03-03-2022 10:15 AM
Relatively new admin to XSOAR; previous admin has left.
Just completed upgrade to latest 6.5 version.
Could anyone help me understand the following:
I have a service account that seems to run XSOAR demisto server containers; I used ps -ef | grep demisto and it returned a number of containers; "demisto" is the user below.
demisto 32710 3808 0 10:56 ? 00:00:02 docker run -i --rm --name demistoserver_pyexec-63f590f3-2b4f-4182-8894-
Why is it that the docker hardening script check fails with the following:
Non-root User | Failed: Running as root with uid: 0. It seems that you haven't set the docker container to run with a non-root internal user. |
Thanks,
Boyd
03-03-2022 02:55 PM
Hi @jboyd98,
To set Docker containers to run as non-root internal users, please set the server configuration docker.run.internal.asuser to true, as per this document: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/docker/docker-hardening.... After setting that server config and running /reset_containers, all docker hardening checks should pass.
You are seeing the user demisto in your ps -ef | grep demisto output because the demisto user kicks off the docker process. If you have docker.run.internal.asuser set to true, you will see the arg --user <UID> is passed to the docker process. Otherwise, the --user arg does not get passed, so the docker container runs as root, the default behavior.
XSOAR launches a docker container by running a python loop script _script_docker_python_loop.py, which you will see at the end of the line in the ps output. The user that _script_docker_python_loop.py runs as will vary depending on the docker.run.internal.asuser server config value. You can verify this by running: ps -ef | grep _script_docker_python_loop.py
The loop script is explained in more detail here: https://xsoar.pan.dev/docs/integrations/docker#advanced-server---container-communication
Hope that helps!
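The ps check described in the answer above, as an added example that is not part of the original reply or of XSOAR: it reads ps -ef lines and reports, per container, whether docker run was given --user. The sample lines, image name, container names and UID 4000 are constructed, and only the --user forms are parsed (an assumption based on the flag named in the answer).

```shell
#!/bin/sh
# Added example (not XSOAR code). Reads `ps -ef` lines on stdin and prints
# "<container name><TAB><verdict>" for every `docker run` process found.
audit_container_users() {
  awk '
    {
      name = ""; user = ""; is_run = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "docker" && $(i + 1) == "run") is_run = 1
        if (!is_run) continue
        if ($i == "--name")          name = $(i + 1)
        else if ($i ~ /^--name=/)    name = substr($i, 8)
        else if ($i == "--user")     user = $(i + 1)
        else if ($i ~ /^--user=/)    user = substr($i, 8)
      }
      if (!is_run) next                      # e.g. the grep process itself
      if (name == "") name = "pid-" $2       # fall back to the PID column
      split(user, part, ":")                 # --user may be UID or UID:GID
      if (user == "")
        verdict = "ROOT_DEFAULT"             # no --user: runs as root per the answer
      else if (part[1] == "0" || part[1] == "root")
        verdict = "ROOT_EXPLICIT"
      else
        verdict = "NONROOT:" part[1]
      printf "%s\t%s\n", name, verdict
    }'
}

# Constructed sample input (names, image and UID 4000 are made up).
SAMPLE_PS='demisto 32710 3808 0 10:56 ? 00:00:02 docker run -i --rm --name demistoserver_pyexec-example-a example/image:tag python _script_docker_python_loop.py
demisto 32744 3808 0 10:57 ? 00:00:01 docker run -i --rm --user 4000 --name demistoserver_pyexec-example-b example/image:tag python _script_docker_python_loop.py
demisto 32760 3808 0 10:57 ? 00:00:01 docker run -i --rm --user=0:0 --name demistoserver_pyexec-example-c example/image:tag python _script_docker_python_loop.py
demisto 32790 3808 0 10:58 pts/0 00:00:00 grep demisto'

# On a live server: ps -ef | audit_container_users
printf '%s\n' "$SAMPLE_PS" | audit_container_users
```

Any ROOT_DEFAULT line after setting docker.run.internal.asuser and running /reset_containers points to a container that was started before the change took effect.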