Hardening Alpine and Debian image (#3)

.buildkite/scripts/harden_images.sh

@@ -5,5 +5,5 @@ set -uexo pipefail
 for dockerfile in images/Dockerfile.*
 do
 	echo "Hardening: $dockerfile"
-	docker build . -f "$dockerfile" --tag "${dockerfile:18}-hardened"
+	DOCKER_BUILDKIT=0 docker build . -f "$dockerfile" --no-cache --tag "${dockerfile:18}-hardened"
 done

images/Dockerfile.openjdk11

@@ -1,4 +1,5 @@
 FROM openjdk:11.0.11-jdk
 
-ADD scripts/ubuntu.sh /usr/scripts/
-RUN /usr/scripts/ubuntu.sh
+ADD scripts/* /usr/scripts/
+ADD scripts/compliance/* /usr/scripts/compliance/
+RUN /usr/scripts/debian.sh

images/Dockerfile.openjdk11-alpine

@@ -0,0 +1,5 @@
+FROM openjdk:11.0.11-jdk
+
+ADD scripts/* /usr/scripts/
+ADD scripts/compliance/* /usr/scripts/compliance/
+RUN /usr/scripts/alpine.sh

scripts/alpine.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+SCRIPTS_PATH=$(dirname "$0")
+# shellcheck disable=SC1090,SC1091
+source "${SCRIPTS_PATH}/formatting.sh"
+
+echo "${BOLD}Applying compliance requirements${NORMAL}"
+"${SCRIPTS_PATH}"/compliance.sh
+
+echo "${BOLD}Completed${NORMAL}"
+
+rm -- "$0"

scripts/compliance.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eo pipefail
+
+function removeResources {
+  local COUNT=0
+  echo "Checking resources defined in ${BOLD}${1}${NORMAL}"
+  while IFS="" read -r RESOURCE || [ -n "${RESOURCE}" ]
+  do
+    if [[ -f "${RESOURCE}" ]]; then
+      echo -e "${2} ${BOLD}${RESOURCE}${NORMAL} found. ${GREEN}Removing...${NC}"
+      rm -fR "${RESOURCE}"
+      ((COUNT=COUNT+1))
+    fi
+  done < "${1}"
+  echo "${BOLD}${COUNT}${NORMAL} problems found and removed"
+}
+echo "Running ${BOLD}compliance${NORMAL} script"
+
+SCRIPTS_PATH=$(dirname "$0")
+
+# shellcheck disable=SC1090,SC1091
+source "${SCRIPTS_PATH}/formatting.sh"
+
+COMPLIANCE_PATH="${SCRIPTS_PATH}/compliance"
+
+removeResources "${COMPLIANCE_PATH}/prohibited.txt" "${RED}Problem!${NC}"
+removeResources "${COMPLIANCE_PATH}/warnings.txt" "${YELLOW}Warning!${NC}"
+
+echo "${BOLD}Compliance${NORMAL} script completed"

scripts/compliance/prohibited.txt

@@ -0,0 +1,19 @@
+/etc/crontabs
+/etc/fstab
+/etc/inittab
+/etc/krb5.conf
+/etc/logrotate.d
+/etc/modprobe.d
+/etc/modules-load.d
+/etc/periodic
+/etc/runlevels
+/etc/securetty
+/etc/sysctl.conf
+/etc/sysctl.d
+/media
+/mnt
+/mount
+/sbin/apk
+/srv
+/var/cache
+/var/spool/cron

scripts/compliance/warnings.txt

@@ -0,0 +1,11 @@
+/bin/bash
+/bin/csh
+/bin/dash
+/bin/od
+/bin/sh
+/etc/passwd-
+/etc/shadow-
+/usr/bin/od
+/usr/bin/zsh
+/usr/bin/hexdump
+/usr/bin/strings

scripts/debian.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+SCRIPTS_PATH=$(dirname "$0")
+# shellcheck disable=SC1090,SC1091
+source "${SCRIPTS_PATH}/formatting.sh"
+
+echo "${BOLD}Updating apt${NORMAL}"
+yes y | apt-get update
+yes y | apt-get upgrade
+
+echo "${BOLD}Applying compliance requirements${NORMAL}"
+"${SCRIPTS_PATH}"/compliance.sh
+
+echo "${BOLD}Completed${NORMAL}"
+
+rm -- "$0"

scripts/formatting.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+export TERM=xterm-256color
+BOLD=$(tput bold)
+export BOLD
+NORMAL=$(tput sgr0)
+export NORMAL
+export RED='\033[0;31m'
+export GREEN='\033[0;32m'
+export YELLOW='\033[0;33m'
+export NC='\033[0m' # No Color