XDR Podman Quadlets for User Session: Enhanced Container Security#

This guide demonstrates how to deploy XDR (Extended Detection and Response) agents as Podman Quadlets in user sessions, providing rootless container-based security monitoring with seamless systemd integration. This approach enhances security by running XDR agents without root privileges while maintaining full monitoring capabilities.

Overview#

Podman Quadlets represent a modern approach to container management, combining the security benefits of rootless containers with the reliability of systemd service management. When applied to XDR deployment, this creates a robust security monitoring solution that:

Runs without root privileges (enhanced security)
Integrates with systemd for automatic startup and management
Provides isolated execution environments
Enables easy updates and maintenance
Scales across multiple user sessions

Prerequisites#

System Requirements#

Operating System: Linux with systemd 250+ (RHEL 9, Ubuntu 22.04, Fedora 36+)
Podman: Version 4.4+ with quadlet support
User Account: Regular user account (non-root)
XDR Agent: Container image for your XDR solution

Initial Setup#

1
# Verify Podman version
2
podman --version
3

4
# Check systemd user instance
5
systemctl --user status
6

7
# Enable lingering for user (allows services to run without login)
8
sudo loginctl enable-linger $USER
9

10
# Create quadlet directory structure
11
mkdir -p ~/.config/containers/systemd/

Understanding Quadlets#

Quadlets are systemd unit files that define how Podman containers should run. They’re automatically converted to proper systemd services by the podman-systemd-generator.

Key Benefits#

Declarative Configuration: Define containers as systemd units
Automatic Management: Systemd handles lifecycle, restarts, and dependencies
User Session Support: Run containers in user context without root
Native Integration: Leverage systemd features like timers and dependencies

XDR Agent Quadlet Configuration#

Basic XDR Container Quadlet#

Create ~/.config/containers/systemd/xdr-agent.container:

1
[Unit]
2
Description=XDR Security Agent
3
Documentation=https://docs.example.com/xdr-agent
4
Wants=network-online.target
5
After=network-online.target
6
StartLimitIntervalSec=60
7
StartLimitBurst=3
8

9
[Container]
10
# Container image
11
Image=registry.example.com/security/xdr-agent:latest
12
ContainerName=xdr-agent
13

14
# Security options
15
SecurityLabelDisable=false
16
ReadOnly=true
17
NoNewPrivileges=true
18

19
# Resource limits
20
CpuLimit=2
21
MemoryLimit=2G
22
MemoryReservation=1G
23

24
# Environment variables
25
Environment="XDR_SERVER=xdr.example.com"
26
Environment="XDR_PORT=8443"
27
Environment="LOG_LEVEL=info"
28
EnvironmentFile=/home/%u/.config/xdr/agent.env
29

30
# Volume mounts
31
Volume=/home/%u/.config/xdr/certs:/etc/xdr/certs:ro,Z
32
Volume=/var/log/journal:/var/log/journal:ro
33
Volume=/proc:/host/proc:ro
34
Volume=/sys:/host/sys:ro
35
Volume=/etc/os-release:/host/etc/os-release:ro
36

37
# Tmpfs for temporary data
38
Tmpfs=/tmp:size=512M,mode=1777
39
Tmpfs=/var/tmp:size=512M,mode=1777
40

41
# Network configuration
42
Network=host
43
Hostname=xdr-%H
44

45
# Health check
46
HealthCmd="/usr/bin/xdr-agent healthcheck"
47
HealthInterval=30s
48
HealthRetries=3
49
HealthTimeout=10s
50
HealthStartPeriod=60s
51

52
# Labels for management
53
Label="io.containers.autoupdate=registry"
54
Label="com.example.component=security"
55
Label="com.example.managed-by=quadlet"
56

57
[Service]
58
# Restart policy
59
Restart=always
60
RestartSec=30
61

62
# Systemd integration
63
Type=notify
64
NotifyAccess=all
65

66
# Security hardening
67
PrivateTmp=yes
68
ProtectSystem=strict
69
ProtectHome=read-only
70
ProtectKernelTunables=yes
71
ProtectKernelModules=yes
72
ProtectControlGroups=yes
73
RestrictRealtime=yes
74
RestrictSUIDSGID=yes
75
LockPersonality=yes
76

77
# Timeouts
78
TimeoutStartSec=120
79
TimeoutStopSec=30
80

81
[Install]
82
WantedBy=default.target

Advanced XDR Configuration with Secrets#

Create ~/.config/containers/systemd/xdr-agent-advanced.container:

1
[Unit]
2
Description=Advanced XDR Security Agent with Secret Management
3
Documentation=https://docs.example.com/xdr-agent
4
Requires=podman-secret-xdr-token.service
5
After=podman-secret-xdr-token.service
6

7
[Container]
8
Image=registry.example.com/security/xdr-agent:latest
9
ContainerName=xdr-agent-advanced
10

11
# Pull policy
12
Pull=newer
13
PullRetryCount=3
14
PullRetryDelay=10s
15

16
# User and group mapping
17
UserNS=keep-id
18
User=1000
19
Group=1000
20

21
# Capabilities (minimal required set)
22
DropCapability=all
23
AddCapability=CAP_SYS_PTRACE,CAP_DAC_READ_SEARCH,CAP_NET_RAW
24

25
# Secret management
26
Secret=xdr-token,type=env,target=XDR_AUTH_TOKEN
27
Secret=xdr-cert,type=mount,target=/etc/xdr/cert.pem
28
Secret=xdr-key,type=mount,target=/etc/xdr/key.pem,mode=0600
29

30
# Advanced volumes with specific options
31
Volume=/home/%u/.config/xdr/config.yaml:/etc/xdr/config.yaml:ro,Z
32
Volume=xdr-data:/var/lib/xdr:Z
33
Volume=/run/user/%U/podman/podman.sock:/var/run/docker.sock:ro
34

35
# Environment with interpolation
36
Environment="HOSTNAME=%H"
37
Environment="XDR_NODE_ID=%H-%u"
38
Environment="XDR_CLUSTER_NAME=production"
39

40
# Entrypoint override
41
Entrypoint=/usr/bin/xdr-agent
42
Cmd="--config=/etc/xdr/config.yaml" "--node-id=$XDR_NODE_ID"
43

44
# Logging configuration
45
LogDriver=journald
46
LogOpt="tag=xdr-agent"
47
LogOpt="labels=com.example.component"
48

49
[Service]
50
Type=notify
51
Restart=on-failure
52
RestartSec=30
53
RestartPreventExitStatus=0 2
54

55
# Dependency ordering
56
RequiresMountsFor=/home/%u/.config/xdr
57

58
# Resource accounting
59
CPUAccounting=yes
60
MemoryAccounting=yes
61
TasksAccounting=yes
62
IOAccounting=yes
63

64
# Watchdog
65
WatchdogSec=60
66

67
[Install]
68
WantedBy=default.target

Supporting Services#

Secret Creation Service#

Create ~/.config/containers/systemd/podman-secret-xdr-token.service:

1
[Unit]
2
Description=Create Podman Secret for XDR Token
3
ConditionPathExists=!/run/user/%U/containers/secrets/xdr-token
4
Before=xdr-agent-advanced.service
5

6
[Service]
7
Type=oneshot
8
RemainAfterExit=yes
9
ExecStart=/bin/bash -c 'podman secret create xdr-token /home/%u/.config/xdr/token'
10
ExecStop=podman secret rm xdr-token
11

12
[Install]
13
WantedBy=default.target

Auto-Update Timer#

Create ~/.config/containers/systemd/podman-auto-update-xdr.timer:

1
[Unit]
2
Description=Auto-update XDR containers
3
Documentation=man:podman-auto-update(1)
4

5
[Timer]
6
OnCalendar=daily
7
RandomizedDelaySec=900
8
Persistent=true
9

10
[Install]
11
WantedBy=timers.target

Create ~/.config/containers/systemd/podman-auto-update-xdr.service:

1
[Unit]
2
Description=Auto-update XDR containers
3
Documentation=man:podman-auto-update(1)
4
Wants=network-online.target
5
After=network-online.target
6

7
[Service]
8
Type=oneshot
9
ExecStart=/usr/bin/podman auto-update --label "io.containers.autoupdate=registry"
10
ExecStartPost=/usr/bin/systemctl --user try-restart xdr-agent.service
11

12
[Install]
13
WantedBy=default.target

Configuration Files#

XDR Agent Configuration#

Create ~/.config/xdr/config.yaml:

1
# XDR Agent Configuration
2
version: 2
3

4
agent:
5
  id: ${XDR_NODE_ID}
6
  name: ${HOSTNAME}-xdr
7
  type: endpoint
8

9
server:
10
  url: https://${XDR_SERVER}:${XDR_PORT}
11
  tls:
12
    cert: /etc/xdr/cert.pem
13
    key: /etc/xdr/key.pem
14
    ca: /etc/xdr/ca.pem
15
    verify: true
16

17
collectors:
18
  system:
19
    enabled: true
20
    interval: 60s
21
    metrics:
22
      - cpu
23
      - memory
24
      - disk
25
      - network
26

27
  process:
28
    enabled: true
29
    interval: 30s
30
    include_cmdline: true
31

32
  file_integrity:
33
    enabled: true
34
    paths:
35
      - /etc
36
      - /usr/bin
37
      - /usr/sbin
38
      - /home/%u/.ssh
39
    exclude:
40
      - "*.log"
41
      - "*.tmp"
42

43
  network:
44
    enabled: true
45
    capture_packets: false
46
    connection_tracking: true
47

48
  container:
49
    enabled: true
50
    runtime: podman
51
    socket: /var/run/docker.sock
52

53
logging:
54
  level: ${LOG_LEVEL}
55
  format: json
56
  outputs:
57
    - type: file
58
      path: /var/lib/xdr/agent.log
59
      rotate:
60
        max_size: 100M
61
        max_age: 7d
62
        max_backups: 5
63
    - type: syslog
64
      facility: local0
65
      tag: xdr-agent
66

67
response:
68
  enabled: true
69
  actions:
70
    - quarantine
71
    - kill_process
72
    - block_network
73
  require_approval: true
74

75
performance:
76
  max_cpu_percent: 20
77
  max_memory_mb: 2048
78
  rate_limit:
79
    events_per_second: 1000
80
    burst: 5000

Environment File#

Create ~/.config/xdr/agent.env:

1
# XDR Agent Environment Variables
2
# This file should be protected with appropriate permissions
3

4
# Server Configuration
5
XDR_SERVER=xdr.example.com
6
XDR_PORT=8443
7

8
# Agent Settings
9
XDR_DEPLOYMENT_TYPE=production
10
XDR_REGION=us-east-1
11
XDR_TENANT_ID=tenant-123
12

13
# Features
14
XDR_FEATURE_EDR=true
15
XDR_FEATURE_DLP=false
16
XDR_FEATURE_COMPLIANCE=true
17

18
# Performance Tuning
19
XDR_WORKER_THREADS=4
20
XDR_BUFFER_SIZE=65536
21
XDR_BATCH_SIZE=100
22

23
# Logging
24
LOG_LEVEL=info
25
LOG_FORMAT=json

Deployment Process#

Initial Deployment#

1
#!/bin/bash
2
# deploy-xdr.sh - XDR Deployment Script
3

4
set -euo pipefail
5

6
XDR_USER="${USER}"
7
XDR_HOME="/home/${XDR_USER}"
8
XDR_CONFIG="${XDR_HOME}/.config/xdr"
9

10
echo "Deploying XDR Agent for user: ${XDR_USER}"
11

12
# Create directories
13
echo "Creating configuration directories..."
14
mkdir -p "${XDR_CONFIG}/certs"
15
mkdir -p "${XDR_HOME}/.config/containers/systemd"
16

17
# Set permissions
18
chmod 700 "${XDR_CONFIG}"
19
chmod 700 "${XDR_CONFIG}/certs"
20

21
# Generate or copy certificates
22
echo "Setting up certificates..."
23
# Copy your certificates to ${XDR_CONFIG}/certs/
24
# Ensure proper permissions (600 for keys, 644 for certs)
25

26
# Create secrets
27
echo "Creating secrets..."
28
if [ -f "${XDR_CONFIG}/token" ]; then
29
    podman secret create xdr-token "${XDR_CONFIG}/token" || true
30
fi
31

32
# Reload systemd
33
echo "Reloading systemd configuration..."
34
systemctl --user daemon-reload
35

36
# Enable and start services
37
echo "Enabling XDR services..."
38
systemctl --user enable --now podman-secret-xdr-token.service
39
systemctl --user enable --now xdr-agent.service
40
systemctl --user enable --now podman-auto-update-xdr.timer
41

42
# Verify deployment
43
echo "Verifying deployment..."
44
systemctl --user status xdr-agent.service --no-pager
45
podman ps --filter "name=xdr-agent"
46

47
echo "XDR Agent deployment complete!"

Health Monitoring Script#

Create ~/.local/bin/xdr-health-check.sh:

1
#!/bin/bash
2
# XDR Health Monitoring Script
3

4
set -euo pipefail
5

6
# Colors for output
7
RED='\033[0;31m'
8
GREEN='\033[0;32m'
9
YELLOW='\033[1;33m'
10
NC='\033[0m' # No Color
11

12
echo "XDR Agent Health Check"
13
echo "====================="
14

15
# Check service status
16
echo -n "Service Status: "
17
if systemctl --user is-active --quiet xdr-agent.service; then
18
    echo -e "${GREEN}ACTIVE${NC}"
19
else
20
    echo -e "${RED}INACTIVE${NC}"
21
    exit 1
22
fi
23

24
# Check container status
25
echo -n "Container Status: "
26
if podman ps --format "{{.Names}}" | grep -q "xdr-agent"; then
27
    echo -e "${GREEN}RUNNING${NC}"
28
else
29
    echo -e "${RED}NOT RUNNING${NC}"
30
    exit 1
31
fi
32

33
# Check container health
34
echo -n "Container Health: "
35
HEALTH=$(podman inspect xdr-agent --format '{{.State.Health.Status}}' 2>/dev/null || echo "unknown")
36
case $HEALTH in
37
    healthy)
38
        echo -e "${GREEN}HEALTHY${NC}"
39
        ;;
40
    starting)
41
        echo -e "${YELLOW}STARTING${NC}"
42
        ;;
43
    unhealthy)
44
        echo -e "${RED}UNHEALTHY${NC}"
45
        exit 1
46
        ;;
47
    *)
48
        echo -e "${YELLOW}UNKNOWN${NC}"
49
        ;;
50
esac
51

52
# Check resource usage
53
echo -e "\nResource Usage:"
54
podman stats --no-stream --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" xdr-agent
55

56
# Check recent logs for errors
57
echo -e "\nRecent Errors (last 10 minutes):"
58
journalctl --user -u xdr-agent.service --since "10 minutes ago" -p err --no-pager || echo "No errors found"
59

60
# Check auto-update status
61
echo -e "\nAuto-Update Status:"
62
systemctl --user status podman-auto-update-xdr.timer --no-pager | grep -E "Loaded:|Active:|Trigger:"
63

64
echo -e "\nHealth check complete!"

Troubleshooting#

Common Issues and Solutions#

Service Won’t Start#

1
# Check service status
2
systemctl --user status xdr-agent.service
3

4
# View detailed logs
5
journalctl --user -u xdr-agent.service -f
6

7
# Check quadlet generation
8
/usr/lib/systemd/system-generators/podman-system-generator --user --dryrun
9

10
# Verify quadlet syntax
11
systemd-analyze --user verify xdr-agent.service

Permission Issues#

1
# Fix SELinux contexts
2
restorecon -Rv ~/.config/xdr/
3

4
# Check volume permissions
5
podman unshare ls -la /var/lib/containers/storage/volumes/xdr-data/_data
6

7
# Reset user namespace
8
podman system migrate

Network Connectivity#

1
# Test from container
2
podman run --rm -it --network host \
3
    registry.example.com/security/xdr-agent:latest \
4
    curl -v https://xdr.example.com:8443/health
5

6
# Check firewall rules
7
firewall-cmd --list-all

Debug Mode#

Create ~/.config/containers/systemd/xdr-agent-debug.container for debugging:

1
[Unit]
2
Description=XDR Agent Debug Mode
3
Conflicts=xdr-agent.service
4

5
[Container]
6
Image=registry.example.com/security/xdr-agent:latest
7
ContainerName=xdr-agent-debug
8

9
# Debug settings
10
Environment="LOG_LEVEL=debug"
11
Environment="XDR_DEBUG=true"
12

13
# Interactive mode
14
Interactive=true
15
TTY=true
16

17
# Override entrypoint for debugging
18
Entrypoint=/bin/bash
19

20
# Mount source code for debugging (if available)
21
Volume=/home/%u/src/xdr-agent:/src:ro,Z
22

23
# Same mounts as production
24
Volume=/home/%u/.config/xdr/certs:/etc/xdr/certs:ro,Z
25
Volume=/var/log/journal:/var/log/journal:ro
26

27
[Service]
28
Type=simple
29
Restart=no
30

31
[Install]
32
WantedBy=default.target

Performance Optimization#

Resource Tuning#

Create ~/.config/containers/systemd/xdr-agent.resource:

1
[Unit]
2
Description=Resource limits for XDR Agent
3

4
[Slice]
5
# CPU allocation
6
CPUWeight=50
7
CPUQuota=200%
8

9
# Memory limits
10
MemoryMax=2G
11
MemoryHigh=1500M
12

13
# IO limits
14
IOWeight=50
15
IOReadBandwidthMax=/var/lib/containers 50M
16
IOWriteBandwidthMax=/var/lib/containers 20M
17

18
# Task limits
19
TasksMax=100

Monitoring Dashboard#

Create a monitoring script ~/.local/bin/xdr-monitor.sh:

1
#!/bin/bash
2
# Real-time XDR monitoring dashboard
3

4
watch -n 5 '
5
echo "=== XDR Agent Monitor ==="
6
echo
7
echo "Service Status:"
8
systemctl --user is-active xdr-agent.service
9
echo
10
echo "Container Stats:"
11
podman stats --no-stream xdr-agent
12
echo
13
echo "Recent Logs:"
14
journalctl --user -u xdr-agent.service -n 5 --no-pager
15
echo
16
echo "Network Connections:"
17
podman exec xdr-agent ss -tunap 2>/dev/null | head -10
18
'

Security Best Practices#

1. Rootless Operation#

Always run XDR agents in user sessions when possible
Use loginctl enable-linger for persistent monitoring
Avoid privileged containers unless absolutely necessary

2. Secret Management#

1
# Use Podman secrets for sensitive data
2
podman secret create xdr-api-key api-key.txt
3
rm api-key.txt
4

5
# Rotate secrets regularly
6
podman secret rm xdr-api-key
7
podman secret create xdr-api-key new-api-key.txt

3. Network Isolation#

1
# For enhanced security, use custom networks
2
[Container]
3
Network=xdr-network
4
IP=10.88.0.10

4. Audit Logging#

1
# Enable audit logging for XDR activities
2
auditctl -w /home/$USER/.config/xdr/ -p wa -k xdr_config_change
3
auditctl -w /var/lib/containers/storage/volumes/xdr-data/ -p wa -k xdr_data_access

Integration with XDR Platforms#

Wazuh Integration#

1
# Add to config.yaml for Wazuh XDR
2
integrations:
3
  wazuh:
4
    enabled: true
5
    manager: wazuh.example.com
6
    port: 1514
7
    protocol: tcp
8
    agent_name: ${HOSTNAME}-podman
9
    groups:
10
      - linux
11
      - containers
12
      - xdr

Elastic Security Integration#

1
# Add to config.yaml for Elastic
2
integrations:
3
  elastic:
4
    enabled: true
5
    hosts:
6
      - https://elastic1.example.com:9200
7
      - https://elastic2.example.com:9200
8
    username: xdr_agent
9
    api_key: ${ELASTIC_API_KEY}
10
    index: xdr-events

Conclusion#

Deploying XDR agents as Podman Quadlets in user sessions provides a secure, maintainable, and scalable approach to endpoint security monitoring. This configuration offers:

Enhanced Security: Rootless containers with minimal privileges
Operational Excellence: Systemd integration for reliability
Easy Management: Declarative configuration and automatic updates
Flexible Deployment: Adaptable to various XDR platforms

By following this guide, organizations can implement enterprise-grade security monitoring while adhering to the principle of least privilege and modern container best practices.