Skip to content

Instantly share code, notes, and snippets.

@leopoldodonnell

leopoldodonnell/Dockerfile

Last active February 8, 2018 13:45
Show Gist options
  • Save leopoldodonnell/aebca5e9e318c5cffe0bac4f0ea0f5de to your computer and use it in GitHub Desktop.
Save leopoldodonnell/aebca5e9e318c5cffe0bac4f0ea0f5de to your computer and use it in GitHub Desktop.
Download ZIP
Docker Hardening for Alpine
Raw
alpine-harden.sh
#!/bin/sh
set -x
set -e
# Improve strength of diffie-hellman-group-exchange-sha256 (Custom DH with SHA2).
# See https://stribika.github.io/2015/01/04/secure-secure-shell.html
#
# Columns in the moduli file are:
# Time Type Tests Tries Size Generator Modulus
#
# This file is provided by the openssh package on Fedora.
moduli=/etc/ssh/moduli
if [[ -f ${moduli} ]]; then
cp ${moduli} ${moduli}.orig
awk '$5 >= 2000' ${moduli}.orig > ${moduli}
rm -f ${moduli}.orig
fi
# Remove existing crontabs, if any.
rm -fr /var/spool/cron
rm -fr /etc/crontabs
rm -fr /etc/periodic
# Remove all but a handful of admin commands.
find /sbin /usr/sbin ! -type d \
-a ! -name setup-proxy \
-a ! -name sshd \
-a ! -name start.sh \
-delete
# Remove world-writable permissions.
# This breaks apps that need to write to /tmp,
# such as ssh-agent.
find / -xdev -type d -perm +0002 -exec chmod o-w {} +
find / -xdev -type f -perm +0002 -exec chmod o-w {} +
# Remove unnecessary user accounts.
sed -i -r "/^(${SERVICE_USER}|root|sshd)/!d" /etc/group
sed -i -r "/^(${SERVICE_USER}|root|sshd)/!d" /etc/passwd
# Remove interactive login shell for everybody but user.
sed -i -r '/^'${SERVICE_USER}':/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
sysdirs="
/bin
/etc
/lib
/sbin
/usr
"
# Remove apk configs.
find $sysdirs -xdev -regex '.*apk.*' -exec rm -fr {} +
# Remove crufty...
# /etc/shadow-
# /etc/passwd-
# /etc/group-
find $sysdirs -xdev -type f -regex '.*-$' -exec rm -f {} +
# Ensure system dirs are owned by root and not writable by anybody else.
find $sysdirs -xdev -type d \
-exec chown root:root {} \; \
-exec chmod 0755 {} \;
# Remove all suid files.
find $sysdirs -xdev -type f -a -perm +4000 -delete
# Remove other programs that could be dangerous.
find $sysdirs -xdev \( \
-name hexdump -o \
-name chgrp -o \
-name chmod -o \
-name chown -o \
-name ln -o \
-name od -o \
-name strings -o \
-name su \
\) -delete
# Remove init scripts since we do not use them.
rm -fr /etc/init.d
rm -fr /lib/rc
rm -fr /etc/conf.d
rm -fr /etc/inittab
rm -fr /etc/runlevels
rm -fr /etc/rc.conf
# Remove kernel tunables since we do not need them.
rm -fr /etc/sysctl*
rm -fr /etc/modprobe.d
rm -fr /etc/modules
rm -fr /etc/mdev.conf
rm -fr /etc/acpi
# Remove root homedir since we do not need it.
rm -fr /root
# Remove fstab since we do not need it.
rm -f /etc/fstab
# Remove broken symlinks (because we removed the targets above).
find $sysdirs -xdev -type l -exec test ! -e {} \; -delete
Raw
Dockerfile
FROM alpine:3.6
# A hardened base image for Alpine
# You can build this with different users and home directories
ARG SERVICE_USER
ARG SERVICE_HOME
# Default to user 'app' with home '/home/app'
ENV SERVICE_USER ${SERVICE_USER:-app}
ENV SERVICE_HOME ${SERVICE_HOME:-/home/${SERVICE_USER}}
COPY ./harden.sh /root
RUN \
mkdir -p ${SERVICE_HOME} && \
adduser -h ${SERVICE_HOME} -s /sbin/nologin -u 1000 -D ${SERVICE_USER} && \
chown -R ${SERVICE_USER}:${SERVICE_USER} ${SERVICE_HOME} && \
apk add --no-cache \
/root/harden.sh && \
rm /root/harden.sh
USER ${SERVICE_USER}
WORKDIR ${SERVICE_HOME}
VOLUME ${SERVICE_HOME}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment