Container logging and analysis revolves around 3 areas:
Container Service Logs - Service daemons record key events
Daemon events - Errors, status, and general events
Remote calls to APIs
Creation/Modification/Deletion of containers
Host operating system/platform logs
Amazon EKS offers logging events to Cloudwatch
Service logs
Logging Methods
Persistent data volume or bind mount - Log data is sent to a persistent location outside of the container. Often with syslog directly to the host OS
Application inside container - If the application itself has logging capabilities, they can be logged to locations outside of the container
Monitoring container (Sidecar) - A container for collecting logs from other containers
Daemon log drivers - Captures stdout and stderr of containers
Container Defense
Tools
Security Auditing and Vulnerability Scanners
βClair - Vulnerability Static Analysis for Containers
βWhaleScan - Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container
βTrivy - Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
βSecretScanner - Find secrets and passwords in container images and file systems
βkubesploit - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
Docker
βDocker - A Docker container is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
βdocker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
βAnchore - A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification
βkubernetes-the-hard-way - bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.
βkubernetes-the-easy-way - bootstrap Kubernetes the easy way on Google Cloud Platform. No scripts.
βHubble is a Network, Service & Security Observability for Kubernetes using eBPF.
Offensive tools
βpeirates - a Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster.
Security auditing
βkubesec - Security risk analysis for Kubernetes resources
βnetassert - This is a security testing framework for fast, safe iteration on firewall, routing, and NACL rules for Kubernetes (Network Policies, services) and non-containerised hosts (cloud provider instances, VMs, bare metal).