Use the Docker Hardening Guide to configure the Cortex XSOAR settings when running Docker containers.
The following topics describe the recommended Cortex XSOAR settings for securely running Docker containers on Ubuntu, using iptables to restrict IP access. These settings can also be applied to Podman, with the exception of Limit Available Memory, Limit Available CPU, and Limit PIDS. We also recommend reviewing Docker Network Hardening.
Note
Docker hardening must be manually configured and is not applied by default at installation.
Use the Latest Docker Version
To securely run Docker containers, we recommend you use the latest Docker version.
Run Docker with a Non-Root Internal User
Running Docker containers with non-root internal users provides added security isolation and follows the principle of least privilege. For more information, see Run Docker with Non-Root Internal Users.
Limit Container Resources
To protect the host from a container using too many system resources (either because of a software bug or a DoS attack), limit the resources available for each container. In Cortex XSOAR, some of these settings are set using the advanced parameter:
python.pass.extra.keys
.
This key receives as a parameter full docker run
options, separated with the ##
string.
Limit Available Memory
We recommend limiting available memory for each container to 1 GB.
Note
On RHEL distributions with Docker CE or EE with version 17.06 and later, ensure that your kernel fully supports kmem
accounting or that it has been compiled to disable kmem
accounting. The kmem
accounting feature in Red Hat’s Linux kernel has been reported to contain bugs, which cause kernel deadlock or slow kernel memory leaks. This is caused by a patch introduced in runc, which turns on kmem
accounting automatically when user memory limitation is configured, even if not requested by the Docker CLI setting --kernel-memory
(see opencontainers/runc#1350). Using Red Hat's distribution of Docker based on version 1.13.1 users are not affected as this distribution of Docker does not include the runc
patch. For more information see Red Hat’s Docker distribution documentation.
If you do not want to apply Docker memory limitations, you should explicitly set the advanced parameter: limit.docker.memory
to false
.
Swap Limit Support
Not all Linux distributions have the swap limit support enabled by default.
Red Hat distributions usually have swap limit support enabled by default.
Ubuntu distributions usually have swap limit support disabled by default.
To check if your system supports swap limit capabilities, after logging into the Server machine console (ssh), run the following command:
sudo docker run --rm -it --memory=1g demisto/python:1.3-alpine true
command.
If you see WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
in the output (the message may vary between Docker versions), you have two options:
Configure
swap limit capabilities
by following the Docker documentation.Configure Memory Limit Support Without Swap Limit Capabilities.
If swap limit capabilities
is enabled, Configure the Memory Limitation.
To test the memory, see Test the Memory Limit.
Limit Available CPU
We recommend limiting each container to 1 CPU. See Limit Available CPU.
Limit PIDs
We recommend limiting each container to 256 PIDs. This value is sufficient for using threads and sub-processes, and protects against a fork bomb. You need to configure the PIDs limit, by setting the python.pass.extra.keys
advanced parameter. If you have this key already set up with a value append to it the config after a ## separator.
Limit Open File Descriptors
We recommend using a soft/hard limit of 1024/8192 filed descriptors for each container process. You need to Configure the Open File Descriptors Limit. If you have this key already set up with a value, append to it the config after a ## separator.
Check the Docker Hardening Configuration
To test that the hardening configuration has been applied correctly use the DockerHardeningCheck
automation.
Note
The DockerHardeningCheck
automation does not work with Podman.
Working with Engines
For each engine to which you want to apply Docker hardening, you need to edit the engine’s configuration to include the Docker hardening advanced parameters. For example, you would add the following snippet to the configuration JSON file:
{"docker.run.internal.asuser": true,"limit.docker.cpu": true,"limit.docker.memory": true,"python.pass.extra.keys": "--pids-limit=256##--ulimit=nofile=1024:8192"}
You can run scripts on an engine. To verify the Docker container has been hardened according to recommended settings, run the DockerHardeningCheck
automation on the engine.
Docker Images Specific Settings
You can apply more specific fine tuned settings to Docker images, according to the Docker image name or the Docker image name including the image tag. To apply settings to a Docker image name, use the advanced server configuration python.pass.extra.keys.
. For example, <image_name>
python.pass.extra.keys.demisto/dl
.
To apply settings to a Docker image name including the image tag, use python.pass.extra.keys.
. For example, <image_name>
:<image_tag>
python.pass.extra.keys.demisto/dl:1.4
.
For example, to set the Docker images demisto/dl (all tags)
to use a higher max memory value of 2GB and to remain with the recommended PIDs and ulimit, use the following:
Key | Value |
---|---|
|
|
If you apply Docker image specific settings, they will be used instead of the general python.pass.extra.keys setting. This will also override the general memory and CPU settings as needed.
Note
To apply these settings to engines, edit each engine’s configuration file to include the advanced parameters.