Hardening Image for Gluu Janssen

Hardening Image for Gluu/Janssen

Ideas

1 - Prevent reverse shell by removing access to `sh`

As we are using alpine-based image which uses busybox applets (for example sh is a shortcut to busybox sh command, there are several ways to remove shell

1.1 - Use custom busybox

Pros

Only include required busybox applets or simply remove unwanted applet, i.e. sh

Cons

Need to compile a customized busybox within custom alpine image

1.2 - Uninstall `busybox` before `ENTRYPOINT`/`CMD` directive

Pros

No need to build/use custom alpine image

Cons

Since busybox is uninstalled, all applets will not be available, this includes tools for troubleshoot (i.e. cat, ls, netstat, etc.)

Things to consider:

Some image entrypoints are shell script that sometime spawn multiple Python / Java / shell commands; this requires refactoring for example using supervisor (Python-based tool) to manage processes
...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hardening Image for Gluu Janssen

Hardening Image for Gluu/Janssen

Ideas

1 - Prevent reverse shell by removing access to `sh`

1.1 - Use custom busybox

1.2 - Uninstall `busybox` before `ENTRYPOINT`/`CMD` directive

Clone this wiki locally

Hardening Image for Gluu Janssen

Hardening Image for Gluu/Janssen

Ideas

1 - Prevent reverse shell by removing access to sh

1.1 - Use custom busybox

1.2 - Uninstall busybox before ENTRYPOINT/CMD directive

Clone this wiki locally

1 - Prevent reverse shell by removing access to `sh`

1.2 - Uninstall `busybox` before `ENTRYPOINT`/`CMD` directive