Configure the SELinux Policy for PowerShell Integrations - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

Change the SELinux policy when running PowerShell integrations in Cortex XSOAR.

The SELinux policy is a set of rules that guides the SELinux security engine; it defines types for file objects and domains for processes. When Podman runs in rootless mode, its default SELinux policy can deny processes that mmap /dev/zero, which can prevent PowerShell integrations from running.

PowerShell integrations mmap /dev/zero as part of the .NET Core P/Invoke functionality.

To see whether PowerShell integrations can run in Cortex XSOAR, type the following command:

!pwsh script="$demisto.results('ok')"

If the SELinux policy blocks the mapping of /dev/zero, the command fails with an OutOfMemoryException. For example, in the playground you see the following error:

[Image: podman-error.png]

You need to configure the policy module and then reset the containers. If you use engines with Podman, you need to apply the policy configuration on each engine machine.

Note

PowerShell integrations use an internal socket that SELinux may block, depending on the installed container-selinux version. Version 2.144.0 or later of container-selinux is recommended. To upgrade to the latest container-selinux, run the sudo yum update container-selinux command.

  1. Fix the SELinux policy by installing the SELinux policy module.

    1. In the Cortex XSOAR Server, create the following file:

      podman_rootless.te

    2. Add the following content:

      module podman_rootless 1.0;

      require {
          type zero_device_t;
          type container_t;
          class chr_file execute;
      }

      #============= container_t ==============
      allow container_t zero_device_t:chr_file execute;

    3. After running a PowerShell integration in Cortex XSOAR, generate the SELinux policy module from the recorded denials with the audit2allow tool by running the following command:

      sudo grep pwsh /var/log/audit/audit.log | audit2allow -m podman_rootless

    4. Compile the policy module by running the following commands:

      • checkmodule -M -m -o podman_rootless.mod podman_rootless.te

      • semodule_package -o podman_rootless.pp -m podman_rootless.mod

    5. Install the policy module by running the following command:

      sudo semodule -i podman_rootless.pp

  2. Add server configurations and reset the containers in Cortex XSOAR.

    Configure label confinement to allow Python and PowerShell containers to access other script folders.

    1. In Cortex XSOAR, go to Settings > Troubleshooting > Server Configuration and set the following parameters:

      • For Python containers, set python.pass.extra.keys to --security-opt=label=level:s0:c100,c200

      • For PowerShell containers, set powershell.pass.extra.keys to --security-opt=label=level:s0:c100,c200

    2. In the Cortex XSOAR CLI, run the /reset_containers command.

  3. Test the PowerShell script by running the following command:

    !pwsh script="$demisto.results('ok')"
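The checks a practitioner would want before and after installing the module, as an added shell example (not code from the Cortex XSOAR guide): it counts AVC denials that match the single allow rule in podman_rootless.te (container_t executing the zero_device_t character device), compares an installed container-selinux version against the 2.144.0 minimum from the note above, and reports whether the module is loaded. The audit records are constructed samples; the function names and the use of rpm -q, semodule -l and a readable /var/log/audit/audit.log are my assumptions about a typical RHEL-family server or engine host.

```shell
#!/bin/sh
# Added example (not from the Cortex XSOAR guide): pre- and post-checks for
# the /dev/zero denial that the podman_rootless module addresses.
# Assumptions: POSIX awk/grep; standard Linux AVC record format; rpm and
# semodule present on the host (both calls are skipped when absent).

# Constructed AVC records. The first is the denial the module fixes; the
# other two are unrelated records that must not be counted.
SAMPLE_AUDIT='type=AVC msg=audit(1664000000.123:456): avc:  denied  { execute } for  pid=12345 comm="pwsh" path="/dev/zero" dev="devtmpfs" ino=5 scontext=system_u:system_r:container_t:s0:c100,c200 tcontext=system_u:object_r:zero_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1664000000.123:456): arch=c000003e syscall=9 success=no exit=-13 comm="pwsh" exe="/usr/bin/pwsh"
type=AVC msg=audit(1664000002.500:458): avc:  denied  { write } for  pid=12350 comm="python3" name="cache" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0'

# Count AVC denials on stdin that match exactly the rule in podman_rootless.te:
#   allow container_t zero_device_t:chr_file execute;
# A non-zero count means the module is needed (or is not loaded yet).
count_zero_device_denials() {
  awk '/type=AVC/ && /denied +[{] execute [}]/ &&
       /scontext=[^ ]*:container_t:/ &&
       /tcontext=[^ ]*:zero_device_t:/ &&
       /tclass=chr_file/ { n++ }
       END { print n + 0 }'
}

# Return 0 when container-selinux version $1 meets the guide's minimum
# (2.144.0 or higher). Accepts RPM-style strings such as "2.150.0-1.el8".
container_selinux_version_ok() {
  printf '%s\n' "$1" | awk -F'[.-]' '{
    major = $1 + 0; minor = $2 + 0
    ok = (major > 2) || (major == 2 && minor >= 144)
    exit (ok ? 0 : 1)
  }'
}

# Return 0 when the podman_rootless module is loaded (needs semodule).
policy_module_loaded() {
  semodule -l 2>/dev/null | grep -q '^podman_rootless'
}

# Stand-alone run: check the constructed sample first, then the live host
# where the tools exist and the audit log is readable (normally root only).
echo "sample denials matching the podman_rootless rule: $(printf '%s\n' "$SAMPLE_AUDIT" | count_zero_device_denials)"

if command -v rpm >/dev/null 2>&1; then
  # rpm -q exits non-zero when the package is missing; only parse on success.
  if ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' container-selinux 2>/dev/null); then
    if container_selinux_version_ok "$ver"; then
      echo "container-selinux $ver: meets the 2.144.0 minimum"
    else
      echo "container-selinux $ver: below 2.144.0, run: sudo yum update container-selinux"
    fi
  fi
fi

if [ -r /var/log/audit/audit.log ]; then
  echo "live denials matching the rule: $(count_zero_device_denials < /var/log/audit/audit.log)"
fi

if command -v semodule >/dev/null 2>&1; then
  if policy_module_loaded; then
    echo "podman_rootless module: loaded"
  else
    echo "podman_rootless module: not loaded (run: sudo semodule -i podman_rootless.pp)"
  fi
fi
```

Run it once before step 1 to confirm the denial is actually the /dev/zero execute rule (a different scontext or tclass means the module above will not help), and again after step 1 on each engine machine: the live denial count should stop growing and the module should report as loaded.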