Docker Daemon Configuration

Linux, System Configuration, Docker, Disk Image

Location

/etc/docker/daemon.json, systemd service overrides, and docker info output

Description

Docker host configuration including daemon.json settings, registry mirrors, log-driver selection, insecure registries, live-restore behavior, cgroup driver, and systemd unit overrides for the Docker service.

Forensic Value

Daemon configuration explains the security posture of the host and can reveal attacker-introduced weakening such as insecure registries, debug logging changes, altered default runtimes, or log-driver choices that affect evidence retention. It also shows whether the host was configured to trust attacker-controlled registries or to bypass expected isolation settings.

Tools Required

cp, systemctl, docker info, diff

Collection Commands

cp

cp /etc/docker/daemon.json /forensics/output/docker_daemon.json 2>/dev/null

systemctl

systemctl cat docker > /forensics/output/docker_systemd_unit.txt

docker

docker info --format "{{json .}}" > /forensics/output/docker_info.json
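
A triage pass over the collected daemon.json for the weakening settings named under Forensic Value. This is an added example, not part of the original artifact entry. The expected-mirror allowlist and the sample configuration are constructed assumptions, and runc is treated as the expected default runtime.

```python
import json

# Assumption: mirrors the investigator expects on this host (constructed value).
EXPECTED_MIRRORS = {"https://mirror.example.internal"}

def review_daemon_config(text, expected_mirrors=EXPECTED_MIRRORS):
    """Return (key, detail) findings for settings that weaken the host posture."""
    if not text.strip():
        # daemon.json is optional; an empty capture means built-in defaults apply.
        return [("daemon.json", "empty or absent: daemon runs on defaults")]
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("daemon.json", f"not valid JSON: {exc.msg}")]
    if not isinstance(cfg, dict):
        return [("daemon.json", "top-level value is not a JSON object")]
    findings = []
    for reg in cfg.get("insecure-registries", []):
        findings.append(("insecure-registries", f"HTTP or unverified TLS allowed for {reg}"))
    for mirror in cfg.get("registry-mirrors", []):
        if mirror.rstrip("/") not in expected_mirrors:
            findings.append(("registry-mirrors", f"unexpected mirror {mirror}"))
    if cfg.get("debug") is True:
        findings.append(("debug", "debug logging enabled"))
    if cfg.get("log-driver") == "none":
        findings.append(("log-driver", "container output is not retained"))
    default_rt = cfg.get("default-runtime", "runc")
    if default_rt != "runc":
        # Resolve the runtime name to the binary registered under "runtimes".
        path = cfg.get("runtimes", {}).get(default_rt, {}).get("path", "<not defined>")
        findings.append(("default-runtime", f"{default_rt} -> {path}"))
    return findings

# Constructed sample, not taken from a real host.
SAMPLE = """{
  "insecure-registries": ["registry.example.test:5000"],
  "registry-mirrors": ["https://mirror.example.internal/", "http://203.0.113.10:5000"],
  "debug": true,
  "log-driver": "none",
  "default-runtime": "custom",
  "runtimes": {"custom": {"path": "/usr/local/bin/custom-runtime"}},
  "live-restore": true
}"""

if __name__ == "__main__":
    for key, detail in review_daemon_config(SAMPLE):
        print(f"{key}: {detail}")
```

Settings can also be passed as dockerd flags in systemd unit overrides, so compare the findings with docker_systemd_unit.txt and docker_info.json before concluding the daemon ran on defaults.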

Collection Constraints

  • Daemon configuration is point-in-time evidence and may not prove who changed it without supporting audit or shell history artifacts.
  • Host-level service overrides and environment files should be preserved together to avoid partial configuration capture.

MITRE ATT&CK Techniques

T1578, T1562