diff --git a/README.md b/README.md index ead3e1a..f8f6248 100644 --- a/README.md +++ b/README.md 
@@ -23,88 +23,23 @@ Available on [Quay](https://quay.io) as: ## Features * Super tiny (`glibc`-based is `~13.2MB` and `musl`-based is `~12.5MB`) -* Built from source, including libraries -* Built `FROM scratch`, see the [Filesystem](#filesystem) section below for an exhaustive list of the image's contents -* Reduced attack surface (no `bash`, no UNIX tools, no package manager...) -* Built with exploit mitigations enabled (see [Security](#security)) +* Compiled from source during build time +* Built `FROM scratch`, see [Filesystem](#filesystem) for an exhaustive list of the image's contents +* Reduced attack surface (no shell, no UNIX tools, no package manager...) +* Built with binary exploit mitigations enabled ## Configuration ### Volumes -- Bind your **configuration file** at `/etc/nginx/nginx.conf`. +- Bind your **configuration** at `/etc/nginx/nginx.conf`. ## Building -To build the `glibc`-based image: - -```bash -docker build -t nginx:glibc -f glibc/Dockerfile . -``` - -To build the `musl`-based image: - -```bash -docker build -t nginx:musl -f musl/Dockerfile . -``` - - -## Security - -This image attempts to build a secure NGINX container image. - -It does so by the following ways: - -- downloading and verifying the source code of NGINX and every library it is built with, -- packaging the image with only those files required during runtime (see [Filesystem](#filesystem)), -- by enforcing a series of exploit mitigations (PIE, full RELRO, full SSP, NX and Fortify) - -### Verifying the presence of exploit mitigations - -To check whether a binary in a container image has those mitigations enabled, use [tests/checksec.sh](https://github.com/ricardbejarano/nginx/blob/master/tests/checksec.sh). - -#### Usage - -``` -usage: checksec.sh docker_image executable_path - -Container-based wrapper for checksec.sh. -Requires a running Docker daemon. 
- -Example: - - $ checksec.sh ricardbejarano/nginx:glibc /nginx - - Extracts the '/nginx' binary from the 'ricardbejarano/nginx:glibc' image, - downloads checksec (github.com/slimm609/checksec.sh) and runs it on the - binary. - Everything runs inside containers. -``` - -#### Example: - -Testing the `/nginx` binary in `ricardbejarano/nginx:glibc`: - -``` -$ bash tests/checksec.sh ricardbejarano/nginx:glibc /nginx -Downloading ricardbejarano/nginx:glibc...Done! -Extracting ricardbejarano/nginx:glibc:/nginx...Done! -Downloading checksec.sh...Done! -Running checksec.sh: -RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE -Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 11570 Symbols Yes 0 34 /tmp/.checksec-ui8eKi3Q -Cleaning up...Done! -``` - -This wrapper script works with any binary in a container image. Feel free to use it with any other image. - -Other examples: - -- `bash tests/checksec.sh debian /bin/bash` -- `bash tests/checksec.sh alpine /bin/sh` -- `bash tests/checksec.sh nginx /usr/sbin/nginx` +- To build the `glibc`-based image: `$ docker build -t nginx:glibc -f glibc/Dockerfile .` +- To build the `musl`-based image: `$ docker build -t nginx:musl -f musl/Dockerfile .` ## Filesystem diff --git a/tests/checksec.sh b/tests/checksec.sh deleted file mode 100644 index 850977c..0000000 --- a/tests/checksec.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash - -usage() { - echo "usage: checksec.sh docker_image executable_path" - echo "" - echo "Container-based wrapper for checksec.sh." - echo "Requires a running Docker daemon." - echo "" - echo "Example:" - echo "" - echo " $ checksec.sh ricardbejarano/nginx:glibc /nginx" - echo "" - echo " Extracts the '/nginx' binary from the 'ricardbejarano/nginx:glibc' image," - echo " downloads checksec (github.com/slimm609/checksec.sh) and runs it on the" - echo " binary." - echo " Everything runs inside containers." - exit 1 -} - -checksec() { - printf "Downloading %s..." "$1" - docker pull "$1" >/dev/null - echo "Done!" - - printf "Extracting %s:%s..." "$1" "$2" - image_container="$(docker create "$1")" - executable_file="$(mktemp .checksec-XXXXXXXX)" - docker cp "$image_container":"$2" "$executable_file" - docker rm "$image_container" >/dev/null - echo "Done!" - - printf "Downloading checksec.sh..." - docker run \ - --interactive \ - --tty \ - --rm \ - --volume "$PWD/$executable_file:/tmp/$executable_file" \ - debian \ - bash \ - -c "\ - apt update &>/dev/null && \ - apt install -y curl file procps binutils openssl &>/dev/null && \ - curl \ - --silent \ - --show-error \ - --output /bin/checksec \ - https://raw.githubusercontent.com/slimm609/checksec.sh/b8231ce02c0b20ace7ab6ea0bc1a5e4a1b497212/checksec && \ - chmod +x /bin/checksec && \ - echo 'Done!' && \ - echo 'Running checksec.sh:' && \ - checksec -f /tmp/$executable_file" - - printf "Cleaning up..." - rm -f "$executable_file" - echo "Done!" - - exit 0 -} - -if [ -z "$2" ]; then usage; fi -checksec "$1" "$2"
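Review bot: In the README hunk, the feature list still advertises "Built with binary exploit mitigations enabled", but the hunk deletes the `(see [Security](#security))` link, the whole `## Security` section and the "Verifying the presence of exploit mitigations" instructions, so the claim is left with no way for a reader to check it and the `#security` anchor no longer resolves. The same hunk replaces "downloading and verifying the source code of NGINX and every library it is built with" with the weaker "Compiled from source during build time", which drops the statement that sources are verified; if the build still verifies them, keep one sentence saying so, and keep at least a one-line pointer to how the mitigations (PIE, full RELRO, full SSP, NX, Fortify) can be confirmed. Minor: the new inline build commands embed the `$ ` prompt inside the backticks (`` `$ docker build -t nginx:glibc -f glibc/Dockerfile .` ``), which breaks copy-and-paste; the previous fenced blocks without the prompt were easier to use.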
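Review bot: Deleting `tests/checksec.sh` outright removes the only automated check backing the mitigation claim the README keeps; if the script is going because of its shortcomings, replacing it would be better than dropping it. The visible shortcomings are real: the function ends in an unconditional `exit 0`, so a failed `docker pull`, `docker cp` or `docker run` still returns success (there is no `set -e` either); `docker run --interactive --tty` will fail in a non-interactive CI job; and `mktemp .checksec-XXXXXXXX` creates the extracted binary in the current directory and then mounts it via `"$PWD/$executable_file"`, which only works when the script is run from a writable directory. On the positive side, the `curl` fetch pins `slimm609/checksec.sh` to a specific commit, which is the right supply-chain choice and worth preserving in any replacement. Suggest keeping the check as a CI step (same pinned checksec commit, no `--tty`, propagate the exit status) rather than removing verification entirely.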