From cbb7d430063f3ad6e2a43527a7919a68b60374ef Mon Sep 17 00:00:00 2001 From: Joe Testa Date: Thu, 23 Mar 2023 23:43:52 -0400 Subject: [PATCH] Updated base image. Removed all suid & sgid bits from image. Drop root privileges by default. --- Dockerfile | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 357f63b..c358daa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,18 @@ -FROM python:3.9-slim +FROM python:3-slim WORKDIR / +# Remove suid & sgid bits from all files. +RUN find / -xdev -perm /6000 -exec chmod ug-s {} \; 2> /dev/null || true + +# Copy the ssh-audit code. COPY ssh-audit.py . COPY src/ . -ENTRYPOINT ["python3", "/ssh-audit.py"] - +# Allow listening on 2222/tcp for client auditing. EXPOSE 2222 + +# Drop root privileges. +USER nobody:nogroup + +ENTRYPOINT ["python3", "/ssh-audit.py"]