removed checksec.sh, fix README accordingly

Ricard Bejarano 2019-06-19 08:42:59 +02:00
parent 72b7357421
commit b5462191a3
No known key found for this signature in database
GPG key ID: 5A5105DD6B91CA19
2 changed files with 7 additions and 133 deletions


@ -23,88 +23,23 @@ Available on [Quay](https://quay.io) as:
## Features ## Features
* Super tiny (`glibc`-based is `~13.2MB` and `musl`-based is `~12.5MB`) * Super tiny (`glibc`-based is `~13.2MB` and `musl`-based is `~12.5MB`)
* Built from source, including libraries * Compiled from source during build time
* Built `FROM scratch`, see the [Filesystem](#filesystem) section below for an exhaustive list of the image's contents * Built `FROM scratch`, see [Filesystem](#filesystem) for an exhaustive list of the image's contents
* Reduced attack surface (no `bash`, no UNIX tools, no package manager...) * Reduced attack surface (no shell, no UNIX tools, no package manager...)
* Built with exploit mitigations enabled (see [Security](#security)) * Built with binary exploit mitigations enabled
## Configuration ## Configuration
### Volumes ### Volumes
- Bind your **configuration file** at `/etc/nginx/nginx.conf`. - Bind your **configuration** at `/etc/nginx/nginx.conf`.
## Building ## Building
To build the `glibc`-based image: - To build the `glibc`-based image: `$ docker build -t nginx:glibc -f glibc/Dockerfile .`
- To build the `musl`-based image: `$ docker build -t nginx:musl -f musl/Dockerfile .`
```bash
docker build -t nginx:glibc -f glibc/Dockerfile .
```
To build the `musl`-based image:
```bash
docker build -t nginx:musl -f musl/Dockerfile .
```
## Security
This image attempts to build a secure NGINX container image.
It does so by the following ways:
- downloading and verifying the source code of NGINX and every library it is built with,
- packaging the image with only those files required during runtime (see [Filesystem](#filesystem)),
- by enforcing a series of exploit mitigations (PIE, full RELRO, full SSP, NX and Fortify)
### Verifying the presence of exploit mitigations
To check whether a binary in a container image has those mitigations enabled, use [tests/checksec.sh](https://github.com/ricardbejarano/nginx/blob/master/tests/checksec.sh).
#### Usage
```
usage: checksec.sh docker_image executable_path
Container-based wrapper for checksec.sh.
Requires a running Docker daemon.
Example:
$ checksec.sh ricardbejarano/nginx:glibc /nginx
Extracts the '/nginx' binary from the 'ricardbejarano/nginx:glibc' image,
downloads checksec (github.com/slimm609/checksec.sh) and runs it on the
binary.
Everything runs inside containers.
```
#### Example:
Testing the `/nginx` binary in `ricardbejarano/nginx:glibc`:
```
$ bash tests/checksec.sh ricardbejarano/nginx:glibc /nginx
Downloading ricardbejarano/nginx:glibc...Done!
Extracting ricardbejarano/nginx:glibc:/nginx...Done!
Downloading checksec.sh...Done!
Running checksec.sh:
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 11570 Symbols Yes 0 34 /tmp/.checksec-ui8eKi3Q
Cleaning up...Done!
```
This wrapper script works with any binary in a container image. Feel free to use it with any other image.
Other examples:
- `bash tests/checksec.sh debian /bin/bash`
- `bash tests/checksec.sh alpine /bin/sh`
- `bash tests/checksec.sh nginx /usr/sbin/nginx`
## Filesystem ## Filesystem
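Review bot: the new feature line `* Built with binary exploit mitigations enabled` drops the `(see [Security](#security))` link, and the rest of this hunk deletes the Security section that actually named the mitigations (PIE, full RELRO, full SSP, NX and Fortify) and the statement that the NGINX and library sources are verified before the build; after this change the README asserts mitigations without saying which ones or how a reader can confirm them. Suggest keeping a one-line enumeration in the feature list, e.g. `* Built with binary exploit mitigations enabled (PIE, full RELRO, SSP, NX, Fortify)`, plus a short pointer that they can be checked by running upstream checksec (github.com/slimm609/checksec.sh) against the extracted `/nginx` binary, since the wrapper that did exactly that is removed in the same commit. Minor: the reworked Building bullets embed the `$ ` prompt inside the inline commands (`$ docker build -t nginx:glibc -f glibc/Dockerfile .`), which readers copy along with the command; the fenced blocks being removed did not have it.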


@ -1,61 +0,0 @@
#!/bin/bash
usage() {
echo "usage: checksec.sh docker_image executable_path"
echo ""
echo "Container-based wrapper for checksec.sh."
echo "Requires a running Docker daemon."
echo ""
echo "Example:"
echo ""
echo " $ checksec.sh ricardbejarano/nginx:glibc /nginx"
echo ""
echo " Extracts the '/nginx' binary from the 'ricardbejarano/nginx:glibc' image,"
echo " downloads checksec (github.com/slimm609/checksec.sh) and runs it on the"
echo " binary."
echo " Everything runs inside containers."
exit 1
}
checksec() {
printf "Downloading %s..." "$1"
docker pull "$1" >/dev/null
echo "Done!"
printf "Extracting %s:%s..." "$1" "$2"
image_container="$(docker create "$1")"
executable_file="$(mktemp .checksec-XXXXXXXX)"
docker cp "$image_container":"$2" "$executable_file"
docker rm "$image_container" >/dev/null
echo "Done!"
printf "Downloading checksec.sh..."
docker run \
--interactive \
--tty \
--rm \
--volume "$PWD/$executable_file:/tmp/$executable_file" \
debian \
bash \
-c "\
apt update &>/dev/null && \
apt install -y curl file procps binutils openssl &>/dev/null && \
curl \
--silent \
--show-error \
--output /bin/checksec \
https://raw.githubusercontent.com/slimm609/checksec.sh/b8231ce02c0b20ace7ab6ea0bc1a5e4a1b497212/checksec && \
chmod +x /bin/checksec && \
echo 'Done!' && \
echo 'Running checksec.sh:' && \
checksec -f /tmp/$executable_file"
printf "Cleaning up..."
rm -f "$executable_file"
echo "Done!"
exit 0
}
if [ -z "$2" ]; then usage; fi
checksec "$1" "$2"
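Review bot: deleting this wrapper removes the only documented way to verify the mitigations the README still advertises, so either the README should point users at upstream checksec directly or a CI job should take over the check. If a replacement is planned, the one property of the removed script worth carrying over is the pinned checksec revision in the `curl ... https://raw.githubusercontent.com/slimm609/checksec.sh/b8231ce02c0b20ace7ab6ea0bc1a5e4a1b497212/checksec` line, which kept the verification reproducible. A replacement should not inherit the script's other problems: `docker run --interactive --tty` fails when stdin is not a terminal (any CI runner), `mktemp .checksec-XXXXXXXX` creates the temporary file in the current directory so the `--volume "$PWD/$executable_file:/tmp/$executable_file"` bind only works when invoked from that directory, there is no `set -e` so a failed `docker cp` still proceeds to run checksec on an empty file, and `apt install ... &>/dev/null` hides the errors that would explain a missing `file` or `readelf` in the helper container.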