Docker File Watcher

A ready to integrate, second opinion, on access scanner for Docker containers.
Summary

Designed to be built into docker containers, this Plugin Type will monitor and scan file system activity in locations that you can specify.

With the code up on GitHub the Plugin Type is readly extensible but can also be used out of the box with default configuration suitable for common scenarios.

About

What is the Docker File Watcher?

The Docker File Watcher is a inotify-based daemon that starts at system start up and keeps running as a system service, via systemd on most distributions.

What are the features?

  • Lazy On Access Scanning - Monitor file access and automatically submit files for analysis
  • Out of Box Defaults - Comes with default API keys and configuation so it works out of the box
  • Configurable Watch Directories - Configure which directories to watch for activity
  • Infected File Deletion - Delete infected files
  • Secplugs Portal - With a registered API key you can access all the core Secplugs features via the portal.

How does it work?

At startup, the daemon reads the configuration file and initialises the process with all the directories listed in the configuration. The daemon monitors for files created in or moved into the configured directories. When it detects a file, the file is sent to secplugs for a score based scan. If this scan detects this file to be malicious, the file is removed from the filesystem. This uses a very minimal configuration that is just enough. The list of directories to monitor is the only mandatory configuration. Other optional configurations include the vendor to use for scanning the files, and the API key.

How do I get started?

Simply download and install the package. Details vary so check the instructions for your target Linux Distro.

To use additional features and the privacy of your own account, after registering in Secplugs.com, login with your username and create an API key to use with the scripts. Replace the key in the samples or create new scripts using these as an example. Use can then use the Secplugs console to view activity, run reports and do deeper retrospective threat analysis.