tweaking, hardening

docker/glastopf/Dockerfile

@@ -12,7 +12,6 @@ RUN apk -U --no-cache add autoconf \
                git \
                libffi \
                libffi-dev \
-               libcap \
                make \
                py-asn1 \
                py-cffi \
@@ -67,7 +66,6 @@ RUN apk -U --no-cache add autoconf \
     python setup.py install && \
     cd / && \
     rm -rf /opt/glastopf /tmp/* /var/tmp/* && \
-    setcap cap_net_bind_service=+ep /usr/bin/glastopf-runner && \
 
 # Setup user, groups and configs
     addgroup -g 2000 glastopf && \
@@ -86,5 +84,5 @@ RUN apk -U --no-cache add autoconf \
     rm -rf /var/cache/apk/*
 
 # Set workdir and start glastopf
-WORKDIR /opt/glastopf/
+WORKDIR /tmp/glastopf/
-CMD ["glastopf-runner"]
+CMD cp /opt/glastopf/glastopf.cfg /tmp/glastopf && glastopf-runner

docker/glastopf/docker-compose.yml

@@ -9,12 +9,17 @@ services:
   glastopf:
     build: .
     container_name: glastopf
+    environment:
+      - PYTHON_EGG_CACHE=/tmp/glastopf
+    tmpfs:
+      - /tmp/glastopf:exec
     restart: always
     networks:
      - glastopf_local
     ports:
      - "80:80"
     image: "dtagdevsec/glastopf:1804"
+    read_only: true
     volumes:
      - /data/glastopf/db:/opt/glastopf/db
      - /data/glastopf/log:/opt/glastopf/log

docker/heralding/Dockerfile

@@ -22,14 +22,14 @@ RUN apk -U upgrade && \
     cd /opt/ && \
     git clone https://github.com/johnnykv/heralding && \
     cd heralding && \
-    mv /root/dist/heralding.yml /opt/heralding/ && \
     pip3 install -r requirements.txt && \
     pip3 install heralding && \
 
 # Setup user, groups and configs
     addgroup -g 2000 heralding && \
     adduser -S -H -s /bin/bash -u 2000 -D -g 2000 heralding && \
-    mkdir -p /var/log/heralding/ && \
+    mkdir -p /var/log/heralding/ /etc/heralding && \
+    mv /root/dist/heralding.yml /etc/heralding/ && \
 
 # Clean up
     apk del --purge \
@@ -45,5 +45,5 @@ RUN apk -U upgrade && \
     rm -rf /var/cache/apk/*
 
 # Start elasticpot
-WORKDIR /opt/heralding/
+WORKDIR /tmp/heralding/
-CMD ["heralding","-l","/var/log/heralding/heralding.log"]
+CMD ["heralding","-c","/etc/heralding/heralding.yml","-l","/var/log/heralding/heralding.log"]

docker/heralding/docker-compose.yml

@@ -10,6 +10,10 @@ services:
     build: .
     container_name: heralding
     restart: always
+    environment:
+      - PYTHON_EGG_CACHE=/tmp/heralding
+    tmpfs:
+      - /tmp/heralding:exec
     networks:
      - heralding_local
     ports:
@@ -26,5 +30,6 @@ services:
      - "5432:5432"
      - "5900:5900"
     image: "dtagdevsec/heralding:1804"
+    read_only: true
     volumes:
      - /data/heralding/log:/var/log/heralding

docker/mailoney/Dockerfile

@@ -43,6 +43,6 @@ RUN apk -U upgrade && \
     rm -rf /var/cache/apk/*
 
 # Set workdir and start glastopf
-USER mailoney
+USER mailoney:mailoney
 WORKDIR /opt/mailoney/
 CMD ["/usr/bin/python","mailoney.py","-i","0.0.0.0","-p","2525","-s","mailserver","-t","schizo_open_relay"]

docker/mailoney/docker-compose.yml

@@ -15,5 +15,6 @@ services:
     ports:
      - "25:2525"
     image: "dtagdevsec/mailoney:1804"
+    read_only: true
     volumes:
      - /data/mailoney/log:/opt/mailoney/logs

docker/netdata/Dockerfile

@@ -59,4 +59,5 @@ HEALTHCHECK --retries=10 CMD curl -s -XGET 'http://127.0.0.1:64301'
 
 # Start netdata 
 WORKDIR /
+USER netdata:netdata
 CMD ["/usr/sbin/netdata","-D","-s","/host","-i","127.0.0.1","-p","64301"]

docker/nginx/docker-compose.yml

@@ -22,6 +22,6 @@ services:
     image: "dtagdevsec/nginx:1804"
     read_only: true
     volumes:
-     - /data/nginx/cert/:/etc/nginx/cert/
+     - /data/nginx/cert/:/etc/nginx/cert/:ro
-     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd
+     - /data/nginx/conf/nginxpasswd:/etc/nginx/nginxpasswd:ro
      - /data/nginx/log/:/var/log/nginx/