diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS new file mode 100644 index 0000000000000000000000000000000000000000..64a2c68c3ababda8d526d6cd995f02cd36f837ab --- /dev/null +++ b/.gitlab/CODEOWNERS @@ -0,0 +1,6 @@ +[Pipelines] +.gitlab-ci.yml @ironbank-notifications/cht +.gitlab-ci.yaml @ironbank-notifications/cht + +[Gitlab Configuration Files] +.gitlab/* @ironbank-notifications/cht diff --git a/.gitlab/issue_templates/Access Request.md b/.gitlab/issue_templates/Access Request.md new file mode 100644 index 0000000000000000000000000000000000000000..1a7b224d6ccdad95fef69b5c8be1ce2b543f338e --- /dev/null +++ b/.gitlab/issue_templates/Access Request.md @@ -0,0 +1,16 @@ +## Summary + +The following individuals are requesting access to this project (one per line): +(List or tag all individuals here) + + +The access level should be: +- [ ] Developer access +- [ ] Remove access + + +## Definition of Done +- [ ] All accounts have been provided the necessary accesses + + +/label ~"Access" ~"To Do" \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Archive.md b/.gitlab/issue_templates/Application - Archive.md new file mode 100644 index 0000000000000000000000000000000000000000..9f3b5fe4d8d43ae9f82411a391b200d4b43f2668 --- /dev/null +++ b/.gitlab/issue_templates/Application - Archive.md @@ -0,0 +1,21 @@ +## Summary + +Requesting this application be archived due to one of the following reasons: +- [ ] Version is no longer supported by vendor +- [ ] Application is End-Of-Life +- [ ] License violation. +- [ ] Other. See below. + +## Detailed Description + +(Please provide a detailed description of why this application should be archived) + + +## Definition of Done +- [ ] Application has been reviewed for archival +- [ ] Project is officially marked as stale +- [ ] Iron Bank frontend no longer lists application as available or approved + + +/label ~"Container::Archive" +/cc @ironbank-notifications/archive \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md new file mode 100644 index 0000000000000000000000000000000000000000..6594a0580b941815c0c7c6264cdfc42e28231f57 --- /dev/null +++ b/.gitlab/issue_templates/Application - Initial.md @@ -0,0 +1,32 @@ +## Summary + +Requesting application to be hardened. This is only for initial hardening of a container. + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Greylist file has been created (requires a member from container hardening) +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process (container hardening team processes): +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Initial" +/cc @ironbank-notifications/cht \ No newline at end of file diff --git a/.gitlab/issue_templates/Application - Update.md b/.gitlab/issue_templates/Application - Update.md new file mode 100644 index 0000000000000000000000000000000000000000..caebb3e9aab279c7f109ec0fbfa246b8add6d972 --- /dev/null +++ b/.gitlab/issue_templates/Application - Update.md @@ -0,0 +1,35 @@ +## Summary + +Requesting application be updated to a newer version. + + + +## Version Information + +Current version: (State the current version of the application as you see it) + +Updated version: (State the version you would like the application updated to) + +Under support: (Is the updated version within the same major version of the application or is this a new major version?) + + +## Definition of Done +Hardening: +- [ ] Container builds successfully +- [ ] Container version has been updated in greylist file +- [ ] Branch has been merged into `development` + +Justifications: +- [ ] All findings have been justified per the above documentation +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Peer review from Container Hardening Team +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::Update" +/cc @ironbank-notifications/updates \ No newline at end of file diff --git a/.gitlab/issue_templates/Bug.md b/.gitlab/issue_templates/Bug.md new file mode 100644 index 0000000000000000000000000000000000000000..1427a0caed1833bccd3b1e5f8c5f6eafde05266c --- /dev/null +++ b/.gitlab/issue_templates/Bug.md @@ -0,0 +1,37 @@ +## Summary + +(Summarize the bug encountered concisely) + + +## Steps to reproduce + +(How one can reproduce the issue - this is very important) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Relevant logs and/or screenshots + +(Paste any relevant logs - please use code blocks (```) to format console output, +logs, and code as it's very hard to read otherwise.) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Defintion of Done +- [ ] Bug has been identified and corrected within the container + + +/label ~Bug +/cc @ironbank-notifications/bug \ No newline at end of file diff --git a/.gitlab/issue_templates/Feature Request.md b/.gitlab/issue_templates/Feature Request.md new file mode 100644 index 0000000000000000000000000000000000000000..a0e2f195dc66e4187264381c5e96e8aa96db8a09 --- /dev/null +++ b/.gitlab/issue_templates/Feature Request.md @@ -0,0 +1,32 @@ +## Feature description + +(Detailed description of the feature being requested) + + +## Use cases + + +(Detailed description of the use case for this feature) + + +## Benefits + +(How does this benefit others) + + +## Requirements + +(Any requirements for this feature to be enabled?) + + +## Links / references + +(List of links or references that support this feature) + + +## Definition of Done +- [ ] Feature has been implemented + + +/label ~Feature +/cc @ironbank-notifications/feature \ No newline at end of file diff --git a/.gitlab/issue_templates/Leadership Question.md b/.gitlab/issue_templates/Leadership Question.md new file mode 100644 index 0000000000000000000000000000000000000000..4674f82f930085f34f51b4ecbb4d396519f53192 --- /dev/null +++ b/.gitlab/issue_templates/Leadership Question.md @@ -0,0 +1,7 @@ +## Leadership question + +(Detailed description of the question you'd like to ask the leadership team) + + +/label ~"Question::Leadership" ~"To Do" +/cc @ironbank-notifications/leadership \ No newline at end of file diff --git a/.gitlab/issue_templates/New Findings.md b/.gitlab/issue_templates/New Findings.md new file mode 100644 index 0000000000000000000000000000000000000000..068d029d89cb62dd4d4da5e03924c608172d97d6 --- /dev/null +++ b/.gitlab/issue_templates/New Findings.md @@ -0,0 +1,20 @@ +## Summary + +Container has new findings discovered during continuous monitoring. + + + +## Definition of Done +Justifications: +- [ ] All findings have been justified +- [ ] Justifications have been provided to the container hardening team + +Approval Process: +- [ ] Findings Approver has reviewed and approved all justifications +- [ ] Approval request has been sent to Authorizing Official +- [ ] Approval request has been processed by Authorizing Official + + + +/label ~"Container::New Findings" +/cc @ironbank-notifications/security \ No newline at end of file diff --git a/.gitlab/issue_templates/Onboarding Question.md b/.gitlab/issue_templates/Onboarding Question.md new file mode 100644 index 0000000000000000000000000000000000000000..77dea11e56c87d3fb65a1cf2ce7901621058f970 --- /dev/null +++ b/.gitlab/issue_templates/Onboarding Question.md @@ -0,0 +1,7 @@ +## Onboarding question + +(Detailed description of the question you'd like to ask the onboarding team) + + +/label ~"Question::Onboarding" ~"To Do" +/cc @ironbank-notifications/onboarding \ No newline at end of file diff --git a/.gitlab/issue_templates/Pipeline Failure.md b/.gitlab/issue_templates/Pipeline Failure.md new file mode 100644 index 0000000000000000000000000000000000000000..28b82a9454358a542efaa4b9c1c99542e3487fd6 --- /dev/null +++ b/.gitlab/issue_templates/Pipeline Failure.md @@ -0,0 +1,31 @@ +## Summary + +(Summarize the pipeline issue encountered concisely) + + +## Link to failed pipeline + +(Link to the failed pipeline) + + +## What is the current bug behavior? + +(What actually happens) + + +## What is the expected correct behavior? + +(What you should see instead) + + +## Possible fixes + +(If you can, link to the line of code that might be responsible for the problem) + + +## Definition of Done +- [ ] Pipeline failure has been resolved + + +/label ~Pipeline +/cc @ironbank-notifications/pipelines \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index e4d53bf4cca97a9f86e59531a868298e7db8151b..9e0ebbb5f8ef5e2d13b25a7a8ad39941f20bb6e3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/opensource/nginx/nginx ARG BASE_TAG=1.19.2 @@ -6,47 +6,41 @@ ARG BASE_TAG=1.19.2 # Down with the bloat FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} as extractor -ARG jitt_version=5.6.33 +ARG jitt_version=5.10.27 COPY /jitt-${jitt_version}.tar.gz / USER root -RUN mkdir -p /jitt \ - && tar -zxf /jitt-${jitt_version}.tar.gz -C /jitt +RUN mkdir --parents /jitt \ + && tar --extract --gzip --file=/jitt-${jitt_version}.tar.gz --directory=/jitt FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -ARG jitt_version=5.6.33 -ENV VENDOR=security-compass -LABEL name="SD Elements Just In Time Training (JITT) Container" \ - maintainer="devops-support@securitycompass.com" \ - vendor="Security Compass Ltd." \ - version="${jitt_version}" \ - release='1' \ - summary="SD Elements Automatically Builds In And Enables Compliance Throughout The Software Lifecycle." \ - description="SD Elements automatically identifies and classifies risks and translates complex requirements into actionable tasks that are assigned to your personnel to improve your security posture. It automates Risk Assessments, Threat Modeling, Secure Development, and Regulatory Compliance - at scale." +ARG jitt_version=5.10.27 + +LABEL type="ironbank" USER root RUN set -x \ - && dnf -y upgrade \ - && dnf -y install gettext \ + && dnf --assumeyes upgrade \ + && dnf --assumeyes install gettext \ && dnf clean all \ - && mkdir -p /var/nginx/proxy_temp \ - && mkdir -p /var/nginx/client_body_temp \ + && mkdir --parents /var/nginx/proxy_temp \ + && mkdir --parents /var/nginx/client_body_temp \ && chown nginx:root /var/nginx/proxy_temp \ && chown nginx:root /var/nginx/client_body_temp \ - && rm -f /etc/nginx/conf.d/* \ - && rm -f /etc/nginx/nginx.conf \ - && rm -f /var/log/nginx/access.log \ - && rm -f /var/log/nginx/error.log \ + && rm --force /etc/nginx/conf.d/* \ + && rm --force /etc/nginx/nginx.conf \ + && rm --force /var/log/nginx/access.log \ + && rm --force /var/log/nginx/error.log \ && groupadd --gid 49 www-data \ && usermod nginx --groups www-data \ && mkdir --mode 2775 --parents /etc/nginx /var/log/nginx /var/cache/nginx \ - ; chown --recursive www-data:www-data /etc/nginx \ - ; find /etc/nginx/ -type d -exec chmod g+rwx {} \; \ - ; chown --recursive nginx:www-data /var/log/nginx /var/cache/nginx + && chown --recursive nginx:www-data /etc/nginx \ + && find /etc/nginx/ -type d -exec chmod g+rwx {} \; \ + && chown --recursive nginx:www-data /var/log/nginx /var/cache/nginx COPY --from=extractor /jitt /jitt/ COPY /scripts/rtenvsub.sh /bin/rtenvsub.sh diff --git a/Jenkinsfile b/Jenkinsfile deleted file mode 100644 index 1f9f45ac91ecd5e0f13f00cb0f27d9235fdcd78e..0000000000000000000000000000000000000000 --- a/Jenkinsfile +++ /dev/null @@ -1,2 +0,0 @@ -@Library('DCCSCR@master') _ -dccscrPipeline(version: "5.6.33") diff --git a/README.md b/README.md index 3b0a85cb8d65b2c5fd6ce1283bd2a21c7ac124ad..03679e5142ca52e835e8e3082c6d0c62b6ca3bcd 100644 --- a/README.md +++ b/README.md @@ -7,29 +7,19 @@ This container hosts SDElements Just In Time Training (JITT) content using Nginx ## Local build -1. Download NGINX version 1.19.0 as a tarball from `https://dcar.dsop.io/repomap/opensource/nginx/nginx`. For this example, we will use `nginx-1.19.0.tar` as the file downloaded. - - Load the tarball into docker - - ```bash - docker load -i nginx-1.19.0.tar - ``` - -2. Download the memcached tarball defined in `download.yaml`. The URL below is used as an example. Note -the version of memcached, in this case `5.6.33` +1. Download the memcached tarball defined in `download.yaml`. The URL below is used as an example. Note +the version of memcached, in this case `5.10.27` ```bash - wget --http-user=user --ask-password https://tar.sdelements.com/pulp/isos/Default_Organization/Library/custom/sde/SDElements_Dependency_RPMs/jitt-5.6.33.tar.gz + wget --http-user=user --ask-password https://tar.sdelements.com/pulp/isos/Default_Organization/Library/custom/sde/SDElements_Dependency_RPMs/jitt-5.10.27.tar.gz ``` -3. Use this command to build locally: +2. Use this command to build locally: ```bash - export jitt_version='5.6.33' && \ + clear && \ + export jitt_version='5.10.27' && \ docker build . -t localhost/security-compass/jitt/nginx-jitt:"local" \ - --build-arg BASE_REGISTRY="registry1.dsop.io" \ - --build-arg BASE_IMAGE="ironbank/opensource/nginx/nginx" \ - --build-arg BASE_TAG="1.19.2" --build-arg jitt_version="${jitt_version}" ``` diff --git a/download.yaml b/download.yaml deleted file mode 100644 index 93bc8daaaacf5a5fe87019138b3783a5f0b0bbed..0000000000000000000000000000000000000000 --- a/download.yaml +++ /dev/null @@ -1,9 +0,0 @@ -resources: - - url: "https://tar.sdelements.com/pulp/isos/Default_Organization/Library/custom/sde/SDElements_Dependency_RPMs/jitt-5.6.33.tar.gz" - filename: "jitt-5.6.33.tar.gz" - validation: - type: sha256 - value: "472ad942998b0a444e51637ccf8bda039c475ee4f0bccc714bd620485bb2d631" - auth: - type: "basic" - id: "scompass-credential" diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000000000000000000000000000000000000..8fe81e64e948be029272a6480eff25b5e51c4906 --- /dev/null +++ b/hardening_manifest.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: v1 + +# The repository name in registry1, excluding /ironbank/ +name: "security-compass/jitt/nginx" + +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: +- "5.10.27" +- "latest" + +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "opensource/nginx/nginx" + BASE_TAG: "1.19.2" + +# Docker image labels +labels: + # Name of the image + org.opencontainers.image.title: "nginx" + # Human-readable description of the software packaged in the image + org.opencontainers.image.description: "SD Elements automatically identifies and classifies risks and translates complex requirements into actionable tasks that are assigned to your personnel to improve your security posture. It automates Risk Assessments, Threat Modeling, Secure Development, and Regulatory Compliance - at scale." + # License(s) under which contained software is distributed + org.opencontainers.image.licenses: "Commercial" + # URL to find more information on the image + org.opencontainers.image.url: "https://docs.sdelements.com" + # Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "Security Compass Ltd." + # Authoritative version of the software + org.opencontainers.image.version: "12.5" + # Keywords to help with search (ex. "cicd,gitops,golang") + mil.dso.ironbank.image.keywords: "nginx,webserver,jitt,training,security,appsec,code,secure" + # This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + # Product the image belongs to for grouping multiple images + mil.dso.ironbank.product.name: "security-compass/jitt" + +# List of resources to make available to the offline build context +resources: + - url: "https://tar.sdelements.com/pulp/isos/Default_Organization/Library/custom/sde/SDElements_Dependency_RPMs/jitt-5.10.27.tar.gz" + filename: "jitt-5.10.27.tar.gz" + validation: + type: sha256 + value: "0d8b0a681b56375e7943c050564cf55b15148320064b59d91307f4c0a234a2d0" + auth: + type: "basic" + id: "scompass-credential" + +# List of project maintainers +maintainers: +- name: "Hrdayesh Patel" + username: "hpatel" + email: "hpatel@securitycompass.com" +- name: "Matthew Chum" + username: "mchum" + email: "mchum@securitycompass.com" diff --git a/scripts/rtenvsub.sh b/scripts/rtenvsub.sh index 3377536042931a91b3910052bf05a9a04e7ebdd4..5ef3f8c1e68cb3fab67970f1c647167ee37455c6 100755 --- a/scripts/rtenvsub.sh +++ b/scripts/rtenvsub.sh @@ -256,7 +256,7 @@ function inotify_looper { echo "Filesystem object removed from source, removing from mirror" echo "Source: ${fs_object} Pipe: ${mirror_object}" if [ -f "${fs_object}" ] ; then - rm -f "${mirror_object}" + rm --force "${mirror_object}" elif [ -d "${fs_object}" ] ; then rmdir "${mirror_object}" fi @@ -324,7 +324,7 @@ function mirror_envsubst_paths { else for file in "${files[@]:-}"; do if ${dev_mode} ; then - add_on_sig "rm -f ${destination}${file#${full_path}}" + add_on_sig "rm --force ${destination}${file#${full_path}}" fi if ${nofifo} ; then render_file "${destination}" "${file}" "${full_path}" diff --git a/scripts/run_nginx.sh b/scripts/run_nginx.sh index 9ac6af8574e02ddf2ec85613b5f3c27ecb681fbd..4d30faf2154f47b8bdc6eb3e5b02a4e0ddc88c26 100755 --- a/scripts/run_nginx.sh +++ b/scripts/run_nginx.sh @@ -24,8 +24,7 @@ version='0.0.2' # Import the shell standard library source /bin/shtdlib_dccscr.sh - -# Dynamically figure add resolvers for nginx +# Dynamically add resolvers for nginx export NAMESERVERS="resolver $(grep nameserver /etc/resolv.conf | awk '{print $2}') valid=10s;" # Create config files @@ -40,5 +39,4 @@ done # Run nginx echo 'Starting nginx' -/usr/sbin/nginx -g 'daemon off;' || exit_on_fail -echo "Nginx exited with return code: ${?}" +exec /usr/sbin/nginx -g 'daemon off;' \ No newline at end of file