From 8308c31997c3928e4f355400b9d66ec43c09c4bd Mon Sep 17 00:00:00 2001
From: Kenneth Maguire
Date: Wed, 28 Apr 2021 21:29:14 +0000
Subject: [PATCH 1/9] Add new file
---
clamav-whitelist | 1 +
1 file changed, 1 insertion(+)
create mode 100644 clamav-whitelist
diff --git a/clamav-whitelist b/clamav-whitelist
new file mode 100644
index 0000000..adbd76c
--- /dev/null
+++ b/clamav-whitelist
@@ -0,0 +1 @@
+Multios.Trojan.ElectroRAT-9823393-0
-- GitLab
From 7a4aed8cfc5ec12e1409cf4709fb69a7b385f410 Mon Sep 17 00:00:00 2001
From: Kenneth Maguire
Date: Wed, 28 Apr 2021 21:30:01 +0000
Subject: [PATCH 2/9] Update CODEOWNERS
---
.gitlab/CODEOWNERS | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index 64a2c68..74d136c 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -4,3 +4,6 @@ [Gitlab Configuration Files] .gitlab/* @ironbank-notifications/cht
+
+[ClamAV Whitelist File]
+clamav-whitelist @ironbank-security-team
-- GitLab
From 8ebea62b6e52b758dbd4b360d88a954c5f8a3682 Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Wed, 21 Apr 2021 14:58:59 -0400
Subject: [PATCH 3/9] Initial Hardening of Heimdall2 using Heimdall 2.4.5
---
Dockerfile | 36 ++++++++++++++++++++++
LICENSE | 9 ++++++
README.md | 48 +++++++++++++++++++++++++++--
hardening_manifest.yaml | 59 ++++++++++++++++++++++++++++++++++++
renovate.json | 39 ++++++++++++++++++++++++
scripts/docker-entrypoint.sh | 5 +++
6 files changed, 194 insertions(+), 2 deletions(-)
create mode 100644 Dockerfile
create mode 100644 LICENSE
create mode 100644 hardening_manifest.yaml
create mode 100644 renovate.json
create mode 100755 scripts/docker-entrypoint.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..58a56d0
--- /dev/null
+++ b/Dockerfile
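Review bot: The single entry `Multios.Trojan.ElectroRAT-9823393-0` silences a ClamAV trojan signature, and nothing in this patch records which file in the image triggers it or why it is judged a false positive. That justification belongs in the commit message, or next to the entry if the whitelist format accepts comments, together with the upstream Heimdall version it was assessed against, so the suppression is re-examined on the next image bump instead of being carried forward indefinitely. Note that a signature-level allowlist also suppresses the detection for any future file matching that signature, not only the one that was reviewed.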
@@ -0,0 +1,36 @@
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=opensource/nodejs/nodejs14
+ARG BASE_TAG=14.16.0
+
+FROM mitre/heimdall2:version-2.4.5 AS source
+
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+
+COPY yarn.tar.gz /
+
+WORKDIR /
+
+RUN npm install -g yarn.tar.gz --force
+
+
+RUN groupadd -g 1001 heimdall && \
+ useradd -r -u 1001 -m -s /sbin/nologin -g heimdall heimdall && \
+ mkdir -p /heimdall/logs && \
+ mkdir -p /heimdall/file && \
+ mkdir -p /heimdall/config && \
+ chown -R heimdall:heimdall /heimdall
+
+WORKDIR /heimdall
+
+COPY --from=source /app .
+
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+USER heimdall
+
+HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
+ CMD curl -f http://locahost:3000/server || exit 1
+
+EXPOSE 3000
+
+CMD ["docker-entrypoint.sh"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..ff0d868
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,9 @@
+Licensed under the Apache-2.0 license.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+- Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice.
+
+- Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution.
+
+- Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
diff --git a/README.md b/README.md
index 5dc6fa6..086e9e5 100644
--- a/README.md
+++ b/README.md
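Review bot: The HEALTHCHECK probes `http://locahost:3000/server` — `locahost` is misspelled, so curl cannot resolve it inside the container and the check reports unhealthy regardless of the server's state; the line should read `CMD curl -f http://localhost:3000/server || exit 1`. The same typo is carried unchanged through the later Dockerfile hunks in this series. Separately, `COPY yarn.tar.gz /` leaves the tarball at `/yarn.tar.gz` in the final image after the `npm install -g` step; remove it in the same RUN or install yarn in a throwaway stage. `COPY --from=source /app .` carries no `--chown`, so whether the `heimdall` user can write anywhere under `/heimdall` depends on the ownership that comes across from the upstream image — worth confirming, since only the three `mkdir` paths are explicitly chowned.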
@@ -1,3 +1,47 @@ -# +# MITRE Heimdall2 -Project template for all Iron Bank container repositories. \ No newline at end of file +Given that Heimdall requires at least a database service, we use Docker and Docker Compose to provide a simple deployment experience. + +#### Setup Docker Container (Clean Install) + +1. Install Docker + +2. Download and extract the most recent `docker-compose.yml` and `setup-docker-secrets.sh` from our [releases page](https://github.com/mitre/heimdall2/releases). + +3. Navigate to the base folder where `docker-compose.yml` is located + +4. Run the following commands in a terminal window from the Heimdall source directory. For more information on the .env file, visit [Environment Variables Configuration.](https://github.com/mitre/heimdall2/wiki/Environment-Variables-Configuration) + - ```bash + ./setup-docker-secrets.sh + # If you would like to further configure your Heimdall instance, edit the .env file generated after running the previous line + docker-compose up -d + ``` + +6. Navigate to [`http://127.0.0.1:3000`](http://127.0.0.1:3000). + +#### Running Docker Container + +Make sure you have run the setup steps at least once before following these steps! + +1. Run the following command in a terminal window: ``docker-compose up -d`` + +2. Go to [`http://127.0.0.1:3000`](http://127.0.0.1:3000) in a web browser. + +#### Updating Docker Container + +A new version of the docker container can be retrieved by running: + +```bash +docker-compose pull +docker-compose up -d +``` + +This will fetch the latest version of the container, redeploy if a newer version exists, and then apply any database migrations if applicable. No data should be lost by this operation. + +#### Stopping the Container + +From the source directory you started from run: + +```bash +docker-compose down +``` diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..a4e046f --- /dev/null +++ b/hardening_manifest.yaml 
@@ -0,0 +1,59 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "mitre/saf/heimdall2" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dso.mil +tags: +- "2.4.5" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "opensource/nodejs/nodejs14" + BASE_TAG: "14.16.0" + +# Docker image labels +labels: + # Name of the image + org.opencontainers.image.title: "heimdall2" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "MITRE Heimdall2 Enterprise Server" + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "Apache 2" + # URL to find more information on the image + org.opencontainers.image.url: "https://github.com/mitre/heimdall2" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "MITRE" + # Authoritative version of the software + org.opencontainers.image.version: "2.4.5" + # Keywords to help with search (ex. 
"cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "saf" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "opensource" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "Heimdall2" + +# List of resources to make available to the offline build context +resources: + # Official source of Yarn + - filename: yarn.tar.gz + url: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz + validation: + type: sha256 + value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e + + # This is the official upstream docker image of Heimdall2 + - tag: mitre/heimdall2:version-2.4.5 + url: docker://docker.io/mitre/heimdall2@sha256:d7646e1630677ebae1025b66620f714368495783d0d0e11fe0a281afb0496790 + +# List of project maintainers +maintainers: +- email: "rbclark@mitre.org" + # The name of the current container owner + name: "Robert Clark" + # The gitlab username of the current container owner + username: "rbclark" diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..21d0d6f --- /dev/null +++ b/renovate.json @@ -0,0 +1,39 @@ +{ + "assignees": [ + "@rbclark" + ], + "baseBranches": [ + "development" + ], + "regexManagers": [{ + "fileMatch": [ + "^Dockerfile$" + ], + "matchStrings": [ + "version=\"(?.*?)\"" + ], + "depNameTemplate": "mitre/heimdall2", + "datasourceTemplate": "docker" + }, + { + "fileMatch": [ + "^hardening_manifest.yaml$" + ], + "matchStrings": [ + "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\"" + ], + "depNameTemplate": "mitre/heimdall2", + "datasourceTemplate": "docker" + }, + { + "fileMatch": [ + "^hardening_manifest.yaml$" + ], + "matchStrings": [ + "tags:\\s+-\\s+\"(?.+?)\"" + ], + "depNameTemplate": "mitre/heimdall2", + "datasourceTemplate": "docker" + } + ] +} diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh new file mode 100755 index 0000000..74db5f9 --- /dev/null 
+++ b/scripts/docker-entrypoint.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+yarn backend sequelize-cli db:migrate
+yarn backend sequelize-cli db:seed:all
+yarn backend start
-- GitLab
From fdd70fecefdbce9e489c1f20cac3b470bd0753fe Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Mon, 3 May 2021 16:50:18 -0400
Subject: [PATCH 4/9] Fix BASE_IMAGE path for local builds
---
Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 58a56d0..126d3e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@ ARG BASE_REGISTRY=registry1.dso.mil -ARG BASE_IMAGE=opensource/nodejs/nodejs14 +ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14 ARG BASE_TAG=14.16.0 FROM mitre/heimdall2:version-2.4.5 AS source
-- GitLab
From 20496b81a3dd1bd3831e3519aa3ef1da05b3ceb8 Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Tue, 4 May 2021 10:27:22 -0400
Subject: [PATCH 5/9] Run as root to setup yarn and add the heimdall user and group
---
Dockerfile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 126d3e4..33d9524 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,8 +10,9 @@ COPY yarn.tar.gz / WORKDIR / -RUN npm install -g yarn.tar.gz --force +USER root +RUN npm install -g yarn.tar.gz --force RUN groupadd -g 1001 heimdall && \ useradd -r -u 1001 -m -s /sbin/nologin -g heimdall heimdall && \
-- GitLab
From 0135edef2e48c617509b50ba3ea48b3267b33f14 Mon Sep 17 00:00:00 2001
From: Robert Clark
Date: Tue, 4 May 2021 10:29:20 -0400
Subject: [PATCH 6/9] Fix uid and gid conflict
---
Dockerfile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 33d9524..4d8abc9 100644
--- a/Dockerfile
+++ b/Dockerfile
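Review bot: `yarn backend start` is launched as a child of `/bin/sh`, so the shell remains PID 1 and the SIGTERM from `docker stop` is not delivered to the server, which then waits out the stop timeout and is killed; end the script with `exec yarn backend start` so the process replaces the shell and receives signals. `db:migrate` and `db:seed:all` also run unconditionally on every container start, so the seeders must be idempotent or a restart will re-apply them — I cannot see the seed files from here, so worth confirming. Even with exec, yarn spawns node as a subprocess, so if signal forwarding proves unreliable the usual fix is to invoke the backend's start script directly with node.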
@@ -14,8 +14,8 @@ USER root RUN npm install -g yarn.tar.gz --force -RUN groupadd -g 1001 heimdall && \ - useradd -r -u 1001 -m -s /sbin/nologin -g heimdall heimdall && \ +RUN groupadd -g 1002 heimdall && \ + useradd -r -u 1002 -m -s /sbin/nologin -g heimdall heimdall && \ mkdir -p /heimdall/logs && \ mkdir -p /heimdall/file && \ mkdir -p /heimdall/config && \ -- GitLab From 2df09749128d9eaf617a54c06bc5a2d28cbf8678 Mon Sep 17 00:00:00 2001 From: Robert Clark Date: Wed, 19 May 2021 09:19:29 -0400 Subject: [PATCH 7/9] Upgrade to Heimdall 2.4.6 --- Dockerfile | 4 ++-- hardening_manifest.yaml | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4d8abc9..9f5ed41 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,8 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14 -ARG BASE_TAG=14.16.0 +ARG BASE_TAG=14.17.0 -FROM mitre/heimdall2:version-2.4.5 AS source +FROM mitre/heimdall2:version-2.4.6 AS source FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index a4e046f..8cdb0c6 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,13 +8,13 @@ name: "mitre/saf/heimdall2" # The most specific version should be the first tag and will be shown # on ironbank.dso.mil tags: -- "2.4.5" +- "2.4.6" - "latest" # Build args passed to Dockerfile ARGs args: BASE_IMAGE: "opensource/nodejs/nodejs14" - BASE_TAG: "14.16.0" + BASE_TAG: "14.17.0" # Docker image labels labels: @@ -29,7 +29,7 @@ labels: # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "MITRE" # Authoritative version of the software - org.opencontainers.image.version: "2.4.5" + org.opencontainers.image.version: "2.4.6" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "saf" # This value can be "opensource" or "commercial" 
@@ -47,8 +47,8 @@ resources: value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e # This is the official upstream docker image of Heimdall2 - - tag: mitre/heimdall2:version-2.4.5 - url: docker://docker.io/mitre/heimdall2@sha256:d7646e1630677ebae1025b66620f714368495783d0d0e11fe0a281afb0496790 + - tag: mitre/heimdall2:version-2.4.6 + url: docker://docker.io/mitre/heimdall2@sha256:9253d4cbb8ee6a08147e0bb4ce2b87232719cca73014fb367e6925d3e481e00c # List of project maintainers maintainers: -- GitLab From 49788b1a1456db9282f5d16c102e12d377a83710 Mon Sep 17 00:00:00 2001 From: Robert Clark Date: Fri, 28 May 2021 12:37:22 -0400 Subject: [PATCH 8/9] Upgrade to Heimdall 2.4.7 --- Dockerfile | 2 +- hardening_manifest.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9f5ed41..1b4b792 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14 ARG BASE_TAG=14.17.0 -FROM mitre/heimdall2:version-2.4.6 AS source +FROM mitre/heimdall2:version-2.4.7 AS source FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 8cdb0c6..2455616 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "mitre/saf/heimdall2" # The most specific version should be the first tag and will be shown # on ironbank.dso.mil tags: -- "2.4.6" +- "2.4.7" - "latest" # Build args passed to Dockerfile ARGs @@ -29,7 +29,7 @@ labels: # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "MITRE" # Authoritative version of the software - org.opencontainers.image.version: "2.4.6" + org.opencontainers.image.version: "2.4.7" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "saf" # This value can be "opensource" or "commercial" 
@@ -47,8 +47,8 @@ resources: value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e # This is the official upstream docker image of Heimdall2 - - tag: mitre/heimdall2:version-2.4.6 - url: docker://docker.io/mitre/heimdall2@sha256:9253d4cbb8ee6a08147e0bb4ce2b87232719cca73014fb367e6925d3e481e00c + - tag: mitre/heimdall2:version-2.4.7 + url: docker://docker.io/mitre/heimdall2@sha256:c02dfe81c286fb16142e92912c0ae0d67c22748304d591b893361c48c549107a # List of project maintainers maintainers: -- GitLab From a5f47e780216d56bbcc66f497c7da82f3f409121 Mon Sep 17 00:00:00 2001 From: Robert Clark Date: Tue, 1 Jun 2021 17:41:36 -0400 Subject: [PATCH 9/9] Upgrade to Heimdall 2.4.8, container cleanup The latest upstream version of Heimdall removes all of the build dependencies from the production container. This should significantly reduce the findings on this container. Additionally, this fixes an issue where the Ironbank version of the container would not start properly due to NPM creating a folder at `/home/node/.config` which was owned by root which was causing errors when running as the Heimdall user. Instead of using the Heimdall user, this container is now using the node user that comes with it. --- Dockerfile | 16 ++++++---------- hardening_manifest.yaml | 8 ++++---- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1b4b792..452580e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14 ARG BASE_TAG=14.17.0 -FROM mitre/heimdall2:version-2.4.7 AS source +FROM mitre/heimdall2:2.4.8 AS source FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} 
@@ -12,14 +12,7 @@ WORKDIR / USER root -RUN npm install -g yarn.tar.gz --force - -RUN groupadd -g 1002 heimdall && \ - useradd -r -u 1002 -m -s /sbin/nologin -g heimdall heimdall && \ - mkdir -p /heimdall/logs && \ - mkdir -p /heimdall/file && \ - mkdir -p /heimdall/config && \ - chown -R heimdall:heimdall /heimdall +RUN NO_UPDATE_NOTIFIER=true npm install -g yarn.tar.gz --force WORKDIR /heimdall
@@ -27,7 +20,10 @@ COPY --from=source /app . COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh -USER heimdall +# Not necessary for normal operation and the trigger scan warnings on IronBank. +RUN rm -rf /heimdall/apps/backend/node_modules/webfinger/test + +USER node HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \ CMD curl -f http://locahost:3000/server || exit 1
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 2455616..7df996a 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -8,7 +8,7 @@ name: "mitre/saf/heimdall2" # The most specific version should be the first tag and will be shown # on ironbank.dso.mil tags: -- "2.4.7" +- "2.4.8" - "latest" # Build args passed to Dockerfile ARGs
@@ -29,7 +29,7 @@ labels: # Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "MITRE" # Authoritative version of the software - org.opencontainers.image.version: "2.4.7" + org.opencontainers.image.version: "2.4.8" # Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "saf" # This value can be "opensource" or "commercial"
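Review bot: The switch to `USER node` drops the `mkdir`/`chown` of `/heimdall`, so `/heimdall` is now created by `WORKDIR` as root and `COPY --from=source /app .` still carries no `--chown`; unless the upstream image already owns `/app` as the node uid, the application tree (including the `logs`/`file`/`config` paths the removed RUN used to prepare) is unwritable at runtime. `COPY --chown=node:node --from=source /app .` makes the ownership explicit regardless of what upstream ships. The second hunk leaves the context line `CMD curl -f http://locahost:3000/server || exit 1` untouched, so the misspelled `locahost` still makes the healthcheck fail; this commit would be the natural place to fix it. Note also that `RUN rm -rf .../webfinger/test` runs in a layer after the COPY, so those files are gone from the final filesystem but remain in the earlier layer for any tool that scans layers rather than the merged rootfs. Minor: the new comment reads "and the trigger scan warnings" — "and they trigger scan warnings".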
@@ -47,8 +47,8 @@ resources: value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e # This is the official upstream docker image of Heimdall2 - - tag: mitre/heimdall2:version-2.4.7 - url: docker://docker.io/mitre/heimdall2@sha256:c02dfe81c286fb16142e92912c0ae0d67c22748304d591b893361c48c549107a + - tag: mitre/heimdall2:2.4.8 + url: docker://docker.io/mitre/heimdall2@sha256:fe28f450161935947b219d81aa04cd1cdb1aac02b139f6e139d085a7dee6ef2c # List of project maintainers maintainers: -- GitLab