Docker FAQs - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-11-14
End_of_Life
EoL
Category
Administrator Guide
Abstract

Frequently asked questions (FAQ) about Docker in Cortex XSOAR.

  • Does Cortex XSOAR use COPY or ADD for building images?

    Cortex XSOAR uses COPY for building images. The COPY instruction copies files from the local host machine to the container file system. Cortex XSOAR does not use the ADD instruction, which could potentially retrieve files from remote URLs and perform operations such as unpacking, introducing potential security vulnerabilities.

  • Should the --restart flag be used?

    The --restart flag should not be used. The server manages the lifecycle of Docker images and restarts images as needed.

  • Can we restrict containers from acquiring additional privileges by setting the no-new-privileges option?

    Cortex XSOAR does not support the no-privileges option. Some integrations and automations may need to change privileges when running as non-root user (such as Ping).

  • Can we apply a daemon-wide custom seccomp profile?

    The default seccomp profile from Docker is strongly recommended. The default seccomp profile provides protection as well as wide application compatibility. While you can apply a custom seccomp profile, Cortex XSOAR cannot guarantee that it won't block system calls used by an integration or script. If you apply a custom seccomp profile, you need to verify and test the profile with any integrations or scripts you plan to use.

  • Can we use TLS authentication for docker daemon configuration?

    TLS authentication is not used, because Cortex XSOAR does not use docker remote connections. All communication is done via the local Docker IPC socket.

  • Can we restrict Linux kernel capabilities within containers?

    The default Docker settings (recommended) include 14 kernel capabilities and exclude 23 kernel capabilities. Refer to Docker’s full list of runtime privileges and Linux capabilities.

    You can further exclude capabilities via advanced configuration, but will first need to verify that you are not using an automation that requires the capability. For example, Ping requires NET_RAW capability.

  • Is the Docker health check option implemented at runtime?

    The Cortex XSOAR server monitors the health of the containers and restarts/terminates containers as needed. The Docker health check option is not needed.

  • Can we enable live restore?

    Live restore is not used. Cortex XSOAR uses ephemeral docker containers. Every running container is stateless by design.

  • Can we restrict network traffic between containers?

    Cortex XSOAR does not disable inter-container communication by default, as there are use cases where this might be needed. For example, a script communicating with a long running integration which listens on a port, may require inter-container communication. If inter-container communication is not required, it can be disabled by modifying the Docker daemon configuration.

  • Can we enable user namespace remapping?

    Coretx XOSAR does not support user namespace remapping. Cortex XSOAR provides an option to run Docker as a non-root internal user.

  • How do we configure auditing for Docker files and directories?

    Auditing is an operating system configuration, and can be enabled in the operating system settings. Cortex XSOAR does not change the audit settings of the operating system.

  • Does Cortex XSOAR map privileged ports?

    Cortex XSOAR does not map privileged ports (TCP/IP port numbers below 1024).

  • Does Cortex XSOAR allow privileged execution?

    Cortex XSOAR does not allow privileged execution of Docker commands.

  • Does Cortex XSOAR run SSH within containers?

    Cortex XSOAR does not run SSH within containers.

  • Does Cortex XSOAR change the ownership of the socket?

    Cortex XSOAR doesn't change the ownership of the socket.

  • Can we disable the userland proxy?

    If the kernel supports hairpin NAT, you can disable docker userland proxy settings by modifying the Docker daemon configuration.

  • Does Cortex XSOAR support the AppArmor profile?

    Cortex XSOAR supports the default AppArmor profile (only relevant for Ubuntu with AppArmor enabled).

  • Does Cortex XSOAR support the SELinux profile?

    Cortex XSOAR supports the default SELinux profile (only relevant for RedHat with SELinux enabled).

  • How does Cortex XSOAR handle secrets management?

    For Docker swarm services, a secret is a blob of data, such as password, SSH private keys, SSL certificates, or other piece of data that should not be transmitted over a network or stored unencrypted in a Docker file or in your application’s source code. Cortex XSOAR manages integration credentials internally. It also supports using an external credentials service such as CyberArk.