Run Docker with Non-Root Internal Users

Follow these instructions to run Docker containers with non-root internal users, and to exclude the containers that do not support non-root internal users.
For additional security isolation, we recommend running Docker containers as non-root internal users. This follows the principle of least privilege: a process that escapes the container, or that is compromised inside it, does not hold root inside the container's namespace.
  1. Configure Cortex XSOAR Server to execute containers as non-root internal users.
    1. Select Settings > About > Troubleshooting > Add Server Configuration.
    2. Add the following:
       Key: docker.run.internal.asuser
       Value: true
    3. Click Save.
    4. Reset the running containers using one of the following methods:
       - From the Cortex XSOAR CLI, run the /reset_containers command.
       - Alternatively, restart the Cortex XSOAR Server.
    5. From the Cortex XSOAR CLI, run the following command to check whether the container is running as a non-root internal user:
       !py script="import os;print(os.getuid())"
       If the server configuration was added successfully and the container is running with a non-root internal user, the output is a non-zero UID.
       (Image: docker-config.png)
       If the server configuration was not configured correctly and the container is running with an internal root user, the output is 0.
  2. For containers that do not support non-root internal users, add them to the ignore list.
    1. Select Settings > About > Troubleshooting > Add Server Configuration.
    2. Add the following:
       Key: docker.run.internal.asuser.ignore
       Value: a CSV list of container names. The Cortex XSOAR server treats each entry as a prefix and matches every container whose image name starts with it.
       For example:
       docker.run.internal.asuser.ignore=demisto/python3:,demisto/python:
       With this value, the Cortex XSOAR server matches the following containers:
       demisto/python:1.3-alpine
       demisto/python:2.7.16.373
       demisto/python3:3.7.3.928
       demisto/python3:3.7.4.977
       End each entry with the : character to limit the match to the full image name. For example, because the entries above end with :, they do not match demisto/python-deb:2.7.16.373.
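The following is an added example, not code from the Cortex XSOAR documentation or product, that models the prefix matching described above so the effect of the trailing : can be checked before the value is saved. The function names (parse_ignore_list, is_ignored, classify, ignored_images) and the sample image list are assumptions made for this illustration; the server's real matching code is not shown on this page and may differ in detail.

```python
# Added example (not Cortex XSOAR code): model of how a CSV prefix list such as
# docker.run.internal.asuser.ignore is matched against container image names.
# Every image that matches is exempt from the non-root setting and keeps running
# as an internal root user, so the goal is a list that is as narrow as possible.

# Constructed sample value, taken from the documentation's own example.
IGNORE_VALUE = "demisto/python3:,demisto/python:"

# Constructed sample image names: the four the page says are matched,
# plus the one it says is not.
SAMPLE_IMAGES = [
    "demisto/python:1.3-alpine",
    "demisto/python:2.7.16.373",
    "demisto/python3:3.7.3.928",
    "demisto/python3:3.7.4.977",
    "demisto/python-deb:2.7.16.373",
]


def parse_ignore_list(value):
    """Split the CSV value into trimmed, non-empty prefixes (hypothetical helper)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def is_ignored(image, prefixes):
    """True if the image name starts with any configured prefix (assumed semantics)."""
    return any(image.startswith(prefix) for prefix in prefixes)


def classify(images, value):
    """Map each image name to whether the given ignore value exempts it from non-root."""
    prefixes = parse_ignore_list(value)
    return {image: is_ignored(image, prefixes) for image in images}


def ignored_images(images, value):
    """Sorted list of the images that would keep running as internal root."""
    return sorted(image for image, exempt in classify(images, value).items() if exempt)


def main():
    # With the trailing ':' the match stops at the full image name.
    print("value:", IGNORE_VALUE)
    for image, exempt in classify(SAMPLE_IMAGES, IGNORE_VALUE).items():
        print(f"  {'ROOT   ' if exempt else 'nonroot'}  {image}")

    # Without the ':' the entry is only a bare prefix, so demisto/python-deb
    # (and demisto/python3) are silently exempted as well.
    loose_value = "demisto/python"
    print("value:", loose_value)
    for image, exempt in classify(SAMPLE_IMAGES, loose_value).items():
        print(f"  {'ROOT   ' if exempt else 'nonroot'}  {image}")


if __name__ == "__main__":
    main()
```

Running the script prints the two classifications side by side: with the documented value only the four demisto/python and demisto/python3 images are exempt, while the bare prefix demisto/python also sweeps in demisto/python-deb, which is the over-match the page warns about.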
