Last active
February 18, 2019 13:15
-
-
Save joxz/4526d310636bf3ca9b00337a6105daa5 to your computer and use it in GitHub Desktop.
alpine hardening script for docker containers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
# Credits: | |
# https://github.com/ellerbrock/docker-collection/blob/master/dockerfiles/alpine-harden/harden.sh | |
# https://github.com/HazCod/hardened-alpine/blob/master/Dockerfile | |
set -euxo pipefail | |
# Remove existing crontabs, if any. | |
rm -rf /var/spool/cron | |
rm -rf /etc/crontabs | |
rm -rf /etc/periodic | |
# Remove all but a handful of admin commands. | |
find /sbin /usr/sbin ! -type d \ | |
-a ! -name nologin \ | |
-a ! -name sshd \ | |
-a ! -name apk \ | |
-a ! -name adduser \ | |
-delete | |
# Remove world-writable permissions. | |
# This breaks apps that need to write to /tmp, | |
# such as ssh-agent. | |
find / -xdev -type d -perm +0002 -exec chmod o-w {} + | |
find / -xdev -type f -perm +0002 -exec chmod o-w {} + | |
# Remove unnecessary user accounts. | |
# check if $APP_USER is set | |
if [ -z "$APP_USER" ] | |
then | |
sed -i -r "/^(root|sshd)/!d" /etc/group | |
sed -i -r "/^(root|sshd)/!d" /etc/passwd | |
sed -i -r "/^(root|nobody)/!d" /etc/shadow | |
else | |
sed -i -r "/^(${APP_USER}|root|sshd)/!d" /etc/group | |
sed -i -r "/^(${APP_USER}|root|sshd)/!d" /etc/passwd | |
sed -i -r "/^(${APP_USER}|root|nobody)/!d" /etc/shadow | |
# Remove interactive login shell for everybody but user. | |
sed -i -r '/^'${APP_USER}':/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd | |
# Remove root home dir | |
rm -rf /root | |
fi | |
# Disable password login for everybody | |
while IFS=: read -r username _; do passwd -l "$username"; done < /etc/passwd || true | |
# Remove temp shadow,passwd,group | |
find /bin /etc /lib /sbin /usr -xdev -type f -regex '.*-$' -exec rm -f {} + | |
# Ensure system dirs are owned by root and not writable by anybody else. | |
find /bin /etc /lib /sbin /usr -xdev -type d \ | |
-exec chown root:root {} \; \ | |
-exec chmod 0755 {} \; | |
sysdirs=" | |
/bin | |
/etc | |
/lib | |
/sbin | |
/usr | |
" | |
# Remove other programs that could be dangerous. | |
find $sysdirs -xdev \( \ | |
-name hexdump -o \ | |
-name chgrp -o \ | |
-name chmod -o \ | |
-name chown -o \ | |
-name od -o \ | |
-name strings -o \ | |
-name su \ | |
\) -delete | |
# Remove init scripts since we do not use them. | |
rm -rf /etc/init.d | |
rm -rf /lib/rc | |
rm -rf /etc/conf.d | |
rm -rf /etc/inittab | |
rm -rf /etc/runlevels | |
rm -rf /etc/rc.conf | |
# Remove kernel tunables since we do not need them. | |
rm -rf /etc/sysctl* | |
rm -rf /etc/modprobe.d | |
rm -rf /etc/modules | |
rm -rf /etc/mdev.conf | |
rm -rf /etc/acpi | |
# Remove fstab | |
rm -f /etc/fstab | |
# Remove any symlinks that we broke during previous steps | |
find /bin /etc /lib /sbin /usr -xdev -type l -exec test ! -e {} \; -delete | |
# remove this file | |
rm -f "$0" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
set -euxo pipefail | |
# remove adduser | |
rm -f /usr/sbin/adduser | |
# remove apk package manager | |
find / -type f -iname '*apk*' -xdev -delete | |
find / -type d -iname '*apk*' -print0 -xdev | xargs -0 rm -r -- | |
# remove root directory | |
rm -rf /root | |
# finally remove this file | |
rm -f "$0" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment