Docker FAQs

Cortex XDR 5.x Documentation

Product
Cortex XDR
License
XDR + Cloud
Creation date
2025-07-13
Last date published
2026-06-04
Category
Administrator Guide
Abstract

Frequently asked questions (FAQ) about Docker in Cortex XDR.

  • Does Cortex XDR use COPY or ADD for building images?

    Cortex XDR uses COPY for building images. The COPY instruction copies files from the local host machine to the container file system. Cortex XDR does not use the ADD instruction, which could potentially retrieve files from remote URLs and perform operations such as unpacking, introducing potential security vulnerabilities.

  • Should the --restart flag be used?

    The --restart flag should not be used. Cortex XDR manages the lifecycle of Docker images and restarts images as needed.

  • Can we restrict containers from acquiring additional privileges by setting the no-new-privileges option?

    Cortex XDR does not support the no-new-privileges option. Some integrations and scripts may need to change privileges when running as a non-root user (such as Ping).

  • Can we apply a daemon-wide custom seccomp profile?

    The default seccomp profile from Docker is strongly recommended. The default seccomp profile provides protection as well as wide application compatibility. While you can apply a custom seccomp profile, Cortex XDR cannot guarantee that it won't block system calls used by an integration or script. If you apply a custom seccomp profile, you need to verify and test the profile with any integrations or scripts you plan to use.

  • Can we use TLS authentication for docker daemon configuration?

    TLS authentication is not used, because Cortex XDR does not use Docker remote connections. All communication is done via the local Docker IPC socket.

  • Can we restrict Linux kernel capabilities within containers?

    The default Docker settings (recommended) include 14 kernel capabilities and exclude 23 kernel capabilities. Refer to Docker’s full list of runtime privileges and Linux capabilities.

    You can further exclude capabilities via advanced configuration, but you will first need to verify that you are not using a script that requires the capability. For example, Ping requires the NET_RAW capability.

  • Is the Docker health check option implemented at runtime?

    The Cortex XDR tenant monitors the health of the containers and restarts/terminates containers as needed. The Docker health check option is not needed.

  • Can we enable live restore?

    Live restore is not used. Cortex XDR uses ephemeral Docker containers. Every running container is stateless by design.

  • Can we restrict network traffic between containers?

    Cortex XDR does not disable inter-container communication by default, as there are use cases where it may be needed. For example, a script communicating with a long-running integration that listens on a port may require inter-container communication. If inter-container communication is not required, it can be disabled by modifying the Docker daemon configuration.

  • Can we enable user namespace remapping?

    Cortex XDR does not support user namespace remapping.

  • How do we configure auditing for Docker files and directories?

    Auditing is an operating system configuration, and can be enabled in the operating system settings. Cortex XDR does not change the audit settings of the operating system.

  • Can we disable the userland proxy?

    If the kernel supports hairpin NAT, you can disable the Docker userland proxy by modifying the Docker daemon configuration.

  • Does Cortex XDR support the AppArmor profile?

    Cortex XDR supports the default AppArmor profile (only relevant for Ubuntu with AppArmor enabled).

  • Does Cortex XDR support the SELinux profile?

    Cortex XDR supports the default SELinux profile (only relevant for RedHat with SELinux enabled).

  • How does Cortex XDR handle secrets management?

    For Docker swarm services, a secret is a blob of data, such as a password, SSH private keys, SSL certificates, or another piece of data that should not be transmitted over a network or stored unencrypted in a Dockerfile or in your application’s source code. Cortex XDR manages integration credentials internally. It also supports using an external credentials service such as CyberArk.
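Several answers above turn on what is set in the Docker daemon configuration: the unsupported options (no-new-privileges, user namespace remapping), the options that are not used (live restore, a custom seccomp profile, remote TLS listeners), and the two hardening changes the FAQ permits with a prerequisite (disabling inter-container communication, disabling the userland proxy). The following audit script is an added example, not Cortex XDR code; it reads a daemon.json and reports each setting against that guidance. The sample configuration embedded in it is constructed for the demonstration and deliberately violates most of the FAQ's points.

```python
import json

# Constructed sample of /etc/docker/daemon.json for the demo, not from a real host.
SAMPLE_DAEMON_JSON = """{
  "icc": false,
  "userland-proxy": false,
  "no-new-privileges": true,
  "userns-remap": "default",
  "live-restore": true,
  "seccomp-profile": "/etc/docker/custom-seccomp.json",
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}"""


def audit_daemon_config(cfg: dict) -> dict:
    """Check daemon.json keys against the FAQ guidance above; returns
    {"errors": [unsupported settings], "warnings": [settings to remove or justify]}."""
    errors, warnings = [], []
    if cfg.get("no-new-privileges") is True:
        errors.append("no-new-privileges is not supported (e.g. Ping changes privileges)")
    if "userns-remap" in cfg:
        errors.append("userns-remap is not supported")
    if cfg.get("live-restore") is True:
        warnings.append("live-restore is not used; containers are ephemeral")
    if "seccomp-profile" in cfg:
        warnings.append("custom seccomp profile %r must be tested with every "
                        "integration and script" % cfg["seccomp-profile"])
    # Only the local IPC socket is used, so any other listener is unneeded exposure.
    for host in cfg.get("hosts", []):
        if not host.startswith("unix://"):
            warnings.append(f"non-local daemon listener {host!r} is not needed")
    # Hardening the FAQ permits, flagged so the prerequisite gets confirmed.
    if cfg.get("icc") is False:
        warnings.append("icc=false: confirm no script needs a long-running integration's port")
    if cfg.get("userland-proxy") is False:
        warnings.append("userland-proxy=false: confirm the kernel supports hairpin NAT")
    return {"errors": errors, "warnings": warnings}


def audit_json(text: str) -> dict:
    """Audit a daemon.json document given as text."""
    return audit_daemon_config(json.loads(text))


def audit_file(path: str = "/etc/docker/daemon.json") -> dict:
    """Audit a real daemon.json; a missing file means Docker defaults apply."""
    try:
        with open(path) as fh:
            return audit_json(fh.read())
    except FileNotFoundError:
        return {"errors": [], "warnings": ["no daemon.json found; Docker defaults apply"]}
```

On an engine host, `audit_file()` reads the live configuration; `audit_json(SAMPLE_DAEMON_JSON)` shows the output for the constructed sample.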