gliderlabs / docker-alpine

Alpine Linux Docker image. Win at minimalism!
http://gliderlabs.viewdocs.io/docker-alpine
BSD 2-Clause "Simplified" License

[Security] Make Alpine image compliant with CIS Docker Community Edition Benchmark v1.1.0. #492

Open anthony-roger opened 5 years ago

anthony-roger commented 5 years ago

Current alpine image is not compliant with CIS Docker Community Edition Benchmark v1.1.0, Section 4 - Container Images and Build File. Please refer to [docker/docker-bench-security](https://github.com/docker/docker-bench-security).

To reproduce issues:

```sh
docker pull alpine:latest

docker run --net host --pid host --userns host --cap-add audit_control -e DOCKER_CONTENT_TRUST=1 -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker_benchsecurity docker/docker-bench-security:latest -t "alpine:latest" -e "check[12367].|check_5.[1-57-9]."
```

Especially, but maybe not only, this one (ADD should not be used anymore. Use COPY instead.):

```
[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile
[INFO]      * ADD in image history: [alpine:latest]
```

tianon commented 5 years ago

This is what we in the official images program call a "base image" -- you'll note that every base image uses ADD, and there's not any other way to accomplish what they are without doing so.

They're built from a rootfs tarball which needs to be extracted into an empty image (FROM scratch), but we don't have any tools in an empty image to do the extraction so we have to rely on the magic extraction behavior of ADD (which COPY does not have).

anthony-roger commented 5 years ago

Hi Tianon,

Thanks for your answer, this is very interesting. I understand your point.

I checked and I saw that the Debian minimal image has the same behaviour. However, RHEL does not. I see the point in the official Docker documentation: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/

On the other hand, the point I suggested is also in an official Docker recommendation (docker-bench-security), and this official tool points it out. You could reply that the CIS specification applies a non-scored check here, and that the actual scoring is a bug.

I am really interested in such topics.

Please let me know if I'm missing something. Would really appreciate your feedback on this.

Best regards, Anthony.

thaJeztah commented 5 years ago

I think it's difficult to write a good check for ADD vs COPY. It's indeed recommended to use COPY if you don't need the added features of ADD (extracting archives and/or remote sources), but there are still valid use-cases.

Most of those use-cases can be addressed through multi-stage builds, but those cannot (yet) be used for the official images, due to how the build-system for the official images is rigged up.

Perhaps the Docker Bench tools should skip some checks for official images, or check if the ADD is done on a FROM scratch image (which is the case when you're creating a base-image from scratch; see https://docs.docker.com/develop/develop-images/baseimages/)

Might be worth opening a ticket to discuss that in the docker-bench issue tracker
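As an added example (not code from the docker-alpine project, from docker-bench-security, or from anyone in this thread), here is what the refinement suggested above could look like: a check that reads `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` output (newest layer first) and tolerates an ADD only in the oldest layer, where it can only have come from a `FROM scratch` base-image build, while still flagging every other ADD. The sample histories and their `file:` digests are constructed placeholders, and the exact history strings Docker prints are an assumption of this example (the check matches the `ADD ` token wherever it appears, so BuildKit-style lines are handled as well).

```shell
#!/bin/sh
# Added example, not part of docker-alpine or docker-bench-security.
#
# Input for both checks is the output of
#   docker history --no-trunc --format '{{.CreatedBy}}' IMAGE
# read from stdin, newest layer first. The oldest layer is the last line;
# an ADD there has no parent layer beneath it, i.e. it is the rootfs-tarball
# ADD of a "FROM scratch" base image. Any other ADD is reported.

# Naive check in the spirit of benchmark 4.9: fail (return 1) on any ADD.
naive_add_check() {
    ! grep -qE '(^| )ADD '
}

# Base-aware check: report ADD instructions except one in the oldest layer.
# Returns 1 if any such ADD was found, 0 otherwise.
base_aware_add_check() {
    awk '
        { line[NR] = $0 }
        END {
            found = 0
            for (i = 1; i < NR; i++) {        # i == NR is the oldest layer; skip it
                if (line[i] ~ /(^| )ADD /) {
                    print "non-base ADD in layer " i ": " line[i]
                    found = 1
                }
            }
            exit found
        }'
}

# Constructed sample histories (placeholder digests, not real image data).
# A base image built as
#   FROM scratch
#   ADD rootfs.tar.xz /
#   CMD ["/bin/sh"]
BASE_HISTORY='/bin/sh -c #(nop)  CMD ["/bin/sh"]
/bin/sh -c #(nop) ADD file:0000000000000000 in /'

# An image built on top of it that uses ADD for a remote archive, which is
# the case the benchmark is actually after:
#   FROM <that base>
#   RUN apk add --no-cache curl
#   ADD https://example.invalid/app.tar.gz /opt/
DERIVED_HISTORY='/bin/sh -c #(nop) ADD https://example.invalid/app.tar.gz /opt/
/bin/sh -c apk add --no-cache curl
/bin/sh -c #(nop)  CMD ["/bin/sh"]
/bin/sh -c #(nop) ADD file:0000000000000000 in /'

# Run one check function over one sample history and print the verdict.
run_check() {
    name=$1; hist=$2; check=$3
    if printf '%s\n' "$hist" | "$check"; then
        echo "$name: $check PASS"
    else
        echo "$name: $check FAIL"
    fi
}

run_check base    "$BASE_HISTORY"    naive_add_check       # FAIL: flags the rootfs ADD
run_check base    "$BASE_HISTORY"    base_aware_add_check  # PASS
run_check derived "$DERIVED_HISTORY" base_aware_add_check  # FAIL: flags the remote ADD
```

To run it against a real image, replace the constructed history with `docker history --no-trunc --format '{{.CreatedBy}}' alpine:latest | base_aware_add_check`. The naive check reproduces the behaviour complained about in this issue (every base image fails), while the base-aware one only passes the single ADD that a scratch-based rootfs import requires.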