Yes! You can install the Halo agent with RUN instructions in a Dockerfile, just like installing any other application when building a Docker image. Each Halo agent protects the contents of the individual container into which it has been installed. You can also install a Halo agent on the host machine outside of any container, where it runs in the same environment as the Docker Engine.
Most Halo modules and services are supported in the Docker environment—including Configuration Security Monitoring, File Integrity Monitoring, Software Vulnerability Assessment, Log-Based Intrusion Detection, and event logging and alerting.
There are a few caveats and considerations to keep in mind if you are running Halo in a Dockerized environment:
- The Docker Engine by default modifies the host's iptables FORWARD chain. If a Halo agent is also installed on the host and has an assigned Halo firewall policy, Halo inserts a reject rule in the FORWARD chain, creating a conflict. However, Halo in audit mode does not make any changes to the host firewall, so Halo fully supports the Docker Engine (for all Halo modules available in audit mode—which is all but Workload Firewall Management and Server Account Management).
  Alternatively, you can run Halo in full-functionality mode and simply not enable Workload Firewall Management.
- Most Docker images do not include the iptables package as a dependency, so a container generally has no iptables firewall. Therefore, for container protection the recommendation is the same—run Halo in audit mode or disable Workload Firewall Management.
- In a Docker container, the Halo agent needs to run in the foreground. To run Halo in the foreground, use the CMD instruction with these options:
Note: Many of the Dockerfiles in the Docker Hub repository illustrate use of the CMD instruction.
- Halo requires the following packages to be installed as part of the Docker image using a RUN instruction: curl, lsof, sudo.
- If a Halo agent is installed in a Docker environment (either in audit mode or with Halo firewalls disabled), modifications may be necessary to facilitate the connection between the Halo agent and the Halo analytics engine. The Docker Engine and any containers running the Halo agent must be able to resolve grid.cloudpassage.com and connect to it on TCP/443. The connection can be proxied, in which case the agent must be able to connect to the proxy on TCP/443. Any firewalls or security groups in the path may need to be adjusted.
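
The package and connectivity requirements above can be checked before the agent is installed. The script below is an added example, not part of the Halo documentation or tooling: it confirms that curl, lsof and sudo are present, then uses curl to test name resolution and the TCP/443 path to grid.cloudpassage.com, directly or through a proxy. The HALO_PROXY variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight check for a host or container that will run the Halo agent.
GRID_HOST="grid.cloudpassage.com"   # grid endpoint named on this page
GRID_PORT=443                       # port named on this page

# Print the required commands that are missing from PATH (empty output = all present).
missing_packages() {
    missing=""
    for cmd in "$@"; do
        command -v "$cmd" >/dev/null 2>&1 || missing="$missing $cmd"
    done
    echo "${missing# }"
}

# Map a curl exit code to the part of the network path that needs attention.
explain_curl_rc() {
    case "$1" in
        0)  echo "ok" ;;
        5)  echo "proxy name does not resolve" ;;
        6)  echo "DNS: $GRID_HOST does not resolve" ;;
        7)  echo "TCP/$GRID_PORT connection failed" ;;
        28) echo "timeout: check firewalls and security groups" ;;
        *)  echo "curl exit code $1" ;;
    esac
}

# Reach the grid directly, or through the proxy passed as $1
# (for example proxy.example.internal:443, a constructed name).
check_grid() {
    if [ -n "${1:-}" ]; then
        curl -sS -o /dev/null --connect-timeout 5 --proxy "$1" "https://$GRID_HOST:$GRID_PORT/"
    else
        curl -sS -o /dev/null --connect-timeout 5 "https://$GRID_HOST:$GRID_PORT/"
    fi
    rc=$?
    explain_curl_rc "$rc"
    return "$rc"
}

preflight() {
    m=$(missing_packages curl lsof sudo)
    [ -z "$m" ] || { echo "missing packages: $m"; return 1; }
    # HALO_PROXY is a hypothetical variable used only by this example.
    check_grid "${HALO_PROXY:-}"
}

# Run only when asked, so the functions can be sourced without network access.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` on the Docker host and again inside a container built from the image, since the two can have different DNS and egress rules.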