Docker Image Security - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-10-06
Category
Administrator Guide
Abstract

Information about Cortex XSIAM Docker image security practices.

The project that contains the source Dockerfiles used to build the images and the accompanying files is fully open source and available for review. Cortex XSOAR uses the secure Docker Hub registry for its Docker images. However, when using Cortex XSOAR on-prem, or in an Engine environment, you can also use the PANW registry . You can view the Docker trust information for each image at the image info branch.Use the Cortex XSOAR Container Registry

docker-trust.png

We automatically update our open source Docker images and their accompanying dependencies (OS and Python). Examples of automatic updates can be viewed on GitHub.

We maintain Docker image information which includes information on Python packages, OS packages and image metadata for all our Docker images. Data image information is updated nightly.

All of our images are continuously scanned using Prisma Cloud for known and newly published vulnerabilities, in two scenarios:

  • Every new image, and every new version of an image, are scanned before publishing to our public registries, as part of our CI/CD process.

  • All existing images are continuously scanned to check whether new vulnerabilities were published and now exist in those images.

We evaluate all critical/high findings and actively work to prevent and mitigate security vulnerabilities.

Cortex XSIAM ensures container images are fully patched and do not contain unnecessary packages. Patches and dependencies are applied automatically via our open source docker files build project.

Response Prioritization

We remediate any critical and high level vulnerabilities, irrespective of who found them. Issues may be discovered by external researchers, found during internal testing, encountered by customers or reported by other organizations and vendors.

Any vulnerability with a possible exploitation against our images would be responded to with utmost urgency. If we conclude that there is a risk for our customers we will issue an advisory with recommended actions and mitigations. Advisories are published at: https://security.paloaltonetworks.com/.

In each version release (every 3 months,) we publish a new version of our content, that will use the latest and secure versions of our images.

Troubleshooting
  • Purge old and unused images periodically.

  • If you scanned the Docker images locally, and found some critical CVE’s - Make sure you use the latest version of the pack, as it should have the latest version of the image. In addition, purge the old and unused image with vulnerabilities.