I have an AWS EC2 instance with docker installed, running a default nginx container – docker run -it --rm -d -p 8080:80 --name web nginx. I have an rsyslog setup that successfully captures the auth.log file for the host, so I can capture any login attempts to that machine. However, I’m wondering if there is any way I can capture container login attempts, i.e., if someone gains access to the machine and runs docker exec -it web bash.
While the container is running, docker logs outputs anything the container is logging to stdout/err. But I haven’t found any documentation on container login attempts. Is docker exec the correct way to try “logging in” to the container? Is this something I can feasibly capture? Does it make sense to? When I run docker exec I haven’t seen it logged anywhere – host syslog, kernel.log, auth.log, docker logs, nothing at all.
So, it doesn’t seem like container “logins” are even captured anywhere, and as long as the container is not running with privileged access I can’t imagine it’s too important. It seems that protecting the host is far more important.
More generally, if anyone is in the container poking around, running commands that require root etc., is this logged anywhere on the host? Or do I need to configure rsyslog in the container in order to capture such events?
Any insight would be greatly appreciated!
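An added example, not part of the original post: the Docker daemon reports each docker exec on its event stream as exec_create and exec_start events, so a small host-side filter can forward them to syslog where the existing rsyslog setup can collect them. The script name docker_exec_audit.py, the choice of the auth facility, and the sample event lines are assumptions made for illustration.

```python
import json
import sys
import syslog
from datetime import datetime, timezone

# Constructed sample lines in the shape of `docker events --format '{{json .}}'`.
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"start","Actor":{"Attributes":{"name":"web"}},"time":1700000000}',
    '{"Type":"container","Action":"exec_start: bash ","Actor":{"Attributes":'
    '{"name":"web","execID":"0123456789abcdef0123"}},"time":1700000000}',
    "not json",
]

def parse_exec_event(line):
    """Return a dict for exec_* container events, or None for anything else."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None  # partial or non-JSON line on the stream
    if not isinstance(ev, dict) or ev.get("Type") != "container":
        return None
    # Action looks like "exec_start: bash " (action name, colon, command line).
    action, _, command = str(ev.get("Action", "")).partition(":")
    if action not in ("exec_create", "exec_start", "exec_die"):
        return None
    attrs = (ev.get("Actor") or {}).get("Attributes") or {}
    when = datetime.fromtimestamp(ev.get("time", 0), tz=timezone.utc)
    return {
        "action": action,
        "command": command.strip(),
        "container": attrs.get("name", "?"),
        "exec_id": attrs.get("execID", "?")[:12],
        "time": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }

def format_record(rec):
    return ("action={action} container={container} exec_id={exec_id} "
            "time={time} cmd={command!r}").format(**rec)

def main():
    demo = sys.stdin.isatty()  # no pipe: print the constructed samples instead
    # Assumption: the auth facility is what the host's rsyslog rules collect.
    syslog.openlog("docker-exec", facility=syslog.LOG_AUTH)
    emit = print if demo else (lambda m: syslog.syslog(syslog.LOG_NOTICE, m))
    for line in (SAMPLE_EVENTS if demo else sys.stdin):
        rec = parse_exec_event(line)
        if rec:
            emit(format_record(rec))

if __name__ == "__main__":
    main()
```

Run on the host as docker events --format '{{json .}}' | python3 docker_exec_audit.py. The event identifies the container and the command but not which host user invoked docker.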