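#!/bin/sh
#
# Docker build calls this script to harden the image during build.
#
# It runs as root inside the image being built and every step is
# destructive (accounts, setuid bits, admin binaries and config trees are
# removed); it is meant for that build-time context only. All commands
# are traced (-x) so the build log records exactly what was changed, any
# failure is fatal (-e), and unset variables are errors (-u).
#
# NOTE: To build on CircleCI, you must take care to keep the `find`
# command out of the /proc filesystem to avoid errors like:
#
# find: /proc/tty/driver: Permission denied
# lxc-start: The container failed to start.
# lxc-start: Additional information can be obtained by \
# setting the --logfile and --logpriority options.
#
# Every `find` below therefore uses -xdev so it never crosses into /proc.
#
# This is POSIX sh (busybox ash on Alpine): no `[[`, no arrays, no `echo -e`.
set -x
set -eu

# Unprivileged runtime account. `adduser -D` creates it with a locked ("!")
# password field; the sed turns that into "x", which is still not a usable
# password hash. NOTE(review): presumably done so the account is not
# treated as locked at ssh login while remaining password-less — confirm
# against the sshd configuration.
adduser -D -s /bin/sh -u 1000 user
sed -i -r 's/^user:!:/user:x:/' /etc/shadow

# Avoid error `Only root may specify -c or -f` when using
# ForceCommand with `-f` option at non-root ssh login.
# https://www.duosecurity.com/docs/duounix-faq#can-i-use-login_duo-to-protect-non-root-shared-accounts,-or-can-i-do-an-install-without-root-privileges?
if [ -f /usr/sbin/login_duo ]; then
  chmod u-s /usr/sbin/login_duo
fi

# /etc/duo/login_duo.conf must be readable only by user 'user'.
if [ -f /etc/duo/login_duo.conf ]; then
  chown user:user /etc/duo/login_duo.conf
  chmod 0400 /etc/duo/login_duo.conf
fi

# Ensure strict ownership and perms: root-owned and not writable by anyone,
# so 'user' cannot modify the binary it is later run with.
if [ -f /usr/bin/github_pubkeys ]; then
  chown root:root /usr/bin/github_pubkeys
  chmod 0555 /usr/bin/github_pubkeys
fi

# Be informative after successful login.
# printf rather than `echo -e`: echo's -e flag is not portable under /bin/sh.
printf '\n\nHardened App container image built on %s.\n' "$(date)" > /etc/motd

# Improve strength of diffie-hellman-group-exchange-sha256 (Custom DH with SHA2)
# by dropping every modulus smaller than 2000 bits.
# See https://stribika.github.io/2015/01/04/secure-secure-shell.html
#
# Columns in the moduli file are:
# Time Type Tests Tries Size Generator Modulus
#
# This file is provided by the openssh package on Fedora.
moduli=/etc/ssh/moduli
if [ -f "${moduli}" ]; then
  cp "${moduli}" "${moduli}.orig"
  # $5 is the Size column.
  awk '$5 >= 2000' "${moduli}.orig" > "${moduli}"
  rm -f "${moduli}.orig"
fi

# Remove existing crontabs, if any.
rm -fr /var/spool/cron
rm -fr /etc/crontabs
rm -fr /etc/periodic

# Remove all but a handful of admin commands.
find /sbin /usr/sbin ! -type d \
  -a ! -name login_duo \
  -a ! -name nologin \
  -a ! -name setup-proxy \
  -a ! -name sshd \
  -a ! -name start.sh \
  -delete

# Remove world-writable permissions.
# This breaks apps that need to write to /tmp,
# such as ssh-agent.
# `-perm /MODE` ("any of these bits set") is the spelling understood by
# both GNU and busybox find; the older `+MODE` form is deprecated in GNU
# findutils.
find / -xdev -type d -perm /0002 -exec chmod o-w {} +
find / -xdev -type f -perm /0002 -exec chmod o-w {} +

# Remove unnecessary user accounts: keep only lines for user, root and sshd.
sed -i -r '/^(user|root|sshd)/!d' /etc/group
sed -i -r '/^(user|root|sshd)/!d' /etc/passwd

# Remove interactive login shell for everybody but user.
# /sbin/nologin is one of the admin commands kept above.
sed -i -r '/^user:/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd

# System directories the remaining passes operate on. They are held in the
# positional parameters so they can be handed to find as "$@" without
# relying on unquoted word-splitting (POSIX sh has no arrays; the script
# takes no arguments of its own).
set -- /bin /etc /lib /sbin /usr

# Remove apk configs (anything with "apk" in its path under the system dirs).
# NOTE: if the apk package database lives under one of these dirs
# (typically /lib/apk/db) it is removed too, and image vulnerability
# scanners rely on it to inventory installed packages — scan the image
# before this step if you need that.
find "$@" -xdev -regex '.*apk.*' -exec rm -fr {} +

# Remove crufty backup files whose name ends in "-", e.g.:
# /etc/shadow-
# /etc/passwd-
# /etc/group-
find "$@" -xdev -type f -regex '.*-$' -exec rm -f {} +

# Ensure system dirs are owned by root and not writable by anybody else.
# chown/chmod are still present at this point; they are deleted further down,
# so this pass must stay ahead of that one.
find "$@" -xdev -type d \
  -exec chown root:root {} \; \
  -exec chmod 0755 {} \;

# Remove all suid files.
find "$@" -xdev -type f -perm /4000 -delete

# Remove other programs that could be dangerous.
find "$@" -xdev \( \
  -name hexdump -o \
  -name chgrp -o \
  -name chmod -o \
  -name chown -o \
  -name ln -o \
  -name od -o \
  -name strings -o \
  -name su \
  \) -delete

# Remove init scripts since we do not use them.
rm -fr /etc/init.d
rm -fr /lib/rc
rm -fr /etc/conf.d
rm -fr /etc/inittab
rm -fr /etc/runlevels
rm -fr /etc/rc.conf

# Remove kernel tunables since we do not need them.
rm -fr /etc/sysctl*
rm -fr /etc/modprobe.d
rm -fr /etc/modules
rm -fr /etc/mdev.conf
rm -fr /etc/acpi

# Remove root homedir since we do not need it.
rm -fr /root

# Remove fstab since we do not need it.
rm -f /etc/fstab

# Remove broken symlinks (because we removed the targets above).
# Relies on an external `test` binary (under /usr/bin, which is not pruned
# above), since find -exec cannot use a shell builtin.
find "$@" -xdev -type l -exec test ! -e {} \; -delete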