They came from... Behind
48
harden
48
harden
@@ -286,8 +286,6 @@ EOF
|
||||
# Restart docker
|
||||
sudo machinectl shell secdep@ /bin/bash -c "systemctl --user restart docker"
|
||||
|
||||
# # Create a new docker network to dissalow communication between containers
|
||||
# ##sudo docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" dockerNetworkNoICC
|
||||
# Get all arguments passed to the function and store them in the dockerImages array
|
||||
local dockerImages=("$@")
|
||||
# Using -f instead of -e to check if the file exists AND that it is a regular file
|
||||
@@ -323,34 +321,43 @@ EOF
|
||||
chmod a+rx runsc containerd-shim-runsc-v1
|
||||
sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
|
||||
)
|
||||
# Enable gVisor for docker by default
|
||||
sudo runuser - secdep -c 'sudo mkdir -p /home/secdep/.config/docker'
|
||||
# Enable gVisor for docker by default while hardening the docker daemon.json file
|
||||
# The no-new-privileges option will prevent the docker daemon from gaining new privileges
|
||||
# The runsc option --network=host and --ignore-cgroup will help with running runsc
|
||||
# with rootless docker
|
||||
sudo runuser - secdep -c 'mkdir -p /home/secdep/.config/docker'
|
||||
# "icc": false to disable inter-container communication, does not work without br_netfilter module loaded
|
||||
# and it is sometimes prohibited by the hosting provider
|
||||
# so we'll leave it out
|
||||
DOCKERD_CONFIG=$(cat <<'EOF'
|
||||
{
|
||||
"security-opts": [
|
||||
"no-new-privileges:true"
|
||||
],
|
||||
"no-new-privileges": true,
|
||||
"selinux-enabled": false,
|
||||
"default-runtime": "runsc",
|
||||
"runtimes": {
|
||||
"runsc": {
|
||||
"path": "/home/secdep/bin/runsc"
|
||||
"path": "/home/secdep/bin/runsc",
|
||||
"runtimeArgs": [
|
||||
"--network=host",
|
||||
"--ignore-cgroups"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
)
|
||||
sudo runuser - secdep -c "printf '%s' '$DOCKERD_CONFIG' | sudo tee /home/secdep/.config/docker/daemon.json"
|
||||
sudo runuser - secdep -c "printf '%s\n' '$DOCKERD_CONFIG' > /home/secdep/.config/docker/daemon.json"
|
||||
# Restart docker to apply the changes
|
||||
sudo machinectl shell secdep@ /bin/bash -c "systemctl --user restart docker"
|
||||
|
||||
whereis apparmor | grep -q /apparmor && kernelSecurityModule="apparmor" || kernelSecurityModule="selinux"
|
||||
if [[ "$kernelSecurityModule" == "selinux" ]]; then
|
||||
sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/.config/docker'
|
||||
sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/bin/runsc'
|
||||
sudo runuser - secdep -c 'setsebool -P container_manage_cgroup true'
|
||||
sudo chcon -Rt svirt_sandbox_file_t /home/secdep/.config/docker
|
||||
sudo chcon -Rt svirt_sandbox_file_t /home/secdep/bin/runsc
|
||||
setsebool -P container_manage_cgroup true
|
||||
sudo runuser - secdep -c 'sed -i "s/\"selinux-enabled\": false/\"selinux-enabled\": true/" /home/secdep/.config/docker/daemon.json'
|
||||
fi
|
||||
|
||||
|
||||
sudo machinectl shell secdep@ "$(which bash)" -c '[[ -f "$HOME/docker-compose.yml" ]] && DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
|
||||
# Read the docker-compose.yml file for port mappings to add to the firewall
|
||||
CMD_PORTS="cat /home/secdep/docker-compose.yml | sed '/^[[:space:]]*$/d' | grep -A1 ports | grep '[0-9]:[0-9]' | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
|
||||
@@ -388,21 +395,8 @@ EOF
|
||||
[[ "$dockerImage" == *":"* ]] && dockerImageName="${dockerImage%:*}" || dockerImageName="$dockerImage"
|
||||
# Same goes for "/"
|
||||
[[ "$dockerImageName" == *"/"* ]] && dockerImageName="${dockerImageName%/*}"
|
||||
# No need to pull the docker image as the run command will do it automatically
|
||||
# Run the docker image in the background,
|
||||
# with the restart always option and the name of the docker image
|
||||
# The --security-opt=no-new-privileges option will prevent the docker image from gaining new privileges
|
||||
# The --cap-drop all option will drop all capabilities from the docker image
|
||||
# The --cap-add NET_BIND_SERVICE option will add the NET_BIND_SERVICE capability to the docker image
|
||||
# The --read-only option will mount the docker image as read-only
|
||||
# The --tmpfs /opt option will mount the /opt directory as a tmpfs
|
||||
# The --network dockerNetworkNoICC option will connect the docker image to the dockerNetworkNoICC network
|
||||
# The -v /:/host option will enable the docker rootless mode
|
||||
# # The --user secdep option will run the docker image as the secdep user to prevent privilege escalation
|
||||
# sudo -u secdep bash -c 'mkdir -p /home/secdep/opt'
|
||||
CMD="docker pull $dockerImage"
|
||||
# CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --tmpfs /home/secdep/opt -v /:/host $dockerImage"
|
||||
# CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --read-only --tmpfs /home/secdep/opt -v /:/host $dockerImage"
|
||||
printf "%s\n" "Downloaded $dockerImageName docker image"
|
||||
sudo -E runuser - secdep -c "$CMD"
|
||||
done
|
||||
}
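Review bot: `setsebool -P container_manage_cgroup true` in the selinux branch runs without `sudo`, unlike the `sudo chcon -Rt svirt_sandbox_file_t …` lines just above it, so when this function runs as an unprivileged user the boolean is never persisted and, with no `|| die` on the line, the script carries on as if it were; the line should read `sudo setsebool -P container_manage_cgroup true`. This page does not mark which of the adjacent `runuser`/direct variants is the new side, so confirm that against the raw diff before changing it. Separately, the `CMD_PORTS` pipeline at the end of the same hunk keeps the last `:`-separated field of each mapping (`rev | cut -d':' -f1 | rev`), which for a compose `HOST:CONTAINER` entry is the container port rather than the published host port, and `grep -A1 ports` only reads the first mapping under each `ports:` key, so the firewall rule derived from it can open the wrong port and misses the rest. Parsing the compose file with `yq` (e.g. `.services[].ports[]`) and taking the host side of each entry would avoid both problems. The enclosing function begins before the first hunk and its `done`/`}` close it in the last one.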
|
||||
|
||||