topic Re: Docker running as non-root, but hardening script fails? in Cortex XSOAR Discussions https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/docker-running-as-non-root-but-hardening-script-fails/m-p/470340#M624 <P>Thanks will review -&nbsp;</P> Thu, 03 Mar 2022 23:14:44 GMT jboyd98 2022-03-03T23:14:44Z Docker running as non-root, but hardening script fails? https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/docker-running-as-non-root-but-hardening-script-fails/m-p/470261#M616 <P>Relatively new admin to XSOAR; previous admin has left.</P><P>Just completed upgrade to latest 6.5 version.</P><P><BR />Could anyone help me understand the following:</P><P><BR />I have a service account that seems to run xsoar demisto server containers; used ps-ef|grep demisto and return a number of containers; "demisto" is the user below.</P><P class=""><EM><STRONG><SPAN class="">demisto</SPAN></STRONG><SPAN class=""><SPAN class="">&nbsp; </SPAN>32710<SPAN class="">&nbsp; </SPAN>3808<SPAN class="">&nbsp; </SPAN>0 10:56 ?<SPAN class="">&nbsp; &nbsp; &nbsp; &nbsp; </SPAN>00:00:02 docker run -i --rm --name </SPAN><SPAN class="">demisto</SPAN></EM><SPAN class=""><EM>server_pyexec-63f590f3-2b4f-4182-8894-</EM><BR /><BR />Why is it that docker hardening script check fails with the following:<BR /></SPAN></P><TABLE><TBODY><TR><TD><SPAN class="">Non-root User</SPAN></TD><TD><SPAN class="">Failed: Running as root with uid: 0. It seems that you haven't set the docker container to run with a non-root internal user.</SPAN></TD></TR></TBODY></TABLE><P class=""><SPAN class="">&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jboyd98_0-1646331218200.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39443i0416D23ABD0D0E88/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jboyd98_0-1646331218200.png" alt="jboyd98_0-1646331218200.png" /></span></P><P>&nbsp;</P><P class="">&nbsp;</P><P class="">Thanks,</P><P class=""><BR />Boyd</P> Thu, 03 Mar 2022 18:15:11 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/docker-running-as-non-root-but-hardening-script-fails/m-p/470261#M616 jboyd98 2022-03-03T18:15:11Z Re: Docker running as non-root, but hardening script fails? https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/docker-running-as-non-root-but-hardening-script-fails/m-p/470333#M623 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208132">@jboyd98</a>,&nbsp;</P><P>&nbsp;</P><P>To set Docker containers to run as non-root internal users, please set the server configuration <STRONG>docker.run.internal.asuser</STRONG> to&nbsp;<STRONG>true</STRONG>, as per this document:&nbsp;<A href="https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/docker/docker-hardening-guide/run-docker-with-non-root-internal-users.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/docker/docker-hardening-guide/run-docker-with-non-root-internal-users.html</A>. After setting that server config and running&nbsp;<STRONG>/reset_containers</STRONG>, all docker hardening checks should pass.</P><P>&nbsp;</P><P><SPAN>You are seeing the user <STRONG>demisto&nbsp;</STRONG>in your&nbsp;<STRONG>ps -ef | grep demisto</STRONG> output because the&nbsp;<STRONG>demisto&nbsp;</STRONG>user kicks off the docker process. If you have&nbsp;<STRONG>docker.run.internal.asuser</STRONG>&nbsp;set to&nbsp;<STRONG>true</STRONG>, you will see the arg&nbsp;</SPAN><SPAN class=""><STRONG>--user &lt;UID&gt;</STRONG> is passed to the docker process. Otherwise, the&nbsp;<STRONG>--user&nbsp;</STRONG>arg does not get passed, so the docker container runs as root, the default behavior.&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN class="">XSOAR launches a docker container by running a python loop script&nbsp;</SPAN><SPAN class=""><STRONG>_script_docker_python_loop.py</STRONG>, which you will see at the end of the line in the&nbsp;<STRONG>ps&nbsp;</STRONG>output. The user that&nbsp;<STRONG>_script_docker_python_loop.py</STRONG>&nbsp;runs as will vary depending on the&nbsp;<SPAN><STRONG>docker.run.internal.asuser</STRONG></SPAN> server config value. You can verify this by running:&nbsp;&nbsp;</SPAN><STRONG><SPAN class="">ps -ef | grep _script_docker_python_loop.py<BR /></SPAN></STRONG></P><P><SPAN class="">&nbsp;The loop script is explained in more detail here:&nbsp;<A href="https://xsoar.pan.dev/docs/integrations/docker#advanced-server---container-communication" target="_blank" rel="noopener">https://xsoar.pan.dev/docs/integrations/docker#advanced-server---container-communication</A></SPAN></P><P>&nbsp;</P><P><SPAN class="">Hope that helps!</SPAN></P> Thu, 03 Mar 2022 22:55:15 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/docker-running-as-non-root-but-hardening-script-fails/m-p/470333#M623 asawyer 2022-03-03T22:55:15Z Re: Docker running as non-root, but hardening script fails? https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/docker-running-as-non-root-but-hardening-script-fails/m-p/470340#M624 <P>Thanks will review -&nbsp;</P> Thu, 03 Mar 2022 23:14:44 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/docker-running-as-non-root-but-hardening-script-fails/m-p/470340#M624 jboyd98 2022-03-03T23:14:44Z