Update apline harden image (#5)

* update readme * update version and harden image
cloudina · Aug 9, 2022 · aadd616 · aadd616
1 parent d249024
commit aadd616
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 16 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,8 @@
-FROM golang:1.16.7-alpine AS builder
+FROM golang:1.19-alpine3.16 AS builder
 
 RUN apk update upgrade;
 
-ENV YARA 4.1.1
+ENV YARA 4.2.3
 
 # Install Yara
 RUN apk --update add --no-cache openssl file bison jansson ca-certificates
@@ -45,27 +45,29 @@ RUN go build -o /go/bin/hawk
 
 RUN git clone https://github.com/Yara-Rules/rules.git /rules
 
-FROM alpine:latest
+FROM alpine:3.16
 
 # Update
-RUN apk update upgrade;
+RUN apk update upgrade
 
 # Install git
-RUN apk add git
-
-RUN apk add --no-cache libc6-compat
+RUN apk --update add --no-cache  \
+    git \
+    libc6-compat \
+    tzdata
 
 # Set timezone to Europe/Zurich
-RUN apk add tzdata
 RUN ln -s /usr/share/zoneinfo/Europe/London /etc/localtime
 
 # Install ClamAV
-RUN apk --no-cache add clamav clamav-libunrar \
+RUN apk --update add --no-cache clamav clamav-libunrar \
     && mkdir /run/clamav \
     && chown clamav:clamav /run/clamav \
     && chown -R clamav:clamav /var/lib/clamav/
 
-RUN apk add jansson libmagic
+RUN apk --update add --no-cache  \
+    jansson \
+    libmagic
 
 COPY config/clamd.conf /etc/clamav/clamd.conf
 COPY config/freshclam.conf /etc/clamav/freshclam.conf
@@ -87,7 +89,8 @@ ENV INDEXES -i /rules/malware_index.yar
 
 ENV NO_OF_CHECKS_FOR_DB_UPDATE=24
 
-RUN addgroup -S hawkgroup && adduser -S -H -G hawkgroup hawkuser 
+RUN addgroup --gid 10001 --system hawkgroup \
+ && adduser  --uid 10000 --system --ingroup hawkgroup --home /home/hawkuser hawkuser
 
 RUN chmod -R +r /rules
 RUN chown -R  hawkuser:hawkgroup /usr/bin/hawk
@@ -101,6 +104,10 @@ RUN chown -R  hawkuser:hawkgroup /var/log/clamav/
 RUN chown -R  hawkuser:hawkgroup /run/clamav/
 RUN chown -R  hawkuser:hawkgroup /var/lib/clamav/
 
-USER hawkuser
+RUN apk add --no-cache tini
+
+ENTRYPOINT ["/sbin/tini", "--", "entrypoint.sh"]
 
-ENTRYPOINT [ "entrypoint.sh" ]
+RUN apk add --no-cache bind-tools
+
+USER hawkuser
diff --git a/README.md b/README.md
@@ -57,15 +57,15 @@ Test that service detects common test virus signature:
 
 **HTTP**
 ```bash
-$  curl --data "@./test/s3filescan" http://0.0.0.0:9000/s3/scanfile -H 'Content-Type: application/json'
+$  curl --data "@./testsamples/scanfiles/s3filescan" http://0.0.0.0:9000/s3/scanfile -H 'Content-Type: application/json'
 
 {"filename":"stream","matches":[{"Rule":"Win.Test.EICAR_HDB-1","namespace":"","tags":null}],"status":"INFECTED"}%                                   
 
-$  curl --data "@./test/eicar" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'
+$  curl --data "@./testsamples/scanfiles/eicar" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'
 
 {"filename":"stream","matches":[{"Rule":"Win.Test.EICAR_HDB-1","namespace":"","tags":null}],"status":"INFECTED"}                           
 
-$ curl --data "@./test/hello.txt" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'
+$ curl --data "@./testsamples/scanfiles/hello.txt" http://0.0.0.0:9000/scanstream -H 'Content-Type: application/json'
 
 {"filename":"stream","matches":[],"status":"CLEAN"}