Docker Hardening Guide - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-17
Category: Administrator Guide
Abstract

Use the Docker Hardening Guide to configure the Cortex XSIAM settings when running Docker containers.

This guide describes the recommended engine settings for securely running Docker containers. For each engine to which you want to apply Docker hardening, edit the engine configuration file to include the Docker hardening parameters.

When editing the configuration file, you can limit container resources, limit open file descriptors, limit available CPU, and so on. For example, add the following keys to the configuration file (the value of python.pass.extra.keys is a list of docker run options separated by ##):

{
  "docker.run.internal.asuser": true,
  "limit.docker.cpu": true,
  "limit.docker.memory": true,
  "python.pass.extra.keys": "--pids-limit=256##--ulimit=nofile=1024:8192"
}

Tip

We recommend reviewing the Docker Network Hardening guide before changing any parameters in the configuration file.

To securely run Docker containers, it is recommended to use the latest Docker version.

You can Check Docker Hardening Configurations to verify that the Docker container has been hardened according to the recommended settings.

In the configuration file, you can update the following:

Action | Description

Configure Docker Images | Fine-tune settings for Docker images according to the Docker image name.

Limit Container Resources | Protects the engine machine from a container using too many system resources.

Limit Available Memory | We recommend limiting available memory for each container to 1 GB.

Limit Available CPU on Your System | It is recommended to limit each container to 1 CPU.

Configure the PIDs Limit | It is recommended to limit each container to 256 PIDs. This value is sufficient for using threads and sub-processes, and protects against a fork bomb.

Configure the Open File Descriptors Limit | It is recommended to use a soft/hard limit of 1024/8192 file descriptors for each container process.
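As an added example (not code from Cortex XSIAM or this guide), the following Python script reads an engine configuration in the format shown above, splits the ##-separated python.pass.extra.keys value into individual docker run options, and reports any deviation from the recommended PIDs, file-descriptor, CPU and memory settings. The two sample configurations are constructed for illustration.

```python
import json

# Constructed sample engine configs using only the keys the guide shows.
HARDENED_CONFIG = json.dumps({
    "docker.run.internal.asuser": True,
    "limit.docker.cpu": True,
    "limit.docker.memory": True,
    "python.pass.extra.keys": "--pids-limit=256##--ulimit=nofile=1024:8192",
})
WEAK_CONFIG = json.dumps({
    "docker.run.internal.asuser": True,
    "limit.docker.cpu": True,
    "limit.docker.memory": False,                           # memory cap disabled
    "python.pass.extra.keys": "--ulimit=nofile=1024:8192",  # no PIDs limit
})

def parse_extra_keys(value):
    """Split the '##'-separated docker run options into {flag: value}.
    '--ulimit' entries are collected as {name: (soft, hard)}."""
    args = {}
    for item in value.split("##"):
        item = item.strip()
        if not item:
            continue
        flag, _, val = item.partition("=")
        if flag == "--ulimit":
            name, _, limits = val.partition("=")
            soft, _, hard = limits.partition(":")
            args.setdefault("--ulimit", {})[name] = (int(soft), int(hard or soft))
        else:
            args[flag] = val
    return args

def check_hardening(config_json):
    """Return a list of findings; an empty list means the config matches the guide."""
    cfg = json.loads(config_json)
    findings = []
    for key in ("docker.run.internal.asuser", "limit.docker.cpu", "limit.docker.memory"):
        if cfg.get(key) is not True:
            findings.append(f"{key} is not set to true")
    args = parse_extra_keys(cfg.get("python.pass.extra.keys", ""))
    pids = args.get("--pids-limit")
    if pids is None or int(pids) > 256:
        findings.append("--pids-limit missing or above the recommended 256")
    nofile = args.get("--ulimit", {}).get("nofile")
    if nofile != (1024, 8192):
        findings.append("--ulimit nofile is not the recommended 1024:8192")
    return findings
```

Run check_hardening on each engine's configuration file content; the weak sample above yields two findings (memory limit off, PIDs limit missing).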

Note

These settings can also be applied to Podman, with the exception of limiting available memory, limiting available CPU, and limiting PIDs.