From 8ebea62b6e52b758dbd4b360d88a954c5f8a3682 Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Wed, 21 Apr 2021 14:58:59 -0400
Subject: [PATCH] Initial Hardening of Heimdall2 using Heimdall 2.4.5
---
 Dockerfile | 36 ++++++++++++++++++++++
 LICENSE | 9 ++++++
 README.md | 48 +++++++++++++++++++++++++++--
 hardening_manifest.yaml | 59 ++++++++++++++++++++++++++++++++++++
 renovate.json | 39 ++++++++++++++++++++++++
 scripts/docker-entrypoint.sh | 5 +++
 6 files changed, 194 insertions(+), 2 deletions(-)
 create mode 100644 Dockerfile
 create mode 100644 LICENSE
 create mode 100644 hardening_manifest.yaml
 create mode 100644 renovate.json
 create mode 100755 scripts/docker-entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..58a56d0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,36 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=opensource/nodejs/nodejs14
+ARG BASE_TAG=14.16.0
+
+FROM mitre/heimdall2:version-2.4.5 AS source
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+COPY yarn.tar.gz /
+
+WORKDIR /
+
+RUN npm install -g yarn.tar.gz --force
+
+
+RUN groupadd -g 1001 heimdall && \
+ useradd -r -u 1001 -m -s /sbin/nologin -g heimdall heimdall && \
+ mkdir -p /heimdall/logs && \
+ mkdir -p /heimdall/file && \
+ mkdir -p /heimdall/config && \
+ chown -R heimdall:heimdall /heimdall
+
+WORKDIR /heimdall
+
+COPY --from=source /app .
+
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+USER heimdall
+
+HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
+ CMD curl -f http://locahost:3000/server || exit 1
+
+EXPOSE 3000
+
+CMD ["docker-entrypoint.sh"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..ff0d868
--- /dev/null
+++ b/LICENSE
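Review bot: The HEALTHCHECK near the end of the Dockerfile probes `http://locahost:3000/server`, a misspelling of localhost, so name resolution fails on every run and the container is reported unhealthy even when the server is up; change it to `CMD curl -f http://localhost:3000/server || exit 1`. The probe also assumes `curl` is present in the registry1 nodejs14 base image, which nothing in this Dockerfile installs — worth confirming, or the check fails for a second reason. Separately, `FROM mitre/heimdall2:version-2.4.5 AS source` selects the upstream image by mutable tag while hardening_manifest.yaml pins the same image by digest; inside the Iron Bank pipeline the manifest's resource tag presumably satisfies this FROM, but a build outside the pipeline would resolve the tag from Docker Hub, so carrying the digest in the FROM as well would close that gap.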
@@ -0,0 +1,9 @@
+Licensed under the Apache-2.0 license.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+- Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice.
+
+- Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution.
+
+- Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
diff --git a/README.md b/README.md
index 5dc6fa6..086e9e5 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,47 @@
-#
+# MITRE Heimdall2
-Project template for all Iron Bank container repositories.
\ No newline at end of file
+Given that Heimdall requires at least a database service, we use Docker and Docker Compose to provide a simple deployment experience.
+
+#### Setup Docker Container (Clean Install)
+
+1. Install Docker
+
+2. Download and extract the most recent `docker-compose.yml` and `setup-docker-secrets.sh` from our [releases page](https://github.com/mitre/heimdall2/releases).
+
+3. Navigate to the base folder where `docker-compose.yml` is located
+
+4. Run the following commands in a terminal window from the Heimdall source directory. For more information on the .env file, visit [Environment Variables Configuration.](https://github.com/mitre/heimdall2/wiki/Environment-Variables-Configuration)
+ - ```bash
+ ./setup-docker-secrets.sh
+ # If you would like to further configure your Heimdall instance, edit the .env file generated after running the previous line
+ docker-compose up -d
+ ```
+
+6. Navigate to [`http://127.0.0.1:3000`](http://127.0.0.1:3000).
+
+#### Running Docker Container
+
+Make sure you have run the setup steps at least once before following these steps!
+
+1. Run the following command in a terminal window: ``docker-compose up -d``
+
+2. Go to [`http://127.0.0.1:3000`](http://127.0.0.1:3000) in a web browser.
+
+#### Updating Docker Container
+
+A new version of the docker container can be retrieved by running:
+
+```bash
+docker-compose pull
+docker-compose up -d
+```
+
+This will fetch the latest version of the container, redeploy if a newer version exists, and then apply any database migrations if applicable. No data should be lost by this operation.
+
+#### Stopping the Container
+
+From the source directory you started from run:
+
+```bash
+docker-compose down
+```
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
new file mode 100644
index 0000000..a4e046f
--- /dev/null
+++ b/hardening_manifest.yaml
@@ -0,0 +1,59 @@
+---
+apiVersion: v1
+
+# The repository name in registry1, excluding /ironbank/
+name: "mitre/saf/heimdall2"
+
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+- "2.4.5"
+- "latest"
+
+# Build args passed to Dockerfile ARGs
+args:
+ BASE_IMAGE: "opensource/nodejs/nodejs14"
+ BASE_TAG: "14.16.0"
+
+# Docker image labels
+labels:
+ # Name of the image
+ org.opencontainers.image.title: "heimdall2"
+ # Human-readable description of the software packaged in the image
+ org.opencontainers.image.description: "MITRE Heimdall2 Enterprise Server"
+ # License(s) under which contained software is distributed
+ org.opencontainers.image.licenses: "Apache 2"
+ # URL to find more information on the image
+ org.opencontainers.image.url: "https://github.com/mitre/heimdall2"
+ # Name of the distributing entity, organization or individual
+ org.opencontainers.image.vendor: "MITRE"
+ # Authoritative version of the software
+ org.opencontainers.image.version: "2.4.5"
+ # Keywords to help with search (ex. "cicd,gitops,golang")
+ mil.dso.ironbank.image.keywords: "saf"
+ # This value can be "opensource" or "commercial"
+ mil.dso.ironbank.image.type: "opensource"
+ # Product the image belongs to for grouping multiple images
+ mil.dso.ironbank.product.name: "Heimdall2"
+
+# List of resources to make available to the offline build context
+resources:
+ # Official source of Yarn
+ - filename: yarn.tar.gz
+ url: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz
+ validation:
+ type: sha256
+ value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e
+
+ # This is the official upstream docker image of Heimdall2
+ - tag: mitre/heimdall2:version-2.4.5
+ url: docker://docker.io/mitre/heimdall2@sha256:d7646e1630677ebae1025b66620f714368495783d0d0e11fe0a281afb0496790
+
+# List of project maintainers
+maintainers:
+- email: "rbclark@mitre.org"
+ # The name of the current container owner
+ name: "Robert Clark"
+ # The gitlab username of the current container owner
+ username: "rbclark"
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..21d0d6f
--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,39 @@
+{
+ "assignees": [
+ "@rbclark"
+ ],
+ "baseBranches": [
+ "development"
+ ],
+ "regexManagers": [{
+ "fileMatch": [
+ "^Dockerfile$"
+ ],
+ "matchStrings": [
+ "version=\"(?.*?)\""
+ ],
+ "depNameTemplate": "mitre/heimdall2",
+ "datasourceTemplate": "docker"
+ },
+ {
+ "fileMatch": [
+ "^hardening_manifest.yaml$"
+ ],
+ "matchStrings": [
+ "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\""
+ ],
+ "depNameTemplate": "mitre/heimdall2",
+ "datasourceTemplate": "docker"
+ },
+ {
+ "fileMatch": [
+ "^hardening_manifest.yaml$"
+ ],
+ "matchStrings": [
+ "tags:\\s+-\\s+\"(?.+?)\""
+ ],
+ "depNameTemplate": "mitre/heimdall2",
+ "datasourceTemplate": "docker"
+ }
+ ]
+}
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
new file mode 100755
index 0000000..74db5f9
--- /dev/null
+++ b/scripts/docker-entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+yarn backend sequelize-cli db:migrate
+yarn backend sequelize-cli db:seed:all
+yarn backend start
-- GitLab
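Review bot: The final line `yarn backend start` runs as a child of `/bin/sh`, which remains PID 1 because the Dockerfile launches this script via `CMD ["docker-entrypoint.sh"]`; `docker stop` therefore delivers SIGTERM to the shell, which does not forward it, and the server is killed outright after the grace period instead of shutting down cleanly. Replace the last line with `exec yarn backend start` so the server process takes over PID 1 and receives the signal directly. Also `db:seed:all` runs on every container start rather than only on first install; whether the seeders are idempotent is not visible in this patch and is worth confirming, since a non-idempotent seeder would insert duplicate rows on each restart.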