Docker Hardening Guide
Use the Docker Hardening Guide to configure the Cortex
XSOAR settings when running Docker containers.
This guide describes the recommended
Cortex XSOAR settings for securely running Docker containers.
Use Latest Docker Version
To securely run Docker containers, it is recommended to use the
latest Docker version.
Run Docker with a Non-Root Internal User
Running Docker containers with non-root internal users provides
added security isolation and follows the principle of least privilege.
For more information, see Run Docker with Non-Root Internal Users.
To securely run Docker containers, it is recommended to use the
latest Docker version.
Limit Container Resources
To protect the host from a container using too many system resources
(either because of a software bug or a DoS attack), limit the resources
available for each container. In Cortex XSOAR, some of these settings
are set using the advanced parameter:
python.pass.extra.keys
.
This key receives as a parameter full docker run
options,
separated with the ##
string.Limit Available Memory
It is recommended limiting available memory for each container
to 1 GB.
On RHEL and CentOS 7.x distributions with Docker CE or
EE with version 17.06 and later, ensure that your kernel fully supports
kmem accounting or that it has been compiled to disable kmem accounting.
The kmem accounting feature in Red Hat’s Linux kernel has been reported
to contain bugs, which cause kernel deadlock or slow kernel memory
leaks. This is caused by a patch introduced in runc, which turns
on kmem accounting automatically when user memory limitation is configured,
even if not requested by the Docker CLI setting
--kernel-memory
(see: opencontainers/runc#1350). Users
using Red Hat's distribution of Docker based on version 1.13.1 are
not affected as this distribution of Docker does not include the runc
patch. For more information see Red Hat’s Docker distribution
documentation.If you do not want to apply Docker memory
limitations, due to the note above, you should explicitly set the
advanced parameter:
limit.docker.memory
to false
.Swap Limit Support
: Not all Linux distributions have the
swap limit support enabled by default.- Red Hat and CentOS distributions usually have swap limit support enabled by default.
- Debian and Ubuntu distributions usually have swap limit support disabled by default.
To check if your system supports swap limit capabilities, after
logging into the Server machine console (ssh), run the following
command:
sudo docker run --rm -it --memory=1g demisto/python:1.3-alpine true
command.
If you see the WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
message
in the output (the message may vary between Docker versions), you
have two options:- Configureswap limit capabilitiesby following the Docker documentation.
If
swap limit capabilities
is enabled, Configure the Memory Limitation.To test the memory, see Test the Memory Limit.
Limit Available CPU
It is recommended limiting each container to 1 CPU. See Limit Available CPU.
Limit PIDs
It is recommend limiting each container to 256 PIDs. This value
is sufficient for using threads and sub-processes, and protects
against a fork bomb. You need to configure the PIDs
limit, by setting the
python.pass.extra.keys
advanced
parameter. If you have this key already set up with a value append
to it the config after a ## separator.Limit Open File Descriptors
It is recommend using a soft/hard limit of 1024/8192 filed descriptors
for each container process. You need to Configure the Open File Descriptors Limit. If you have
this key already setup with a value, append to it the config after
a ## separator.
Check Docker Hardening Configuration
To test that the hardening configuration has been applied correctly
use the
DockerHardeningCheck
automation.
For example:Successful output:
Unsuccessful output:
Working with engines
For each engine to which you want to apply Docker hardening,
you need to edit the engine’s
configuration to include the Docker hardening advanced parameters.
For example, you would add the following snippet to the configuration
JSON file:
{"docker.run.internal.asuser": true,"limit.docker.cpu": true,"limit.docker.memory": true,"python.pass.extra.keys": "--pids-limit=256##--ulimit=nofile=1024:8192"}
To verify that memory and CPU are being limited, run the
docker stats
command
on the engine machine.Docker Images Specific Settings
You can apply more specific fine tuned settings to Docker images,
according to the Docker image name or the Docker image name including
the image tag. To apply settings to a Docker image name, use the
advanced server configuation
python.pass.extra.keys.
.
For example, <image_name>
python.pass.extra.keys.demisto/dl
.
To apply settings to a Docker image name including the image tag,
use python.pass.extra.keys.
.
For example, <image_name>
:<image_tag>
python.pass.extra.keys.demisto/dl:1.4
.For example, to set the Docker images demisto/dl (all tags) to
use a higher max memory value of 2g and to remain with the recommended
PIDs and ulimit, use the following:
Key | Value |
|---|---|
python.pass.extra.keys.demisto/dl | --memory=2g##--ulimit=nofile=1024:8192##--pids-limit=256 |
If you apply Docker image specific settings, they will be used
instead of the general python.pass.extra.keys setting. This will
also override the general memory and CPU settings as needed.
To apply these settings to engines, edit each engine’s
configuration file to include the advanced parameters.
