diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000000000000000000000000000000000000..d71f4037a88ea370faf0202c7519afbec6fd4a3a --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.nfs* +root/user/bin/.nfs* diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md index 7ddab914be32ba1a5b110458609e7b178e7b75be..574f8c671cf29965effe3e983608423127adfa2c 100644 --- a/.gitlab/issue_templates/Application - Initial.md +++ b/.gitlab/issue_templates/Application - Initial.md @@ -17,6 +17,13 @@ If you need to contact the Container Hardening team, please identify your assign If you have no assignee, feel free to tag Container Hardening leadership in your issue by commenting on this issue with your questions/concerns and then add `/cc @ironbank-notifications/leadership`. Gitlab will automatically notify all Container Hardening leadership to look at this issue and respond. +## Get Unstuck/AMA: +Iron Bank Get Unstuck/AMA Working Sessions every Wednesday from 1630-1730EST. +Need some help with your containers getting through Iron Bank? Have questions on where things are at? Are you feeling stuck and want to figure out the next steps? This is the meeting for you! Come meet with the Iron Bank leadership and engineers to get answers to your questions. + Register in advance for this meeting: https://www.zoomgov.com/meeting/register/vJIsf-ytpz8qHSN_JW8Hl9Qf0AZZXSCSmfo +After registering, you will receive a confirmation email containing information about joining the meeting. + +If you have any questions, please come to our Get Unstuck/AMA sessions. There we will have the right combination of business folks and engineers to get your questions answered. ## Responsibilities @@ -25,28 +32,140 @@ If this application is owned by a Contributor or Vendor (identifed as `Owner::Co ## Definition of Done -Hardening: -- [ ] Hardening manifest is created and adheres to the schema (https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json) -- [ ] Container builds successfully through the Gitlab CI pipeline -- [ ] Branch has been merged into `development` -- [ ] Project is configured for automatic renovate updates (if possible) -Justifications: -- [ ] All findings have been justified per the above documentation +This checklist is meant to provide a high level overview of the process and steps for getting your container(s) onto Iron Bank. + +- [ ] Create a Repo1 account (https://repo1.dso.mil/users/sign_in) to get access to the public repository of containers. You can register by clicking on the 'Sign in with Iron Bank SSO' button in the sign-in page, followed by the Register button + +- [ ] Fill out the onboarding form: https://p1.dso.mil/#/products/iron-bank/getting-started + +- [ ] Attend our once weekly onboarding session where you can ask questions. [Register here](https://www.zoomgov.com/meeting/register/vJIsce6rpzkqGq9hHHRscNfGENYqvRL1s10%E2%81%A9). + +- [ ] Your Onboarding form will be processed by the Iron Bank team, who will then assign it a priority level and create your repository. You will receive an email that your Gitlab issue has been created and is ready for you to complete the hardening process + +- [ ] Ensure that all POCs are assigned to the issue to ensure proper tracking and notifications + +## Hardening Process + +### Repository Requirements + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/structure_requirements.md) + +- [ ] A Dockerfile has been created in the root of the repository + +- [ ] Hardening_manifest.yaml has been created in the root of the repository + +- [ ] The project has a LICENSE or a copy of the EULA + +- [ ] The project has a README in the root of the repository with sufficient instructions on using the Iron Bank version of the image + +- [ ] If your container is an enterprise/commercial container, the opensource version is ready + +- [ ] Scripts used in the Dockerfile are placed into a `scripts` directory + +- [ ] Configuration files are placed into a `config` directory + +- [ ] Project is [configured for automatic renovate updates](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Renovate.md) (if possible) + + - [ ] Renovate.json is present in root of repository + + - [ ] Reviewers have been specified for notifications on new merge requests + +### Dockerfile Requirements + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md) + +- [ ] There is one Dockerfile named Dockerfile + +- [ ] The Dockerfile has the BASE_REGISTRY, BASE_IMAGE, and BASE_TAG arguments (used for local builds; the values in hardening_manifest.yaml are what will be used in the Container Hardening Pipeline) + +- [ ] The Dockerfile is [based on a hardened Iron Bank image](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md#requirements) + +- [ ] The Dockerfile includes a HEALTHCHECK (required if it is an application container) + +- [ ] The Dockerfile starts the container as a non-root USER. Otherwise, if you must run as root, you must have proper justification. + +- [ ] If your ENTRYPOINT entails using a script, the script is copied from a scripts directory on the project root + +- [ ] No ADD instructions are used in the Dockerfile + +## Hardening Manifest + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/hardening%20manifest) + +- [ ] Begin with this example and update with relevant information: https://repo1.dso.mil/dsop/dccscr/-/blob/master/hardening%20manifest/hardening_manifest.yaml + +- [ ] Hardening manifest adheres to the following schema: https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json + +- [ ] The BASE_IMAGE and BASE_TAG arguments refer to a hardened/approved Iron Bank image (BASE_REGISTRY defaults to `registry1.dso.mil/ironbank` in the pipeline) + +- [ ] Relevant image metadata has been entered for the corresponding labels + +- [ ] Any downloaded resources include a checksum for verification (letters must be lowercase) + +- [ ] For resource URLs that require authentication, credentials have been provided to an Iron Bank team member + +- [ ] The maintainers' contact information has been provided in the `maintainers` section + +## Gitlab CI Pipeline + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pipeline) + +- [ ] Validate your container builds successfully through the Gitlab CI pipeline. When viewing the repository in repo1.dso.mil, go to `CI/CD > Pipelines` on the left. From there, you can see the status of your pipelines. + +- [ ] Review scan output from `csv output` stage of the pipeline. For instructions on downloading the findings spreadsheet, click [here](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/spreadsheet.md) + +- [ ] Fix vulnerabilities that were found and run the pipeline again before requesting a merge to the development branch + +## Pre-Approval: + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pre-approval) + +- [ ] Submit a Merge Request to the development branch + +- [ ] Feature branch has been merged into development + +- [ ] All findings from the development branch pipeline have been justified per the above documentation + - [ ] Justifications have been attached to this issue -- [ ] Apply the label `Approval` to indicate this container is ready for the approval phase -Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over. +- [ ] Apply the `Approval` label and remove the `Doing` label to indicate this container is ready for the approval phase + +_Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over._ + +## Approval Process (Container Hardening Team processes): + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/approval) -Approval Process (Container Hardening Team processes): - [ ] Peer review from Container Hardening Team + - [ ] Findings Approver has reviewed and approved all justifications + - [ ] Approval request has been sent to Authorizing Official + - [ ] Approval request has been processed by Authorizing Official -Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label. +One of the following statuses is assigned: + +- [ ] Conditional approval has been granted by the Authorizing Official for this container (`Approval::Expiring` label is applied) + +- [ ] This container has been approved by the Authorizing Official (`Approved` label is applied) + +_Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label._ + +## Post-Approval + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/post%20approval) + +- [ ] Your issue has been closed + +- [ ] Your project has been merged into master + +- [ ] Master branch pipeline has completed successfully (at this point, the image is made available on `ironbank.dso.mil` and `registry1.dso.mil` ) + +_Note: Now that your application has been approved, your container(s) will be subjected to continuous monitoring. If new CVEs are discovered or bugs are identified, you will need to address the issues and return to step 5 (Gitlab CI Pipeline). As you make changes, please make sure you are adhering to all of the requirements of the hardening process._ + -## Post Approval ### Continuous Monitoring diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000000000000000000000000000000000000..eb0691e87788d826b28801a86a25fdc61075b55f --- /dev/null +++ b/Dockerfile @@ -0,0 +1,60 @@ +ARG BASE_REGISTRY=registry1.dso.mil +ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 +ARG BASE_TAG=8.4 + +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as build + +# Set necessary environment variables for python and python development environment +ARG APP_ROOT=/opt/app-root +ENV PYTHON_VERSION=3.8 \ + APP_ROOT=$APP_ROOT \ + USER_NAME=hero \ + HOME=${APP_ROOT} \ + PATH=$HOME/.local/bin/:$APP_ROOT/.local/bin:/opt/app-root/src/bin:/opt/app-root/bin:$PATH: \ + EDITOR=/usr/bin/vim \ + PS1="AAP \W\$ " \ + PYTHONUNBUFFERED=1 \ + PYTHONIOENCODING=UTF-8 \ + PIP_NO_CACHE_DIR=off \ + LANG="en_US.UTF-8" + +# - Enable the virtual python environment and default interactive and non-interactive +# shell environment upon container startup +ENV PROMPT_COMMAND="" + +# Copy extra files to the image. +COPY ./scripts /usr/bin +RUN chmod a+x /usr/bin/fix-permissions && \ + chmod a+x /usr/bin/rpm-file-permissions && \ + chmod a+x /usr/bin/py-enable + +# yum Updates +RUN yum update -y + +# Install packages +RUN INSTALL_PKGS="vim-enhanced rsync iputils bind-utils git python38 python38-devel python38-setuptools python38-pip" && \ + yum -y update-minimal --setopt=tsflags=nodocs --security && \ + yum -y --setopt=tsflags=nodocs install $INSTALL_PKGS && \ + yum -y remove vim-minimal && \ + rpm -V $INSTALL_PKGS && \ + yum -y clean all --enablerepo="*" + +# - Create a Python virtual environment for use by any application to avoid potential conflicts with Python packages +# preinstalled in the main Python installation. +RUN python$PYTHON_VERSION -m venv ${APP_ROOT} && /usr/bin/py-enable + +# Set up container user and adjust permissions to run in OpenShift environment +WORKDIR ${HOME} +RUN useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \ + -c "Default Application User" default && \ + fix-permissions ${APP_ROOT} -P && \ + fix-permissions ${HOME} -P && \ + rpm-file-permissions + +# Remove sticky bit +RUN chmod g-s /usr/libexec/openssh/ssh-keysign + +# set user to ensure image not running as root +USER 1001 + +HEALTHCHECK NONE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000000000000000000000000000000000000..61afe9ce006ff621fe731f6a560e5ed547788987 --- /dev/null +++ b/LICENSE @@ -0,0 +1,46 @@ + + + Python: + + PSF LICENSE AGREEMENT FOR PYTHON 3.6.12 +1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and + the Individual or Organization ("Licensee") accessing and otherwise using Python + 3.6.12 software in source or binary form and its associated documentation. + +2. Subject to the terms and conditions of this License Agreement, PSF hereby + grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, + analyze, test, perform and/or display publicly, prepare derivative works, + distribute, and otherwise use Python 3.6.12 alone or in any derivative + version, provided, however, that PSF's License Agreement and PSF's notice of + copyright, i.e., "Copyright © 2001-2020 Python Software Foundation; All Rights + Reserved" are retained in Python 3.6.12 alone or in any derivative version + prepared by Licensee. + +3. In the event Licensee prepares a derivative work that is based on or + incorporates Python 3.6.12 or any part thereof, and wants to make the + derivative work available to others as provided herein, then Licensee hereby + agrees to include in any such work a brief summary of the changes made to Python + 3.6.12. + +4. PSF is making Python 3.6.12 available to Licensee on an "AS IS" basis. + PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF + EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR + WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE + USE OF PYTHON 3.6.12 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. + +5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 3.6.12 + FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF + MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 3.6.12, OR ANY DERIVATIVE + THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. + +6. This License Agreement will automatically terminate upon a material breach of + its terms and conditions. + +7. Nothing in this License Agreement shall be deemed to create any relationship + of agency, partnership, or joint venture between PSF and Licensee. This License + Agreement does not grant permission to use PSF trademarks or trade name in a + trademark sense to endorse or promote products or services of Licensee, or any + third party. + +8. By copying, installing or otherwise using Python 3.6.12, Licensee agrees + to be bound by the terms and conditions of this License Agreement. diff --git a/README.md b/README.md index 5dc6fa6db4361c22da2f35edf0544d83ba6001e2..14dc575298807731cbd33b4456208648a819c915 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,2 @@ -# - -Project template for all Iron Bank container repositories. \ No newline at end of file +# AAP Python base image +_Use as a base image for custom python apps._ diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8089eed849b64419ddfbf3f1245a85123a034de7 --- /dev/null +++ b/hardening_manifest.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "diat/aap-python" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dso.mil +tags: +- "14.1" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_REGISTRY: "registry1.dsop.io" + BASE_IMAGE: "redhat/ubi/ubi8" + BASE_TAG: "8.4" + +# Docker image labels +labels: + # Name of the image + org.opencontainers.image.title: "aap-python" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Python $PYTHON_VERSION available as container is a base platform for building and running various Python $PYTHON_VERSION applications and frameworks." + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "AAP License" + # URL to find more information on the image + org.opencontainers.image.url: "https://wiki.navair1.navy.mil/display/Analytics/Advanced+Analytics+Platform" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "aap-python" + # Authoritative version of the software + org.opencontainers.image.version: "14.1" + # Keywords to help with search (ex. "cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "aap,python,aappython,aap-python,pythonent,atlas,diat" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "diat/aap-python" + +# List of project maintainers +maintainers: +- email: "wingkwan.lau1@navy.mil" + name: "WingKwan Lau" + username: "wlau" diff --git a/scripts/fix-permissions b/scripts/fix-permissions new file mode 100644 index 0000000000000000000000000000000000000000..827eeb587616115c2c025e6e2e45140034b295be --- /dev/null +++ b/scripts/fix-permissions @@ -0,0 +1,28 @@ +#!/bin/sh + +# Allow this script to fail without failing a build +set +e + +SYMLINK_OPT=${2:--L} + +# Fix permissions on the given directory or file to allow group read/write of +# regular files and execute of directories. + +[ $(id -u) -ne 0 ] && CHECK_OWNER=" -uid $(id -u)" + +# If argument does not exist, script will still exit with 0, +# but at least we'll see something went wrong in the log +if ! [ -e "$1" ] ; then + echo "ERROR: File or directory $1 does not exist." >&2 + # We still want to end successfully + exit 0 +fi + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -gid 0 -exec chgrp 0 {} + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} \! -perm -g+rw -exec chmod g+rw {} + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} -perm /u+x -a \! -perm /g+x -exec chmod g+x {} + +find $SYMLINK_OPT "$1" ${CHECK_OWNER} -type d \! -perm /g+x -exec chmod g+x {} + + +# Always end successfully +exit 0 + diff --git a/scripts/py-enable b/scripts/py-enable new file mode 100644 index 0000000000000000000000000000000000000000..9d1443b8db5d244960007080387c9e6d02d7b7fd --- /dev/null +++ b/scripts/py-enable @@ -0,0 +1,6 @@ +# IMPORTANT: Do not add more content to this file unless you know what you are +# doing. This file is sourced everytime the shell session is opened. +# This will make the python libraries work out of the box. +unset BASH_ENV PROMPT_COMMAND ENV +source /opt/app-root/bin/activate + diff --git a/scripts/rpm-file-permissions b/scripts/rpm-file-permissions new file mode 100644 index 0000000000000000000000000000000000000000..e96e7053c25f03d7e55880d42074f18e11bd8be5 --- /dev/null +++ b/scripts/rpm-file-permissions @@ -0,0 +1,22 @@ +#!/bin/sh + +CHECK_DIRS="/ /opt /etc /usr /usr/bin /usr/lib /usr/lib64 /usr/share /usr/libexec" + +rpm_format="[%{FILESTATES:fstate} %7{FILEMODES:octal} %{FILENAMES:shescape}\n]" + +rpm -q --qf "$rpm_format" filesystem | while read line +do + eval "set -- $line" + + case $1 in + normal) ;; + *) continue ;; + esac + + case " $CHECK_DIRS " in + *" $3 "*) + chmod "${2: -4}" "$3" + ;; + esac +done +