From 8ebea62b6e52b758dbd4b360d88a954c5f8a3682 Mon Sep 17 00:00:00 2001 From: Robert Clark Date: Wed, 21 Apr 2021 14:58:59 -0400 Subject: [PATCH 1/4] Initial Hardening of Heimdall2 using Heimdall 2.4.5 --- Dockerfile | 36 ++++++++++++++++++++++ LICENSE | 9 ++++++ README.md | 48 +++++++++++++++++++++++++++-- hardening_manifest.yaml | 59 ++++++++++++++++++++++++++++++++++++ renovate.json | 39 ++++++++++++++++++++++++ scripts/docker-entrypoint.sh | 5 +++ 6 files changed, 194 insertions(+), 2 deletions(-) create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 hardening_manifest.yaml create mode 100644 renovate.json create mode 100755 scripts/docker-entrypoint.sh
diff --git a/Dockerfile b/Dockerfile new file mode 100644
index 0000000..58a56d0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,36 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=opensource/nodejs/nodejs14
+ARG BASE_TAG=14.16.0
+
+FROM mitre/heimdall2:version-2.4.5 AS source
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+COPY yarn.tar.gz /
+
+WORKDIR /
+
+RUN npm install -g yarn.tar.gz --force
+
+
+RUN groupadd -g 1001 heimdall && \
+ useradd -r -u 1001 -m -s /sbin/nologin -g heimdall heimdall && \
+ mkdir -p /heimdall/logs && \
+ mkdir -p /heimdall/file && \
+ mkdir -p /heimdall/config && \
+ chown -R heimdall:heimdall /heimdall
+
+WORKDIR /heimdall
+
+COPY --from=source /app .
+
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+USER heimdall
+
+HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
+ CMD curl -f http://locahost:3000/server || exit 1
+
+EXPOSE 3000
+
+CMD ["docker-entrypoint.sh"]
diff --git a/LICENSE b/LICENSE new file mode 100644
index 0000000..ff0d868
--- /dev/null
+++ b/LICENSE
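Review bot: The HEALTHCHECK probes `http://locahost:3000/server` — `locahost` is misspelled, so the name never resolves, every probe fails, and the container is marked unhealthy after the three retries regardless of the application's state. Change it to `CMD curl -f http://localhost:3000/server || exit 1`. The probe also assumes `curl` exists in the `nodejs14` base image; if it does not, the check fails the same way, so that is worth confirming before relying on the health status. Separately, the `source` stage pulls `mitre/heimdall2:version-2.4.5` by mutable tag while `hardening_manifest.yaml` in this same patch pins that image by sha256 digest; a comment on the FROM line such as `# resolved to the digest-pinned image from hardening_manifest.yaml in Iron Bank builds; local builds get whatever the tag points at` would make the difference explicit.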
@@ -0,0 +1,9 @@ +Licensed under the Apache-2.0 license. + +Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + +- Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice. + +- Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution. + +- Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. diff --git a/README.md b/README.md index 5dc6fa6..086e9e5 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,47 @@ -# +# MITRE Heimdall2 -Project template for all Iron Bank container repositories. \ No newline at end of file +Given that Heimdall requires at least a database service, we use Docker and Docker Compose to provide a simple deployment experience. + +#### Setup Docker Container (Clean Install) + +1. Install Docker + +2. Download and extract the most recent `docker-compose.yml` and `setup-docker-secrets.sh` from our [releases page](https://github.com/mitre/heimdall2/releases). + +3. Navigate to the base folder where `docker-compose.yml` is located + +4. Run the following commands in a terminal window from the Heimdall source directory. For more information on the .env file, visit [Environment Variables Configuration.](https://github.com/mitre/heimdall2/wiki/Environment-Variables-Configuration) + - ```bash + ./setup-docker-secrets.sh + # If you would like to further configure your Heimdall instance, edit the .env file generated after running the previous line + docker-compose up -d + ``` + +6. Navigate to [`http://127.0.0.1:3000`](http://127.0.0.1:3000). + +#### Running Docker Container + +Make sure you have run the setup steps at least once before following these steps! + +1. Run the following command in a terminal window: ``docker-compose up -d`` + +2. Go to [`http://127.0.0.1:3000`](http://127.0.0.1:3000) in a web browser. + +#### Updating Docker Container + +A new version of the docker container can be retrieved by running: + +```bash +docker-compose pull +docker-compose up -d +``` + +This will fetch the latest version of the container, redeploy if a newer version exists, and then apply any database migrations if applicable. No data should be lost by this operation. + +#### Stopping the Container + +From the source directory you started from run: + +```bash +docker-compose down +``` diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..a4e046f --- /dev/null +++ b/hardening_manifest.yaml 
@@ -0,0 +1,59 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "mitre/saf/heimdall2" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dso.mil +tags: +- "2.4.5" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "opensource/nodejs/nodejs14" + BASE_TAG: "14.16.0" + +# Docker image labels +labels: + # Name of the image + org.opencontainers.image.title: "heimdall2" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "MITRE Heimdall2 Enterprise Server" + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "Apache 2" + # URL to find more information on the image + org.opencontainers.image.url: "https://github.com/mitre/heimdall2" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "MITRE" + # Authoritative version of the software + org.opencontainers.image.version: "2.4.5" + # Keywords to help with search (ex. 
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "saf" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "Heimdall2" + +# List of resources to make available to the offline build context +resources: + # Official source of Yarn + - filename: yarn.tar.gz + url: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz + validation: + type: sha256 + value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e + + # This is the official upstream docker image of Heimdall2 + - tag: mitre/heimdall2:version-2.4.5 + url: docker://docker.io/mitre/heimdall2@sha256:d7646e1630677ebae1025b66620f714368495783d0d0e11fe0a281afb0496790 + +# List of project maintainers +maintainers: +- email: "rbclark@mitre.org" + # The name of the current container owner + name: "Robert Clark" + # The gitlab username of the current container owner + username: "rbclark" diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..21d0d6f --- /dev/null +++ b/renovate.json @@ -0,0 +1,39 @@ +{ + "assignees": [ + "@rbclark" + ], + "baseBranches": [ + "development" + ], + "regexManagers": [{ + "fileMatch": [ + "^Dockerfile$" + ], + "matchStrings": [ + "version=\"(?.*?)\"" + ], + "depNameTemplate": "mitre/heimdall2", + "datasourceTemplate": "docker" + }, + { + "fileMatch": [ + "^hardening_manifest.yaml$" + ], + "matchStrings": [ + "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\"" + ], + "depNameTemplate": "mitre/heimdall2", + "datasourceTemplate": "docker" + }, + { + "fileMatch": [ + "^hardening_manifest.yaml$" + ], + "matchStrings": [ + "tags:\\s+-\\s+\"(?.+?)\"" + ], + "depNameTemplate": "mitre/heimdall2", + "datasourceTemplate": "docker" + } + ] +} diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh new file mode 100755 index 0000000..74db5f9 --- /dev/null 
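Review bot: `org.opencontainers.image.licenses` is set to `"Apache 2"`, which is not an SPDX identifier; the LICENSE file added in this same patch says `Apache-2.0`, and tooling that reads this OCI label expects the SPDX form, so it should be `org.opencontainers.image.licenses: "Apache-2.0"`. The upstream image resource is pinned by digest, which is good, but nothing ties that digest to the `2.4.5` tag and version label — when those are bumped the digest must be updated by hand or the build silently keeps the old image. A comment above the `url:` line such as `# digest of mitre/heimdall2:version-2.4.5 — update together with tags and image.version` would make the coupling visible.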
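Review bot: The first regexManager targets `^Dockerfile$` with the pattern `version=\"(?.*?)\"`, but the Dockerfile added in this patch references the upstream image as `FROM mitre/heimdall2:version-2.4.5 AS source` — there is no `version="…"` string for that regex to match, so Renovate will bump `hardening_manifest.yaml` but never the Dockerfile's pinned tag, leaving the two out of sync. A pattern such as `"FROM mitre/heimdall2:version-(?<currentValue>[^\\s]+)"` would match the actual line. All three `matchStrings` show the capture group as `(?` with no name in this rendering; if the committed file really lacks the `<currentValue>` name rather than this being a page artifact, Renovate cannot extract a version from any of them. None of the managers updates the `@sha256:` digest in the manifest's `resources` block either, so a version bump would leave the digest pointing at the old image.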
+++ b/scripts/docker-entrypoint.sh @@ -0,0 +1,5 @@ +#!/bin/sh +set -e +yarn backend sequelize-cli db:migrate +yarn backend sequelize-cli db:seed:all +yarn backend start -- GitLab From fdd70fecefdbce9e489c1f20cac3b470bd0753fe Mon Sep 17 00:00:00 2001 From: Robert Clark Date: Mon, 3 May 2021 16:50:18 -0400 Subject: [PATCH 2/4] Fix BASE_IMAGE path for local builds --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 58a56d0..126d3e4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry1.dso.mil -ARG BASE_IMAGE=opensource/nodejs/nodejs14 +ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14 ARG BASE_TAG=14.16.0 FROM mitre/heimdall2:version-2.4.5 AS source -- GitLab From 20496b81a3dd1bd3831e3519aa3ef1da05b3ceb8 Mon Sep 17 00:00:00 2001 From: Robert Clark Date: Tue, 4 May 2021 10:27:22 -0400 Subject: [PATCH 3/4] Run as root to setup yarn and add the heimdall user and group --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 126d3e4..33d9524 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,8 +10,9 @@ COPY yarn.tar.gz / WORKDIR / -RUN npm install -g yarn.tar.gz --force +USER root +RUN npm install -g yarn.tar.gz --force RUN groupadd -g 1001 heimdall && \ useradd -r -u 1001 -m -s /sbin/nologin -g heimdall heimdall && \ -- GitLab From 0135edef2e48c617509b50ba3ea48b3267b33f14 Mon Sep 17 00:00:00 2001 From: Robert Clark Date: Tue, 4 May 2021 10:29:20 -0400 Subject: [PATCH 4/4] Fix uid and gid conflict --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 33d9524..4d8abc9 100644 --- a/Dockerfile +++ b/Dockerfile 
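Review bot: The final `yarn backend start` runs as a child of the `/bin/sh` executing this script, and the Dockerfile's `CMD ["docker-entrypoint.sh"]` makes that shell PID 1, so the SIGTERM from `docker stop` is delivered to `sh`, which does not forward it; the container is killed after the stop timeout and the application never gets a graceful shutdown. Change the last line to `exec yarn backend start` so the shell is replaced; whether yarn in turn forwards signals to the node process is worth checking separately. The script also runs `db:seed:all` on every container start — if the seeds are not idempotent this re-applies them on each restart, so confirm against upstream's entrypoint or add a comment explaining why re-seeding is intended.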
@@ -14,8 +14,8 @@ USER root RUN npm install -g yarn.tar.gz --force -RUN groupadd -g 1001 heimdall && \ - useradd -r -u 1001 -m -s /sbin/nologin -g heimdall heimdall && \ +RUN groupadd -g 1002 heimdall && \ + useradd -r -u 1002 -m -s /sbin/nologin -g heimdall heimdall && \ mkdir -p /heimdall/logs && \ mkdir -p /heimdall/file && \ mkdir -p /heimdall/config && \ -- GitLab
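Review bot: The UID/GID moves from 1001 to 1002 but the Dockerfile does not record why; only the commit subject says the original values conflicted, presumably with an account already present in the `nodejs14` base image, and a maintainer reading just the Dockerfile may well "tidy" it back to 1001. A comment above the `groupadd` line such as `# 1001 is already allocated in the base image; 1002 avoids the clash` would preserve the reason. The `RUN` continues past the hunk (the `chown -R heimdall:heimdall /heimdall` line is outside it).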