Vulnerability Assessment on Bluemix

[jwende]

the security assessment on bluemix required four actions:

• update /etc/login.defs with PASS_MAX_DAYS 90
• update /etc/login.defs with PASS_MIN_LEN >=8
• upgrade libssl
• upgrade libgnutls Recommended fixes:
• add login.defs to github and copy it into the image
• extend the Dockerfile with: RUN apt-get update && \ apt-get dist-upgrade -y

Cheers Joerg

[s-rogers]

Thanks Joerg - these are useful tips if you intend to run in that particular environment. In terms of this project, which is intended really just as a demonstration of how you can run IIB in a a docker container, rather than as a proper production setup, I don't think we need to add these in. In fact, the first 2 would currently have no affect as we don't use a password for iibuser - we use sudo (I know, this is a while different issue - I'll look into alternatives at some point). I would also be cautious about adding in "RUN apt-get update && \ apt-get dist-upgrade -y" - Docker themselves say this is bad practice - see:

https://docs.docker.com/engine/articles/dockerfile_best-practices/

We could add in libssl and libgnutls explicitly, but I suspect that the base Ubuntu we build from will include these updates soon.