Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/thomasfricke/container-hardening
scripts which help harden containers
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/thomasfricke/container-hardening
- Owner: thomasfricke
- License: other
- Created: 2021-12-08T18:02:27.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2022-10-17T14:49:28.000Z (over 2 years ago)
- Last Synced: 2024-08-08T18:21:49.597Z (5 months ago)
- Language: Dockerfile
- Size: 24.4 KB
- Stars: 28
- Watchers: 2
- Forks: 2
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: License.md
Awesome Lists containing this project
- awesome-starred - thomasfricke/container-hardening - scripts which help harden containers (others)
README
# container-hardening
The `harden` scripts help to harden containers. They need to be used inside the `Dockerfile`.
For example, hardening `nginx:alpine`:
```Dockerfile
# Build stage: collect nginx and the files it needs under /tmp/harden
FROM nginx:alpine as origin
ADD harden /harden
RUN mkdir /tmp/harden
RUN ./harden -d /usr/sbin/nginx \
-f /etc/nginx /var/log/nginx/ /var/run/nginx.pid /var/cache/nginx /etc/passwd /etc/group \
/usr/share/nginx /usr/share/licenses/ /var/run \
-c /var/log/nginx/ /var/cache/nginx /var/run

# Final stage: an empty image that receives only the collected tree
FROM scratch
COPY --from=origin /tmp/harden/ /
ENTRYPOINT ["/usr/sbin/nginx","-g","daemon off;"]
```
Usage:
```bash
harden [-x] -d -f -r -u user -c "
-x Activates debugging
-d Files are considered dynamically linked
All library dependencies are resolved using ldd and necessary file are included
-f Files and directories to include. Don't forget the license files
-r Files to be removed before copying, especially log files
-u User:Group files should be chowned to, access right will be set to rw for the user
-c chmod go+rw to all the files in this section

The container needs a usable version of sh, ldd, sed, rm and uniq
```
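The `-d` option above resolves library dependencies with `ldd`. The sketch below is an added example, not the project's `harden` script: it shows one way to turn `ldd` output into the list of files a `scratch` image needs, and to flag libraries that did not resolve. The function names and the sample `ldd` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's harden script.
# sample_ldd, ldd_paths and missing_libs are hypothetical names.

# Constructed ldd output for a dynamically linked binary on a musl image.
sample_ldd() {
  cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd5a1f2000)
    /lib/ld-musl-x86_64.so.1 (0x00007f1c2a400000)
    libpcre.so.1 => /usr/lib/libpcre.so.1 (0x00007f1c2a380000)
    libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x00007f1c2a400000)
    libexample.so.3 => not found
EOF
}

# Read ldd output on stdin and print each absolute library path once.
# Handles "name => /path (addr)" lines and bare "/path (addr)" loader lines;
# virtual objects such as linux-vdso have no path and are skipped.
ldd_paths() {
  sed -n \
    -e 's|^[[:space:]]*[^[:space:]]* => \(/[^[:space:]]*\).*$|\1|p' \
    -e 's|^[[:space:]]*\(/[^[:space:]]*\) (0x.*$|\1|p' |
    sort | uniq
}

# Read ldd output on stdin and print the names of unresolved libraries.
# A binary copied to scratch without these fails at start-up.
missing_libs() {
  sed -n 's|^[[:space:]]*\([^[:space:]]*\) => not found.*$|\1|p'
}

echo "copy into the scratch stage:"
sample_ldd | ldd_paths
echo "unresolved libraries:"
sample_ldd | missing_libs
```

Against a real binary in the build stage, the same functions take `ldd /usr/sbin/nginx` on stdin in place of the constructed sample.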