Docker Hardening Guide - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Use the Docker Hardening Guide to configure the Cortex XSOAR settings when running Docker containers.

This guide describes the recommended Cortex XSOAR settings for securely running Docker containers. These settings can also be applied to Podman, with the exception of Limit Available Memory, Limit Available CPU, and Limit PIDS. We also recommend reviewing the Docker Network Hardening guide.


Docker hardening must be manually configured and is not applied by default at installation.

Use the Latest Docker Version

To securely run Docker containers, we recommend you use the latest Docker version.

Run Docker with a Non-Root Internal User

Running Docker containers with non-root internal users provides added security isolation and follows the principle of least privilege. For more information, see Run Docker with Non-Root Internal Users.

Limit Container Resources

To protect the host from a container using too many system resources (either because of a software bug or a DoS attack), limit the resources available for each container. In Cortex XSOAR, some of these settings are set using the advanced parameter:


This key receives as a parameter full docker run options, separated with the ## string.

Limit Available Memory

We recommend limiting available memory for each container to 1 GB.


On RHEL and CentOS 7.x distributions with Docker CE or EE with version 17.06 and later, ensure that your kernel fully supports kmem accounting or that it has been compiled to disable kmem accounting. The kmem accounting feature in Red Hat’s Linux kernel has been reported to contain bugs, which cause kernel deadlock or slow kernel memory leaks. This is caused by a patch introduced in runc, which turns on kmem accounting automatically when user memory limitation is configured, even if not requested by the Docker CLI setting --kernel-memory (see opencontainers/runc#1350). Using Red Hat's distribution of Docker based on version 1.13.1 users are not affected as this distribution of Docker does not include the runc patch. For more information see Red Hat’s Docker distribution documentation.

If you do not want to apply Docker memory limitations, you should explicitly set the advanced parameter: limit.docker.memory to false.

Swap Limit Support

Not all Linux distributions have the swap limit support enabled by default.

  • Red Hat and CentOS distributions usually have swap limit support enabled by default.

  • Ubuntu distributions usually have swap limit support disabled by default.

To check if your system supports swap limit capabilities, after logging into the Server machine console (ssh), run the following command:

sudo docker run --rm -it --memory=1g demisto/python:1.3-alpine true command.

If you see WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap. in the output (the message may vary between Docker versions), you have two options:

If swap limit capabilities is enabled, Configure the Memory Limitation.

To test the memory, see Test the Memory Limit.

Limit Available CPU

We recommend limiting each container to 1 CPU. See Limit Available CPU.

Limit PIDs

We recommend limiting each container to 256 PIDs. This value is sufficient for using threads and sub-processes, and protects against a fork bomb. You need to configure the PIDs limit, by setting the python.pass.extra.keys advanced parameter. If you have this key already set up with a value append to it the config after a ## separator.

Limit Open File Descriptors

We recommend using a soft/hard limit of 1024/8192 filed descriptors for each container process. You need to Configure the Open File Descriptors Limit. If you have this key already set up with a value, append to it the config after a ## separator.

Check the Docker Hardening Configuration

To test that the hardening configuration has been applied correctly use the DockerHardeningCheck automation.


The DockerHardeningCheck automation does not work with Podman.

Working with Engines

For each engine to which you want to apply Docker hardening, you need to edit the engine’s configuration to include the Docker hardening advanced parameters. For example, you would add the following snippet to the configuration JSON file:

{"": true,"limit.docker.cpu": true,"limit.docker.memory": true,"python.pass.extra.keys": "--pids-limit=256##--ulimit=nofile=1024:8192"}

You can run scripts on an engine. To verify the Docker container has been hardened according to recommended settings, run the DockerHardeningCheck automation on the engine.

Docker Images Specific Settings

You can apply more specific fine tuned settings to Docker images, according to the Docker image name or the Docker image name including the image tag. To apply settings to a Docker image name, use the advanced server configuration python.pass.extra.keys.<image_name>. For example, python.pass.extra.keys.demisto/dl.

To apply settings to a Docker image name including the image tag, use python.pass.extra.keys.<image_name>:<image_tag>. For example, python.pass.extra.keys.demisto/dl:1.4.

For example, to set the Docker images demisto/dl (all tags) to use a higher max memory value of 2GB and to remain with the recommended PIDs and ulimit, use the following:





If you apply Docker image specific settings, they will be used instead of the general python.pass.extra.keys setting. This will also override the general memory and CPU settings as needed.


To apply these settings to engines, edit each engine’s configuration file to include the advanced parameters.