock`
- Check that the `wazuh` user has read permissions on the Docker socket
- Review `/var/ossec/logs/ossec.log` for module errors
Kubernetes Events Not Processed
- Verify the Kubernetes audit policy is applied to the API server
- Confirm the audit log path is correct in `<location>`
- Check the audit log format: it must be JSON
- Verify Kubernetes rules are loaded in Wazuh
Agent in Container Cannot Connect to Manager
- Verify network connectivity between the container and the manager
- Confirm the `WAZUH_MANAGER` variable points to the correct address
- Check that port 1514 (TCP/UDP) is accessible to the agent
- When using `network_mode: host`, check the host firewall rules
High Event Volume
- Configure Docker event filtering through Wazuh rules
- Increase the `<interval>` in the docker-listener configuration
- Exclude noisy events (healthcheck, stats) through custom rules
More about log collection: Wazuh Log Data Collection
More about Active Response: Active Response