Docker File Watcher

Designed to be built into docker containers, this Plugin Type will monitor and scan file system activity in locations that you can specify.

With the code up on GitHub the Plugin Type is readly extensible but can also be used out of the box with default configuration suitable for common scenarios.

The tool is open source so you can modify as you wish. Also see Docker File Watcher

Overview

This Plugin Type does ‘lazy’ On-Accessscanning for docker containers. There are official packages for Debian, Ubuntu, Fedora, CentOS and Alpine. This Plugin Type is a 64-bit native binary that is created with the requirements of a container environment in mind - small binary size, a very log memory footprint and quick scan times. This document shows how this Plugin Type can be used from all the supported Linux distributions

Use Your Own API Key

To use additional features and the privacy of your own account, after registering with Secplugs, sign in with your username and create an API key

After creating a key, specify it as the key to use in the Dockerfile

ENV SECPLUGS_API_KEY <copied api key>

Debian/Ubuntu

The following lines need to be added to your Dockerfile for Debian/Ubuntu

FROM ubuntu:latest
RUN apt install software-properties-common && apt update
RUN apt-add-repository -y ppa:secplugs/ppa
RUN apt update && apt install secplugs-container-plugin

The above pulls the latest ubuntu image from docker hub and adds the secplugs ppa repository to the list of repositories. The apt-add-repository utility needs software-properties-common and hence that gets installed first.

Likewise, for Debian, the following lines need to be added to your Dockerfile

FROM debian:latest
RUN apt install software-properties-common && apt update
RUN apt-key adv --keyserver <keyserver> --recv <key> && apt-add-repository -y 'deb https://packages.secplugs.com/debian/ stable main'
RUN apt update && apt install secplugs-container-plugin

The above pulls the latest debian image from docker hubs and adds the secplugs debian repository and its gpg keys to the container.

Both ubuntu and debian packages add the container plugin to be run in the background as a systemd service

Fedora/CentOS

The following lines need to be added to your Dockerfile for Fedora/CentOS based containers.

FROM fedora:latest
RUN wget -O /etc/yum.repos.d/secplugs.repo https://packages.secplugs.com/fedora/secplugs.repo
RUN echo <SHA> /etc/yum.repos.d/secplugs.repo | sha256sum --check --status
RUN dnf update && dnf install secplugs-container-plugins

Alpine

Alpine is the most popular Linux distribution for containers owing to its small size. So naturally, we have an alpine package for our secplugs docker plugin. The following lines need to be added to your Dockerfile for alpine based containers

FROM alpine:latest
echo "https://alpine.secplugs.com/packages" | tee -a /etc/apk/repositories
apk add secplugs-docker-plugin
rc-update add secplugs-docker-plugin
rc-service secplugs-docker-plugin start

Configuration

The only configuration that is needed for the secplugs-container-plugin is the /etc/secplugs/config.json file. For most common use cases, the only configuration that would be needed is the watchers property which tells the plugin which folders to monitor. The default configuration works for most common deployments

{
  "watchers": [
    "/lib",
    "/lib64",
    "/var/lib",
    "/etc/"
  ],
  "api_key": "secplugs-api-key-from-portal"
}

Contact

Having trouble? Contact Secplugs