Deploy Cyberwatch with swarm on a hardened system

On hardened systems, depending on the system configuration, several problems can stop Cyberwatch from working correctly.

This documentation lists the usual hardening measures likely to interfere with Docker, and how to disable or adapt these configurations when necessary.

SELinux

Having SELinux enabled can cause problems for Docker and its containers.

It is possible to disable SELinux by adding the following line to the /etc/selinux/config file (the change takes effect after a reboot):

SELINUX=disabled

If SELinux must stay enabled, it can be configured without impacting Docker by following our documentation: configure SELinux with Swarm

Sysctl configurations

Having the net.ipv4.ip_forward parameter disabled can prevent Docker from forwarding network traffic to and from the containers. In this case, enable the net.ipv4.ip_forward parameter by adding the following line to the /etc/sysctl.conf file:

net.ipv4.ip_forward = 1

Execution on /var/lib/docker/

The /var/lib/docker/ directory, which is Docker's default data directory, must have the exec mount option enabled.

To allow execution on this directory (the remount only applies if /var/lib/docker/ is itself a mount point), use the command:

mount -o remount,exec /var/lib/docker

Kernel modules

The following kernel modules must be enabled through modprobe:

  • overlay
  • br_netfilter
  • vxlan

This can be achieved using the following commands:

cat <<EOL >> /etc/sysconfig/modules/docker_prerequisites.modules
#!/bin/bash
modprobe overlay
modprobe br_netfilter
modprobe vxlan

exit 0
EOL

chmod +x /etc/sysconfig/modules/docker_prerequisites.modules

The commands above create the /etc/sysconfig/modules/docker_prerequisites.modules file with the required modprobe calls and make it executable.

Firewalld

In some cases, the firewalld service can also block communication between containers, or between the containers and the Internet.

Stopping and disabling the firewalld service is therefore recommended:

systemctl stop firewalld
systemctl disable firewalld
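As an added example (not part of Cyberwatch's own documentation or tooling), the following POSIX shell script checks the prerequisites from the SELinux, sysctl, /var/lib/docker/, kernel modules and firewalld sections above. Each check reads a /proc-style file passed as an argument, so it can be tested against constructed sample files as well as the live host; check_host is a hypothetical wrapper that points the checks at the real system files.

```shell
#!/bin/sh
# Offline-testable checks for the hardening prerequisites listed above.

# ip_forward_ok FILE -> 0 if FILE (e.g. /proc/sys/net/ipv4/ip_forward) holds 1
ip_forward_ok() { [ "$(cat "$1" 2>/dev/null)" = "1" ]; }

# mount_has_exec DIR MOUNTS_FILE -> 0 unless the most specific mount point
# containing DIR (from a /proc/mounts-formatted file) carries "noexec".
mount_has_exec() {
    awk -v dir="$1" '
        {   mp = $2; opts = $4
            if (dir == mp || index(dir, mp "/") == 1 || mp == "/") {
                if (length(mp) >= length(best)) { best = mp; bestopts = opts }
            }
        }
        END {
            n = split(bestopts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 1
            exit 0
        }' "$2"
}

# modules_loaded MODULES_FILE NAME... -> 0 only if every NAME appears in the
# first column of a /proc/modules-formatted file. Caveat: a feature compiled
# into the kernel (not a loadable module) is not listed there.
modules_loaded() {
    file="$1"; shift; missing=""
    for m in "$@"; do
        awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' "$file" || missing="$missing $m"
    done
    [ -z "$missing" ] || { echo "missing kernel modules:$missing" >&2; return 1; }
}

# check_host: run every check against the live system and report findings.
check_host() {
    rc=0
    ip_forward_ok /proc/sys/net/ipv4/ip_forward || { echo "net.ipv4.ip_forward is not 1"; rc=1; }
    mount_has_exec /var/lib/docker /proc/mounts || { echo "/var/lib/docker is mounted noexec"; rc=1; }
    modules_loaded /proc/modules overlay br_netfilter vxlan || rc=1
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = "Enforcing" ]; then
        echo "SELinux is enforcing: disable it or apply the Swarm SELinux configuration"
    fi
    if systemctl is-active --quiet firewalld 2>/dev/null; then
        echo "firewalld is active"; rc=1
    fi
    return $rc
}

# Invoke with --run on the Docker host; a non-zero exit means a prerequisite is missing.
[ "${1:-}" = "--run" ] && check_host
```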

System updates

We recommend that the system hosting the Cyberwatch application have the latest available system and application updates.

This specifically applies to hardened systems, since they may not have been updated for a long time.

Verify your configuration

Some resources can help verify that the kernel and its configuration are compatible with running containers: