From 8e40ee36a999ac82dc1f474699904463ac3923d0 Mon Sep 17 00:00:00 2001
From: konsthol
Date: Tue, 5 Sep 2023 02:23:58 +0300
Subject: [PATCH] They came from... Behind
---
 harden | 48 +++++++++++++++++++++---------------------------
 1 file changed, 21 insertions(+), 27 deletions(-)
diff --git a/harden b/harden
index 9d3cdaa..81366e7 100755
--- a/harden
+++ b/harden
@@ -286,8 +286,6 @@ EOF
 # Restart docker
 sudo machinectl shell secdep@ /bin/bash -c "systemctl --user restart docker"
-# # Create a new docker network to dissalow communication between containers
-# ##sudo docker network create --driver bridge -o "com.docker.network.bridge.enable_icc"="false" dockerNetworkNoICC
 # Get all arguments passed to the function and store them in the dockerImages array
 local dockerImages=("$@")
 # Using -f instead of -e to check if the file exists AND that it is a regular file
@@ -323,34 +321,43 @@ EOF
 chmod a+rx runsc containerd-shim-runsc-v1
 sudo mv runsc containerd-shim-runsc-v1 /home/secdep/bin
 )
- # Enable gVisor for docker by default
- sudo runuser - secdep -c 'sudo mkdir -p /home/secdep/.config/docker'
+ # Enable gVisor for docker by default while hardening the docker daemon.json file
+ # The no-new-privileges option will prevent the docker daemon from gaining new privileges
+ # The runsc option --network=host and --ignore-cgroup will help with running runsc
+ # with rootless docker
+ sudo runuser - secdep -c 'mkdir -p /home/secdep/.config/docker'
+# "icc": false to disable inter-container communication, does not work without br_netfilter module loaded
+# and it is sometimes prohibited by the hosting provider
+# so we'll leave it out
 DOCKERD_CONFIG=$(cat <<'EOF'
 {
-"security-opts": [
-"no-new-privileges:true"
-],
+"no-new-privileges": true,
 "selinux-enabled": false,
 "default-runtime": "runsc",
 "runtimes": {
 "runsc": {
-"path": "/home/secdep/bin/runsc"
+"path": "/home/secdep/bin/runsc",
+"runtimeArgs": [
+"--network=host",
+"--ignore-cgroups"
+]
 }
 }
 }
 EOF
 )
- sudo runuser - secdep -c "printf '%s' '$DOCKERD_CONFIG' | sudo tee /home/secdep/.config/docker/daemon.json"
+ sudo runuser - secdep -c "printf '%s\n' '$DOCKERD_CONFIG' > /home/secdep/.config/docker/daemon.json"
+ # Restart docker to apply the changes
+ sudo machinectl shell secdep@ /bin/bash -c "systemctl --user restart docker"
 whereis apparmor | grep -q /apparmor && kernelSecurityModule="apparmor" || kernelSecurityModule="selinux"
 if [[ "$kernelSecurityModule" == "selinux" ]]; then
- sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/.config/docker'
- sudo runuser - secdep -c 'sudo chcon -Rt svirt_sandbox_file_t /home/secdep/bin/runsc'
- sudo runuser - secdep -c 'setsebool -P container_manage_cgroup true'
+ sudo chcon -Rt svirt_sandbox_file_t /home/secdep/.config/docker
+ sudo chcon -Rt svirt_sandbox_file_t /home/secdep/bin/runsc
+ setsebool -P container_manage_cgroup true
 sudo runuser - secdep -c 'sed -i "s/\"selinux-enabled\": false/\"selinux-enabled\": true/" /home/secdep/.config/docker/daemon.json'
 fi
- sudo machinectl shell secdep@ "$(which bash)" -c '[[ -f "$HOME/docker-compose.yml" ]] && DOCKER_HOST=unix:///run/user/$UID/docker.sock /home/secdep/bin/docker-compose -f /home/secdep/docker-compose.yml up -d'
 # Read the docker-compose.yml file for port mappings to add to the firewall
 CMD_PORTS="cat /home/secdep/docker-compose.yml | sed '/^[[:space:]]*$/d' | grep -A1 ports | grep '[0-9]:[0-9]' | rev | cut -d':' -f1 | rev | grep -Eow '[[:digit:]]+' | tr '\n' ' '"
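Review bot: The new `sudo machinectl shell secdep@ /bin/bash -c "systemctl --user restart docker"` runs before the SELinux branch, so on an SELinux host the daemon comes back up with `"selinux-enabled": false` and the `sed -i` that flips it to `true` only takes effect at some later restart; move the `# Restart docker to apply the changes` comment and the machinectl line to just after `fi`. In that same branch `setsebool -P container_manage_cgroup true` lost its privilege wrapper while the two `chcon` lines beside it kept `sudo`; `-P` writes the persistent boolean and needs root, so it should read `sudo setsebool -P container_manage_cgroup true`. The added header comment also disagrees with the code: the daemon key `"no-new-privileges"` sets the default for containers the daemon starts rather than restricting the daemon itself, and the flag is spelled `--ignore-cgroups` in `runtimeArgs` but `--ignore-cgroup` in the comment. If I read the runsc options right, `--network=host` makes the sandbox pass traffic through the host network stack instead of gVisor's own netstack, so this trades part of the gVisor isolation for rootless compatibility and the comment should say so. The enclosing function starts and ends outside this hunk.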
@@ -388,21 +395,8 @@ EOF
 [[ "$dockerImage" == *":"* ]] && dockerImageName="${dockerImage%:*}" || dockerImageName="$dockerImage"
 # Same goes for "/"
 [[ "$dockerImageName" == *"/"* ]] && dockerImageName="${dockerImageName%/*}"
- # No need to pull the docker image as the run command will do it automatically
- # Run the docker image in the background,
- # with the restart always option and the name of the docker image
- # The --security-opt=no-new-privileges option will prevent the docker image from gaining new privileges
- # The --cap-drop all option will drop all capabilities from the docker image
- # The --cap-add NET_BIND_SERVICE option will add the NET_BIND_SERVICE capability to the docker image
- # The --read-only option will mount the docker image as read-only
- # The --tmpfs /opt option will mount the /opt directory as a tmpfs
- # The --network dockerNetworkNoICC option will connect the docker image to the dockerNetworkNoICC network
- # The -v /:/host option will enable the docker rootless mode
- # # The --user secdep option will run the docker image as the secdep user to prevent privilege escalation
- # sudo -u secdep bash -c 'mkdir -p /home/secdep/opt'
 CMD="docker pull $dockerImage"
- # CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --tmpfs /home/secdep/opt -v /:/host $dockerImage"
- # CMD="docker run -d --restart always --name $dockerImageName --security-opt=no-new-privileges --cap-drop all --cap-add NET_BIND_SERVICE --read-only --tmpfs /home/secdep/opt -v /:/host $dockerImage"
+ printf "%s\n" "Downloaded $dockerImageName docker image"
 sudo -E runuser - secdep -c "$CMD"
 done
 }
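Review bot: The added `printf "%s\n" "Downloaded $dockerImageName docker image"` runs before `sudo -E runuser - secdep -c "$CMD"`, so the message is printed even when the pull has not happened yet or fails; wrap it as `if sudo -E runuser - secdep -c "$CMD"; then` / `  printf '%s\n' "Downloaded $dockerImage docker image"` / `fi` so it is emitted only after a successful pull. It also reports `$dockerImageName`, which the preceding context line `dockerImageName="${dockerImageName%/*}"` has cut down to the part before the last `/` (for an image like `library/nginx` that is `library`), while the pull itself uses `$dockerImage`, so the message can name the wrong thing. Separately, `CMD="docker pull $dockerImage"` is expanded into a `-c` command string run as secdep; that line is untouched here, but since `dockerImage` comes straight from the function's arguments it deserves a shape check such as `[[ "$dockerImage" =~ ^[A-Za-z0-9._/:@-]+$ ]] || continue` before it is placed in a command line. The enclosing function starts outside this hunk and ends at the closing `}` shown here.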