Run Docker with Non-Root Internal Users

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-12-05
End_of_Life: EoL
Category: Administrator Guide

Abstract: Run Docker containers as non-root internal users, and configure exceptions for containers that do not support non-root internal users.

For additional security isolation, we recommend running Docker containers as non-root internal users. This follows the principle of least privilege.

  1. Configure Cortex XSOAR Server to execute containers as non-root internal users.

    1. Select Settings > About > Troubleshooting > Add Server Configuration.

    2. Add the following:

      Key: docker.run.internal.asuser

      Value: true

    3. Click Save.

    4. Reset the running containers using one of the following methods:

      From the Cortex XSOAR CLI, type the following command.

      /reset_containers

      Alternatively, restart the Cortex XSOAR Server.

    5. From the Cortex XSOAR CLI, type the following command to check if the container is running as a non-root internal user:

      !py script="import os;print(os.getuid())"

      If the server configuration was added successfully and the container is running with a non-root internal user, the output is a non-zero UID.


      If the server configuration was not configured correctly and the container is running with an internal root user, the output is 0.

  2. Configure exceptions for containers that do not support non-root internal users.

    1. Select Settings > About > Troubleshooting > Add Server Configuration.

    2. Add the following:

      Key: docker.run.internal.asuser.ignore

      Value: A CSV list of container names. The Cortex XSOAR server treats each entry in the list as a prefix and matches it against container names.

      For example, docker.run.internal.asuser.ignore=demisto/python3:,demisto/python:

      The Cortex XSOAR server matches the key values for the following containers:

      demisto/python:1.3-alpine

      demisto/python:2.7.16.373

      demisto/python3:3.7.3.928

      demisto/python3:3.7.4.977

      Use the : character to limit the match to the full name of the container. For example, with the : character, the entry demisto/python: does not match demisto/python-deb:2.7.16.373.
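
The prefix matching described for docker.run.internal.asuser.ignore, modelled as an added example (not Cortex XSOAR code and not part of the original guide). It assumes a plain string-prefix comparison, and the function names are hypothetical; it shows which images an ignore value would exempt from the non-root setting and flags entries that lack the : character.

```python
# Added illustration: models the prefix matching described in the guide.
# Assumption: a plain string-prefix comparison; this is not server code.

def parse_ignore_list(value):
    """Split the CSV value of docker.run.internal.asuser.ignore into prefixes."""
    return [p.strip() for p in value.split(",") if p.strip()]

def ignored_images(ignore_value, images):
    """Map each image that matches an entry to the entry that matched it.
    Matched images are exempt from docker.run.internal.asuser."""
    prefixes = parse_ignore_list(ignore_value)
    hits = {}
    for image in images:
        for prefix in prefixes:
            if image.startswith(prefix):
                hits[image] = prefix
                break
    return hits

def broad_prefixes(ignore_value):
    """Return entries without ':'; they are not limited to one full
    container name and can match other names that start the same way."""
    return [p for p in parse_ignore_list(ignore_value) if ":" not in p]

# Container names listed in the guide, plus the counter-example it mentions.
IMAGES = [
    "demisto/python:1.3-alpine",
    "demisto/python:2.7.16.373",
    "demisto/python3:3.7.3.928",
    "demisto/python3:3.7.4.977",
    "demisto/python-deb:2.7.16.373",
]

if __name__ == "__main__":
    # First value is the guide's example; second drops the ':' for comparison.
    for value in ("demisto/python3:,demisto/python:", "demisto/python"):
        hits = ignored_images(value, IMAGES)
        print(f"docker.run.internal.asuser.ignore={value}")
        for image in IMAGES:
            state = "exempt from non-root" if image in hits else "non-root enforced"
            print(f"  {image:32} {state}")
        for prefix in broad_prefixes(value):
            print(f"  warning: entry '{prefix}' has no ':' character")
```

Reviewing the ignore list this way before saving it keeps the set of containers that still run with an internal root user as small as intended.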