Docker Hardening Guide

Use the Docker Hardening Guide to configure the Cortex XSOAR settings when running Docker containers.
This guide describes the recommended Cortex XSOAR settings for securely running Docker containers.
Run Docker with a Non-Root Internal User
Running Docker containers with non-root internal users provides added security isolation and follows the principle of least privilege. For more information, see Run Docker with Non-Root Internal Users.
Use Latest Docker Version
To securely run Docker containers, it is recommended to use the latest Docker version.
Limit Container Resources
To protect the host from a container using too many system resources (either because of a software bug or a DoS attack), limit the resources available for each container. In Cortex XSOAR, some of these settings are set using the advanced parameter:
python.pass.extra.keys
. This key receives as a parameter full
docker run
options, separated with the
##
string.
Limit Available Memory
It is recommended limiting available memory for each container to 1 GB.
On RHEL and CentOS 7.x distributions with Docker CE or EE with version 17.06 and later, ensure that your kernel fully supports kmem accounting or that it has been compiled to disable kmem accounting. The kmem accounting feature in Red Hat’s Linux kernel has been reported to contain bugs, which cause kernel deadlock or slow kernel memory leaks. This is caused by a patch introduced in runc, which turns on kmem accounting automatically when user memory limitation is configured, even if not requested by the Docker CLI setting
--kernel-memory
(see: opencontainers/runc#1350). Users using Red Hat's distribution of Docker based on version 1.13.1 are not affected as this distribution of Docker does not include the runc patch. For more information see Red Hat’s Docker distribution documentation.
If you do not want to apply Docker memory limitations, due to the note above, you should explicitly set the advanced parameter:
limit.docker.memory
to
false
.
Swap Limit Support
: Not all Linux distributions have the swap limit support enabled by default.
  • Red Hat and CentOS distributions usually have swap limit support enabled by default.
  • Debian and Ubuntu distributions usually have swap limit support disabled by default.
To check if your system supports swap limit capabilities, after logging into the Server machine console (ssh), run the following command:
sudo docker run --rm -it --memory=1g demisto/python:1.3-alpine true
command. If you see the
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
message in the output (the message may vary between Docker versions), you have two options:
If
swap limit capabilities
is enabled, Configure the Memory Limitation.
To test the memory, see Test the Memory Limit.
Limit Available CPU
It is recommended limiting each container to 1 CPU. See Limit Available CPU.
Limit PIDs
It is recommend limiting each container to 256 PIDs. This value is sufficient for using threads and sub-processes, and protects against a fork bomb. You need to configure the PIDs limit, by setting the
python.pass.extra.keys
advanced parameter. If you have this key already set up with a value append to it the config after a ## separator.
Limit Open File Descriptors
It is recommend using a soft/hard limit of 1024/8192 filed descriptors for each container process. You need to Configure the Open File Descriptors Limit. If you have this key already setup with a value, append to it the config after a ## separator.
Check Docker Hardening Configuration
To test that the hardening configuration has been applied correctly use the
DockerHardeningCheck
automation. For example:
Successful output:
docker-hard-config.png
Unsuccessful output:
docker-hard-unsuccess.png
Working with engines
For each engine to which you want to apply Docker hardening, you need to edit the engine’s configuration to include the Docker hardening advanced parameters. For example, you would add the following snippet to the configuration JSON file:
{"docker.run.internal.asuser": true,"limit.docker.cpu": true,"limit.docker.memory": true,"python.pass.extra.keys": "--pids-limit=256##--ulimit=nofile=1024:8192"}

Recommended For You