Docker running as non-root, but hardening script fails?


L2 Linker

Relatively new admin to XSOAR; previous admin has left.

Just completed upgrade to latest 6.5 version.


Could anyone help me understand the following:


I have a service account that seems to run the XSOAR demisto server containers; I used ps -ef | grep demisto and it returned a number of containers; "demisto" is the user below.

demisto  32710  3808  0 10:56 ?        00:00:02 docker run -i --rm --name demistoserver_pyexec-63f590f3-2b4f-4182-8894-

Why is it that the docker hardening script check fails with the following:

Non-root User: Failed: Running as root with uid: 0. It seems that you haven't set the docker container to run with a non-root internal user.

Thanks,


Boyd

1 ACCEPTED SOLUTION

L2 Linker

Hi @jboyd98

To set Docker containers to run as non-root internal users, please set the server configuration docker.run.internal.asuser to true, as per this document: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/docker/docker-hardening.... After setting that server config and running /reset_containers, all docker hardening checks should pass.

You are seeing the user demisto in your ps -ef | grep demisto output because the demisto user kicks off the docker process. If you have docker.run.internal.asuser set to true, you will see the arg --user <UID> is passed to the docker process. Otherwise, the --user arg does not get passed, so the docker container runs as root, the default behavior.

XSOAR launches a docker container by running a python loop script _script_docker_python_loop.py, which you will see at the end of the line in the ps output. The user that _script_docker_python_loop.py runs as will vary depending on the docker.run.internal.asuser server config value. You can verify this by running: ps -ef | grep _script_docker_python_loop.py

The loop script is explained in more detail here: https://xsoar.pan.dev/docs/integrations/docker#advanced-server---container-communication

Hope that helps!
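The check the answer describes (does each XSOAR container launch line carry a --user <UID>, and is that UID non-zero?) can be scripted over the same ps -ef output. This is an added example, not code from the thread or from Palo Alto Networks; the ps lines, container names, UID 4000 and the IMAGE placeholder are constructed, and it assumes the --user argument appears as "--user <UID>" or "--user=<UID>".

```shell
#!/bin/sh
# Added example (not from the thread): flag XSOAR "docker run" lines that
# would still run as root inside the container, i.e. those with no --user
# argument, or with --user 0.

# Return 0 when the docker run command line in $1 carries a non-zero --user UID.
runs_as_nonroot() {
  uid=$(printf '%s\n' "$1" | sed -n 's/.*--user[ =]\([0-9][0-9]*\).*/\1/p')
  [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# Read a ps -ef style listing on stdin and print how many "docker run"
# lines lack a non-root --user argument (the condition the hardening check
# reports as "Running as root with uid: 0"). Other lines, e.g. the grep
# itself, are ignored.
count_root_containers() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      *"docker run"*) ;;
      *) continue ;;
    esac
    if ! runs_as_nonroot "$line"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed sample listing in the ps -ef format quoted in the question.
# IMAGE stands in for the real Docker image name; UIDs and names are made up.
SAMPLE='demisto 32710 3808 0 10:56 ? 00:00:02 docker run -i --rm --name demistoserver_pyexec-aaaa --user 4000 IMAGE python _script_docker_python_loop.py
demisto 32711 3808 0 10:57 ? 00:00:01 docker run -i --rm --name demistoserver_pyexec-bbbb IMAGE python _script_docker_python_loop.py
demisto 32712 3808 0 10:57 ? 00:00:00 grep _script_docker_python_loop.py'

# Against the sample this prints 1: the second container has no --user arg.
# Live usage: ps -ef | grep _script_docker_python_loop.py | count_root_containers
printf '%s\n' "$SAMPLE" | count_root_containers
```

A count of 0 on a live host is what you expect after docker.run.internal.asuser is set to true and /reset_containers has been run.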



L2 Linker

Thanks, will review.
