Document: Cortex XSOAR Administrator’s Guide
Last Updated: Thu Apr 08 07:28:32 PDT 2021
Current Version: 6.0
Run Docker with Non-Root Internal Users
Follow these instructions to run Docker containers as non-root internal users, and to configure exceptions for containers that do not support non-root internal users.
For additional security isolation, we recommend running Docker containers as non-root internal users. This follows the principle of least privilege.
Configure Cortex XSOAR Server to execute containers as non-root internal users.
Select Settings > About > Troubleshooting > Add Server Configuration.
Add the following:
Key: docker.run.internal.asuser
Value: true
Click Save.
Reset the running containers using one of the following methods:
From the Cortex XSOAR CLI, run the /reset_containers command.
Alternatively, restart the Cortex XSOAR Server.
From the Cortex XSOAR CLI, type the following command to check if the container is running as a non-root internal user:
!py script="import os;print(os.getuid())"
If the server configuration was added successfully and the container is running with a non-root internal user, the output is a non-zero UID.
If the server configuration was not configured correctly and the container is running with an internal root user, the output is 0.
For containers that do not support non-root internal users:
Select Settings > About > Troubleshooting > Add Server Configuration.
Add the following:
Key: docker.run.internal.asuser.ignore
Value: A CSV list of container names. The Cortex XSOAR server matches container names by prefix against each entry in the list.
For example, docker.run.internal.asuser.ignore=demisto/python3:,demisto/python:
With this value, the Cortex XSOAR server matches the following containers:
demisto/python:1.3-alpine
demisto/python:2.7.16.373
demisto/python3:3.7.3.928
demisto/python3:3.7.4.977
Use the : character to limit the match to the full name of the container. For example, with the : character, the match does not find demisto/python-deb:2.7.16.373.
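The prefix matching described above, as an added example that is not Cortex XSOAR code: it assumes a plain string-prefix comparison and uses a constructed loose value, demisto/python, to show which images an entry without the : character would exempt from non-root execution. The function names are hypothetical.

```python
# Added example: models the prefix matching described on this page.
# Assumption: matching is a plain string-prefix comparison. Not Cortex XSOAR code.

def parse_ignore_list(csv_value):
    """Split a docker.run.internal.asuser.ignore value into its prefixes."""
    return [p.strip() for p in csv_value.split(",") if p.strip()]


def ignored_images(csv_value, images):
    """Map each image that would be exempted to the prefix that matched it."""
    prefixes = parse_ignore_list(csv_value)
    hits = {}
    for image in images:
        for prefix in prefixes:
            if image.startswith(prefix):
                hits[image] = prefix
                break
    return hits


def overbroad_prefixes(csv_value, images):
    """Return prefixes that exempt images from more than one repository.

    An entry without a trailing ':' also matches sibling repositories whose
    names merely start with the same text, so more containers keep running
    as root than the administrator intended.
    """
    result = {}
    for prefix in parse_ignore_list(csv_value):
        repos = {img.split(":", 1)[0] for img in images if img.startswith(prefix)}
        if len(repos) > 1:
            result[prefix] = sorted(repos)
    return result


# Image names taken from the page; the LOOSE value is constructed for comparison.
IMAGES = [
    "demisto/python:1.3-alpine",
    "demisto/python:2.7.16.373",
    "demisto/python3:3.7.3.928",
    "demisto/python3:3.7.4.977",
    "demisto/python-deb:2.7.16.373",
]
STRICT = "demisto/python3:,demisto/python:"
LOOSE = "demisto/python"

if __name__ == "__main__":
    print("strict exempts:", sorted(ignored_images(STRICT, IMAGES)))
    print("loose exempts: ", sorted(ignored_images(LOOSE, IMAGES)))
    print("over-broad:    ", overbroad_prefixes(LOOSE, IMAGES))
```

Running overbroad_prefixes against the list of images actually in use, before saving the server configuration, shows whether any entry leaves more images on an internal root user than intended.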