Is there an achievement for this?

This commit is contained in:
2023-05-29 21:46:02 +03:00
parent c98b7444d8
commit 7cbae4d58f
2 changed files with 52 additions and 10 deletions

12
harden

@@ -257,8 +257,12 @@ function kernelSecurityModuleInit {
function dockerInit {
# Add user to docker group to avoid using sudo when running docker commands
sudo usermod -aG docker "$USER"
# Create a new docker network to dissalow communication between containers
sudo docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" dockerNetworkNoICC
# Get all arguments passed to the function and store them in the dockerImages array
local dockerImages=("$@")
# Check if there is a docker-compose.yml file in the user's home directory
[[ -f "$HOME/docker-compose.yml" ]] && docker-compose -f "$HOME/docker-compose.yml" up -d # If there is, run it
# Check if the dockerImages array is empty and return 0 if it is
[[ "${#dockerImages[@]}" -eq 0 ]] && return 0
# Loop through the dockerImages array
@@ -270,8 +274,12 @@ function dockerInit {
# The --security-opt=no-new-privileges option will prevent the docker image from gaining new privileges
# The --cap-drop all option will drop all capabilities from the docker image
# The --cap-add NET_ADMIN option will add the NET_ADMIN capability to the docker image
docker run -d --restart always --name "$dockerImage" --security-opt=no-new-privileges --cap-drop all --cap-add NET_ADMIN
"$dockerImage"
# The --read-only option will mount the docker image as read-only
# The --tmpfs /opt option will mount the /opt directory as a tmpfs
# The --network dockerNetworkNoICC option will connect the docker image to the dockerNetworkNoICC network
# # The --user secdep option will run the docker image as the secdep user to prevent privilege escalation
docker run -d --restart always --name "$dockerImage" --security-opt=no-new-privileges --cap-drop all --cap-add NET_ADMIN --read-only --tmpfs /opt --network dockerNetworkNoICC "$dockerImage"
#docker run -d --restart always --name "$dockerImage" --security-opt=no-new-privileges --cap-drop all --cap-add NET_ADMIN --user secdep "$dockerImage"
done
}
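Review bot: The active `docker run` line at the end of the loop does not pass `--user secdep`, yet the comment directly above it ("The --user secdep option will run the docker image as the secdep user") describes that flag; the only variant carrying it is the commented-out line below, so containers still start as the image's default user, which for most images is root. Either drop that comment or move the flag into the live command, `docker run -d --restart always --name "$dockerImage" --security-opt=no-new-privileges --cap-drop all --cap-add NET_ADMIN --read-only --tmpfs /opt --network dockerNetworkNoICC --user secdep "$dockerImage"`, bearing in mind that a named `--user` must exist in the image's passwd file (a numeric `uid:gid` avoids that dependency). The first hunk has a related inconsistency: `usermod -aG docker "$USER"` does not change the current session's group list, so the unprivileged `docker-compose -f "$HOME/docker-compose.yml" up -d` call and this `docker run` will be refused by the daemon socket until the user logs in again, while `docker network create` is run with sudo. If the `docker network create ... dockerNetworkNoICC` line is new in this commit it is also not idempotent and will fail on a second run, which matters if the script runs under `set -e`; guarding it with `sudo docker network inspect dockerNetworkNoICC >/dev/null 2>&1 ||` keeps re-runs working. The `for` loop containing the run command starts outside the hunk.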