11.3.2.5 Daemon Access Auditing

A focused guide to Daemon Access Auditing, connecting core concepts with practical Docker and container operations.

Daemon access auditing reviews who and what has had access to the Docker daemon over time and what actions were taken. It provides the visibility needed to detect unauthorized access, investigate an incident, or confirm that access remains appropriately scoped.

Reviewing Current Daemon Access Grants

Periodically reviewing who holds local group membership or valid remote certificates for daemon access establishes a baseline of current access.

getent group docker

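This lists the users granted local daemon access through supplementary docker group membership, a starting point for confirming that this access remains appropriately limited. An account whose primary group is docker has the same access but does not appear in this member list.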

Enabling and Reviewing Daemon-Level Logging

Configuring the daemon to log relevant events provides a record that can be reviewed to understand what actions have been taken against it. On hosts where Docker runs as a systemd service, the daemon's log is read with:

journalctl -u docker.service

Reviewing the daemon's own logs can reveal connection attempts, container lifecycle events, and other activity relevant to understanding daemon usage over time.

Why Auditing Matters Particularly After a Suspected Incident

If unauthorized daemon access is suspected, a thorough audit of recent daemon activity — what containers were created, what images were pulled, what commands were issued — is an essential part of understanding the actual scope of any compromise.

docker events --since 24h

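Reviewing recent daemon events can help reconstruct what happened during a suspected incident window. Without --until the command keeps streaming new events until interrupted, and the daemon retains only a limited number of past events, so capture the output early in an investigation.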

Establishing Regular, Proactive Auditing Rather Than Only Reactive Review

Rather than only reviewing access and activity after a suspected problem, establishing a regular, proactive auditing cadence helps catch an unauthorized access grant or unusual activity pattern before it becomes a more serious incident.

docker context ls
getent group docker
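
One way to automate the membership review for a recurring audit, as an added example that is not part of the original page: it compares the accounts holding the docker GID with an allowlist file and reports any that are not approved. The function names and the allowlist format are assumptions; it also counts accounts whose primary group is docker, which the member list printed by getent group omits.

```sh
#!/bin/sh
# Added example, not from the original page: docker group drift check.
# Assumed allowlist format: one username per line, '#' starts a comment.

# access_users GROUP_LINE PASSWD_LINES
# Prints every account whose processes carry the group's GID: supplementary
# members (field 4 of the group line) plus accounts whose primary GID
# (field 4 of passwd) equals the group's GID.
access_users() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    [ -n "$gid" ] || return 0
    {
        printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
        printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | grep -v '^$' | sort -u
}

# unapproved_users USERS APPROVED_FILE
# Prints each user that is absent from the allowlist file.
unapproved_users() {
    printf '%s\n' "$1" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        sed -e 's/#.*//' -e 's/[[:space:]]//g' "$2" |
            grep -Fxq -- "$u" || printf '%s\n' "$u"
    done
}

# audit_docker_group APPROVED_FILE
# Live check against this host; returns 1 on drift, 2 if no docker group.
audit_docker_group() {
    group_line=$(getent group docker) || { echo "no docker group" >&2; return 2; }
    users=$(access_users "$group_line" "$(getent passwd)")
    drift=$(unapproved_users "$users" "$1")
    [ -z "$drift" ] && return 0
    printf 'UNAPPROVED docker daemon access: %s\n' $drift >&2
    return 1
}

# Run the live audit only when an allowlist path is given as an argument.
if [ "$#" -gt 0 ]; then audit_docker_group "$1"; fi
```

Run from a scheduled job with the allowlist path as its only argument, a non-zero exit status can feed whatever alerting the host already uses.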

Why Daemon Access Auditing Matters

Given the severity of what daemon access grants, maintaining ongoing visibility into who has that access and what is being done with it is an essential complement to the access controls themselves, providing the ability to detect and investigate any deviation from expected, authorized usage.