
Audit docker TCP API sockets (re Doki malware)

Description: This query looks for listening Docker daemon TCP sockets. If not adequately protected, these sockets are vulnerable to attacks, including Doki malware. By default, Docker does not open a TCP socket.

What The Data Shows: This query shows any TCP socket held open by a process whose binary path matches "%docker%". Any results should be investigated for proper configuration and security controls.

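SQL:

-- Listening TCP ports owned by any process whose binary path contains "docker".
SELECT l.port, p.pid, p.path, p.cmdline
  FROM listening_ports AS l
       JOIN processes AS p ON p.pid = l.pid  -- the path filter drops unmatched rows anyway
 WHERE p.path LIKE '%docker%'   -- single quotes mark a SQL string literal
   AND l.protocol = 6           -- TCP only, as the description states
   AND l.port != 0;             -- skip UNIX domain sockets, which report port 0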

Carbon Black Employee
Status changed to: Approved
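
Rows returned by the query still have to be read for how the listener is configured. The following is an added example, not part of the original post: it sorts result rows by whether the dockerd command line binds a tcp:// endpoint beyond loopback and whether --tlsverify is present. The sample rows are constructed, the function names and triage labels are hypothetical, and it assumes Linux paths and inspects the command line only.

```python
import shlex

# Constructed sample rows in the shape the query returns (osquery emits strings).
SAMPLE_ROWS = [
    {"port": "2375", "pid": "811", "path": "/usr/bin/dockerd",
     "cmdline": "/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"},
    {"port": "2376", "pid": "902", "path": "/usr/bin/dockerd",
     "cmdline": "/usr/bin/dockerd --host=tcp://0.0.0.0:2376 --tlsverify "
                "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem"},
    {"port": "2375", "pid": "950", "path": "/usr/bin/dockerd",
     "cmdline": "/usr/bin/dockerd -H tcp://127.0.0.1:2375"},
    {"port": "8080", "pid": "1200", "path": "/usr/bin/docker-proxy",
     "cmdline": "/usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8080"},
]

def tcp_endpoints(argv):
    # Collect host:port values from -H/--host arguments that use tcp://.
    found = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host"):
            value = argv[i + 1] if i + 1 < len(argv) else ""
        elif arg.startswith(("--host=", "-H=")):
            value = arg.split("=", 1)[1]
        else:
            continue
        if value.startswith("tcp://"):
            found.append(value[len("tcp://"):])
    return found

def is_loopback(endpoint):
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    return host in ("localhost", "::1") or host.startswith("127.")

def triage(row):
    # Map one result row to a (hypothetical) triage label.
    if row["path"].rsplit("/", 1)[-1] != "dockerd":
        return "not-daemon"          # e.g. docker-proxy publishing a container port
    argv = shlex.split(row["cmdline"])
    endpoints = tcp_endpoints(argv)
    if not endpoints:
        return "check-daemon-json"   # listener not set in argv; inspect daemon.json
    if "--tlsverify" in argv or "--tlsverify=true" in argv:
        return "tls-verified"        # still confirm the CA and certificate files
    if all(is_loopback(e) for e in endpoints):
        return "loopback-no-tls"
    return "exposed-no-tls"          # bound beyond loopback without client-cert auth

def triage_all(rows):
    return [(r["port"], r["pid"], triage(r)) for r in rows]
```

A "check-daemon-json" result means the command line alone cannot answer the question, because the daemon can also take its hosts and TLS settings from its configuration file.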