tweaks

.gitignore

@@ -2,3 +2,4 @@ ibscripts/build-image.sh
 ibscripts
 scripts/build-image.sh
 archive.key
+build-image.sh

Dockerfile

@@ -12,19 +12,11 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 # We want UTF-8 and this is the only locale in the base image that supports it
 ENV LANG="C.UTF-8"
 
-# openjdk11 (base image) does not expose all the fips ciphers, like HmacSHA256, when fips enabled
-# This causes issues with keytool & connect, so disable it for ONLY those java processes (not other processes, the OS, or K8S host)
-ARG JAVA_OPTS="-Dsecurity.useSystemPropertiesFile=false -Dcom.redhat.fips=false"
-ENV JDK_JAVA_OPTIONS=$JAVA_OPTS
-ENV JAVA_TOOL_OPTIONS=$JAVA_OPTS
-
+# Set the classpath for JARs required by `cub`
 ENV CUB_CLASSPATH='"/usr/share/java/cp-base-new/*"'
 
 USER root
 
-## Add the Confluent Docker Utility Belt which helps with starting the proper applications
-## https://github.com/confluentinc/common-docker/tree/master/utility-belt
-
 COPY archive.key /tmp
 
 ## For auditing & debugging
@@ -63,9 +55,17 @@ RUN echo "===> dnf installs" \
         && mkdir -p /usr/logs /licenses \
         && useradd --no-log-init --create-home --shell /bin/bash appuser \
         && chown appuser:appuser -R /usr/logs \
-    && dnfupdate
+    && dnfupdate 
+    
+# enable FIPS in docker image, this will only work if underlying OS has FIPS enabled as well else is a NO OP.
+RUN update-crypto-policies --set FIPS 
+
+# Disable setuid/setgid bits
+RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
+RUN find / -perm /6000 -type f -exec chmod g-s {} \; || true
 
 USER appuser
+WORKDIR /home/appuser
 
 ## healthcheck not applicable since this is ONLY used as a base image
 HEALTHCHECK NONE

hardening_manifest.yaml

@@ -8,7 +8,7 @@ name: "confluentinc/cp-base-new"
 # on ironbank.dso.mil
 tags:
   - "Q4_2024_jdk17"
-  - "2024-12-02"
+  - "2024-12-11"
   - "7.7.2"
   - "latest-ubi8.amd64"
   - "latest.amd64"