From a55c0d2655a3069bd5c18639d982a6476d190ed7 Mon Sep 17 00:00:00 2001
From: Sebastian Gil
Date: Thu, 6 May 2021 19:54:11 +1000
Subject: [PATCH] Hardening Alpine and Debian image (#3)
---
 .buildkite/scripts/harden_images.sh | 2 +-
 images/Dockerfile.openjdk11 | 5 ++--
 images/Dockerfile.openjdk11-alpine | 5 ++++
 scripts/alpine.sh | 12 +++++++++
 scripts/compliance.sh | 30 +++++++++++++++++++++
 scripts/compliance/prohibited.txt | 19 +++++++++++++
 scripts/compliance/warnings.txt | 11 ++++++++
 scripts/debian.sh | 16 +++++++++++
 scripts/formatting.sh | 11 ++++++++
 scripts/ubuntu.sh | 41 -----------------------------
 10 files changed, 108 insertions(+), 44 deletions(-)
 create mode 100644 images/Dockerfile.openjdk11-alpine
 create mode 100644 scripts/alpine.sh
 create mode 100644 scripts/compliance.sh
 create mode 100644 scripts/compliance/prohibited.txt
 create mode 100644 scripts/compliance/warnings.txt
 create mode 100644 scripts/debian.sh
 create mode 100644 scripts/formatting.sh
 delete mode 100644 scripts/ubuntu.sh
diff --git a/.buildkite/scripts/harden_images.sh b/.buildkite/scripts/harden_images.sh
index 626b8b4..05cd850 100644
--- a/.buildkite/scripts/harden_images.sh
+++ b/.buildkite/scripts/harden_images.sh
@@ -5,5 +5,5 @@ set -uexo pipefail
 for dockerfile in images/Dockerfile.*
 do
 echo "Hardening: $dockerfile"
- docker build . -f "$dockerfile" --tag "${dockerfile:18}-hardened"
+ DOCKER_BUILDKIT=0 docker build . -f "$dockerfile" --no-cache --tag "${dockerfile:18}-hardened"
 done
\ No newline at end of file
diff --git a/images/Dockerfile.openjdk11 b/images/Dockerfile.openjdk11
index 91b138e..63d8b67 100644
--- a/images/Dockerfile.openjdk11
+++ b/images/Dockerfile.openjdk11
@@ -1,4 +1,5 @@
 FROM openjdk:11.0.11-jdk
-ADD scripts/ubuntu.sh /usr/scripts/
-RUN /usr/scripts/ubuntu.sh
+ADD scripts/* /usr/scripts/
+ADD scripts/compliance/* /usr/scripts/compliance/
+RUN /usr/scripts/debian.sh
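Review bot: The `${dockerfile:18}` tag derivation on the changed `docker build` line depends on the literal length of `images/Dockerfile.` and will silently produce a wrong tag if the directory or prefix is ever renamed; `--tag "${dockerfile#images/Dockerfile.}-hardened"` states the intent directly. The two new flags also need a why-comment, because `--no-cache` is what keeps the package-upgrade step inside the hardening scripts from being served from a stale layer, and the reason for `DOCKER_BUILDKIT=0` is not visible anywhere in the patch; something like `# --no-cache: the upgrade step must run fresh on every build; DOCKER_BUILDKIT=0: <reason>` above the loop. With the legacy builder the whole build context is shipped to the daemon, so the repository should carry a .dockerignore if it does not already.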
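Review bot: `ADD scripts/* /usr/scripts/` and `ADD scripts/compliance/* …` use `ADD` for plain local files; `COPY` is the conventional instruction here (hadolint DL3020) and avoids ADD's archive-extraction and URL semantics. Because those copies are their own layers, the `rm -- "$0"` at the end of debian.sh only hides the script in the final layer — debian.sh, compliance.sh, formatting.sh and both list files remain in the image's lower layers, which is harmless for non-secret scripts but worth a `# scripts stay in the ADD layer; never copy credentials this way` comment. The scripts are committed as mode 100644 (see the diffstat), so `RUN /usr/scripts/debian.sh` relies on the build context having the execute bit set; `RUN bash /usr/scripts/debian.sh` or `COPY --chmod=0755` would not depend on that — confirm against the CI checkout. The image still ends as root with no `USER` instruction, which this hardening does not address.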
diff --git a/images/Dockerfile.openjdk11-alpine b/images/Dockerfile.openjdk11-alpine
new file mode 100644
index 0000000..c7a1f3c
--- /dev/null
+++ b/images/Dockerfile.openjdk11-alpine
@@ -0,0 +1,5 @@
+FROM openjdk:11.0.11-jdk
+
+ADD scripts/* /usr/scripts/
+ADD scripts/compliance/* /usr/scripts/compliance/
+RUN /usr/scripts/alpine.sh
diff --git a/scripts/alpine.sh b/scripts/alpine.sh
new file mode 100644
index 0000000..e8431b9
--- /dev/null
+++ b/scripts/alpine.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+SCRIPTS_PATH=$(dirname "$0")
+# shellcheck disable=SC1090,SC1091
+source "${SCRIPTS_PATH}/formatting.sh"
+
+echo "${BOLD}Applying compliance requirements${NORMAL}"
+"${SCRIPTS_PATH}"/compliance.sh
+
+echo "${BOLD}Completed${NORMAL}"
+
+rm -- "$0"
\ No newline at end of file
diff --git a/scripts/compliance.sh b/scripts/compliance.sh
new file mode 100644
index 0000000..b6182e3
--- /dev/null
+++ b/scripts/compliance.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eo pipefail
+
+function removeResources {
+ local COUNT=0
+ echo "Checking resources defined in ${BOLD}${1}${NORMAL}"
+ while IFS="" read -r RESOURCE || [ -n "${RESOURCE}" ]
+ do
+ if [[ -f "${RESOURCE}" ]]; then
+ echo -e "${2} ${BOLD}${RESOURCE}${NORMAL} found. ${GREEN}Removing...${NC}"
+ rm -fR "${RESOURCE}"
+ ((COUNT=COUNT+1))
+ fi
+ done < "${1}"
+ echo "${BOLD}${COUNT}${NORMAL} problems found and removed"
+}
+echo "Running ${BOLD}compliance${NORMAL} script"
+
+SCRIPTS_PATH=$(dirname "$0")
+
+# shellcheck disable=SC1090,SC1091
+source "${SCRIPTS_PATH}/formatting.sh"
+
+COMPLIANCE_PATH="${SCRIPTS_PATH}/compliance"
+
+removeResources "${COMPLIANCE_PATH}/prohibited.txt" "${RED}Problem!${NC}"
+removeResources "${COMPLIANCE_PATH}/warnings.txt" "${YELLOW}Warning!${NC}"
+
+echo "${BOLD}Compliance${NORMAL} script completed"
diff --git a/scripts/compliance/prohibited.txt b/scripts/compliance/prohibited.txt
new file mode 100644
index 0000000..837b8e8
--- /dev/null
+++ b/scripts/compliance/prohibited.txt
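Review bot: The `FROM openjdk:11.0.11-jdk` line is the same tag Dockerfile.openjdk11 uses, so this `-alpine` Dockerfile is not Alpine-based at all (as far as I know that tag resolves to the Debian-based build and the 11 GA line has no Alpine variant — confirm). The result is a second Debian image that never gets a package upgrade, because alpine.sh has no upgrade step, while the `/sbin/apk` entry in prohibited.txt is a no-op on it; alpine.sh's `#!/bin/bash` shebang would also not resolve on a real Alpine base without installing bash. Either pin an actual Alpine-based tag by digest, e.g. `FROM <alpine-based-jdk-image>@sha256:…`, or drop this Dockerfile until one exists, and add a comment naming the distro the base tag actually is.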
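Review bot: alpine.sh has no `set -e`, so if `compliance.sh` fails the script still prints `Completed`, deletes itself and the build succeeds with an un-hardened image — the deleted ubuntu.sh had `set -xe`. It also never refreshes packages, unlike debian.sh, so CVE fixes in the base are not picked up. I would add `set -euo pipefail` after the shebang and `apk upgrade --no-cache` before the compliance step (apk is removed by prohibited.txt afterwards, so the order matters). Since Alpine does not ship bash by default, the shebang should be `#!/bin/sh` with `.` instead of `source` if this is ever run on a real Alpine base.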
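Review bot: `[[ -f "${RESOURCE}" ]]` in removeResources is true only for regular files, so every directory in prohibited.txt (`/etc/logrotate.d`, `/etc/sysctl.d`, `/var/cache`, `/media`, `/mnt`, `/srv`, `/var/spool/cron`, …) is silently skipped even though the `rm -fR` was clearly written for them; the deleted ubuntu.sh removed those paths unconditionally, so this is a hardening regression hidden behind a "0 problems found" message. Change the test to `if [[ -e "${RESOURCE}" || -L "${RESOURCE}" ]]; then` so directories and dangling symlinks are caught. A comment above the two calls should also state that the second argument only changes the log prefix, e.g. `# NOTE: entries in both lists are deleted; "warning" only changes the label`, since the file names suggest otherwise.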
@@ -0,0 +1,19 @@
+/etc/crontabs
+/etc/fstab
+/etc/inittab
+/etc/krb5.conf
+/etc/logrotate.d
+/etc/modprobe.d
+/etc/modules-load.d
+/etc/periodic
+/etc/runlevels
+/etc/securetty
+/etc/sysctl.conf
+/etc/sysctl.d
+/media
+/mnt
+/mount
+/sbin/apk
+/srv
+/var/cache
+/var/spool/cron
diff --git a/scripts/compliance/warnings.txt b/scripts/compliance/warnings.txt
new file mode 100644
index 0000000..9bb3c1c
--- /dev/null
+++ b/scripts/compliance/warnings.txt
@@ -0,0 +1,11 @@
+/bin/bash
+/bin/csh
+/bin/dash
+/bin/od
+/bin/sh
+/etc/passwd-
+/etc/shadow-
+/usr/bin/od
+/usr/bin/zsh
+/usr/bin/hexdump
+/usr/bin/strings
diff --git a/scripts/debian.sh b/scripts/debian.sh
new file mode 100644
index 0000000..2c94e94
--- /dev/null
+++ b/scripts/debian.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+SCRIPTS_PATH=$(dirname "$0")
+# shellcheck disable=SC1090,SC1091
+source "${SCRIPTS_PATH}/formatting.sh"
+
+echo "${BOLD}Updating apt${NORMAL}"
+yes y | apt-get update
+yes y | apt-get upgrade
+
+echo "${BOLD}Applying compliance requirements${NORMAL}"
+"${SCRIPTS_PATH}"/compliance.sh
+
+echo "${BOLD}Completed${NORMAL}"
+
+rm -- "$0"
\ No newline at end of file
diff --git a/scripts/formatting.sh b/scripts/formatting.sh
new file mode 100644
index 0000000..97a9a25
--- /dev/null
+++ b/scripts/formatting.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+export TERM=xterm-256color
+BOLD=$(tput bold)
+export BOLD
+NORMAL=$(tput sgr0)
+export NORMAL
+export RED='\033[0;31m'
+export GREEN='\033[0;32m'
+export YELLOW='\033[0;33m'
+export NC='\033[0m' # No Color
\ No newline at end of file
diff --git a/scripts/ubuntu.sh b/scripts/ubuntu.sh
deleted file mode 100644
index 4820369..0000000
--- a/scripts/ubuntu.sh
+++ /dev/null
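Review bot: Compared with the deleted ubuntu.sh, neither this list nor warnings.txt carries the setuid/setgid binaries (`/bin/su`, `/bin/mount`, `/bin/umount`, `/bin/ping*`, `/usr/bin/passwd`, `/usr/bin/chsh`, `/usr/bin/chfn`, `/usr/bin/gpasswd`, `/usr/bin/newgrp`, `/usr/bin/sg`) nor `/etc/ssh`, `/usr/bin/ssh` and `/usr/lib/openssh/ssh-keysign`, so the Debian image loses that privilege-escalation surface reduction in this commit. Those entries carry the most security value of anything in the old script; if dropping them is intentional the commit message should say so, otherwise they belong in this file. The list strips `/sbin/apk` but not `/usr/bin/apt-get` or `/usr/bin/dpkg`, so the package manager is only removed on one distro. `/mount` looks like it may be a typo for `/bin/mount` — worth checking.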
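Review bot: `/bin/sh`, `/bin/bash` and `/bin/dash` in this list are deleted by compliance.sh, not merely reported, which leaves the hardened image with no shell: any downstream `FROM …-hardened` image that uses a shell-form `RUN`, `CMD` or `ENTRYPOINT` will fail, and the base image's own entrypoint has to be exec-form. That may well be the intent, but it should be stated at the top of this file and in the commit message (a leading `# …` line appears harmless, since compliance.sh only tests whether each line names an existing path). The bash process running compliance.sh survives deleting its own binary only because it is already loaded, which is also worth a sentence so nobody reorders the lists and breaks the build.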
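Review bot: debian.sh drops the `set -xe` the deleted ubuntu.sh had, so a failed `apt-get update`, `apt-get upgrade` or compliance.sh no longer fails the build and the image is tagged `-hardened` without the upgrade having run. `yes y |` is also a fragile stand-in for `apt-get -y` under `DEBIAN_FRONTEND=noninteractive` (and would trip `pipefail` once that is enabled), and the apt lists are left in the image. I would rewrite the package step as below; the compliance call and the self-removal are unchanged.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: SCRIPTS_PATH and formatting.sh source …

echo "${BOLD}Updating apt${NORMAL}"
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get -y upgrade
rm -rf /var/lib/apt/lists/*
# … unchanged: compliance step and rm -- "$0" …
```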
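Review bot: `BOLD=$(tput bold)` and `NORMAL=$(tput sgr0)` make every script that sources this file depend on the `tput` binary and a terminfo entry for `xterm-256color`; compliance.sh sources it under `set -e`, so on a base that lacks ncurses (a real Alpine image typically does, and a slimmed Debian may) the hardening would abort before removing anything rather than just lose its formatting. Make the lookups best-effort: `BOLD=$(tput bold 2>/dev/null || true)` and `NORMAL=$(tput sgr0 2>/dev/null || true)`. Mixing tput-derived BOLD/NORMAL with literal `\033` colour strings that only render through `echo -e` is a minor inconsistency that deserves a comment at the top of the file.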
@@ -1,41 +0,0 @@
-#!/bin/bash
-set -xe
-
-yes y | apt-get update
-yes y | apt-get upgrade
-rm -rf \
- /etc/fstab \
- /etc/logrotate.d \
- /etc/securetty \
- /etc/sysctl.conf \
- /etc/sysctl.d \
- /var/cache \
- /media \
- /mnt \
- /srv \
- /etc/shadow- \
- /etc/passwd- \
- /usr/bin/od \
- /bin/bash \
- /bin/dash \
- /bin/mount \
- /bin/ping \
- /bin/ping4 \
- /bin/ping6 \
- /bin/su \
- /bin/umount \
- /usr/bin/chfn \
- /usr/bin/chsh \
- /usr/bin/gpasswd \
- /usr/bin/newgrp \
- /usr/bin/passwd \
- /usr/bin/sg \
- /usr/lib/openssh/ssh-keysign \
- /etc/ssh \
- /usr/bin/ssh \
- /usr/lib/apt/methods/rsh \
- /var/lib/dpkg/alternatives/rsh
-
-echo "Completed."
-
-rm -- "$0"
\ No newline at end of file