DockerHardeningCheck
Common Scripts Pack.#
This Script is part of theChecks if the Docker container running this script has been hardened according to the recommended settings located in the Docker hardening guide (Cortex XSOAR 6.13) or Docker hardening guide (Cortex XSOAR 8 Cloud) or Docker hardening guide (Cortex XSOAR 8.7 On-prem).
#
Script DataName | Description |
---|---|
Script Type | python3 |
Tags | Utility |
Cortex XSOAR Version | 5.0.0+ |
#
InputsArgument Name | Description |
---|---|
memory | The amount of memory to check. This is specified in bytes or append MB/GB for Mega/Giga bytes. The default is 1 GB. |
memory_check | The memory check type to perform: cgroup - check memory cgroup configuration, allocate - try allocating actual memory and verify that the allocation fails. Note the allocate test on some configurations may cause the container to be killed by the linux memory manager and the whole test will then time out. |
pids | The maximum number of PIDs to check. |
fds_soft | The soft file descriptor limit to check. |
fds_hard | The hard file descriptor limit to check. |
cpus | The number of CPUs limit to check. |
network_check | The network check to perform. cloud_metadata - check that access is blocked to cloud metadata server, host_machine - check that access is blocked to the host machine on the default gateway IP, all - perform all network tests. |
#
OutputsThere are no outputs for this script.
#
Notes- Network Host Check: The network host check only checks available access on the default gateway's IP using an https request to port 443. There still may be access available to the host network either on a different IP or port and this check will not detect it.