Why does 2F ask for Dockerfiles when containers are pushed?
We ask for Dockerfiles to aid our container hardening process. We use a set of scripts that strip most commands, users, and files that are not needed out of the base image. The Dockerfile tells us which users, files, and commands your container actually needs in order to run once hardened, which lets us get your containers to a secure but still functional state much faster.
Does an image go through the entire pipeline each time?
Each push runs through the pipeline, but every run after the first should be much easier. Instead of providing a justification for each vulnerability, you verify that the findings match what has already been approved and provide justifications only for anything new.
What does the Game Warden custom hardening process entail/include?
Custom hardening varies depending on what each container contains (databases, for example). In general, we use hardening scripts to remove all unnecessary files, users, and commands, which reduces the attack surface of your application and ensures it passes our pipeline checks (Anchore Enterprise, Prisma Cloud, security validations, linking, and so on).
The hardening scripts follow image hardening best practices. In general they:

- If the image has no dedicated non-root user, create one and adjust permissions so that it can run the specific scripts or commands the container needs.
- Remove unnecessary user accounts.
- Remove interactive login shells for every account except that user.
- Remove leftover temporary files generated by sed commands.
- Ensure system directories are owned by root and are not writable by other users.
- Remove existing crontabs.
- Remove kernel tunables (sysctl settings) and fstab, since a container does not need them.
- Remove all but a handful of administrative commands.
- Remove most executables, keeping only the ones the container needs (cat, bash, sh, ls, etc.; cd is a shell builtin and comes with sh/bash rather than as a separate binary).
- Remove broken symlinks.
After hardening, we work with you to confirm that the process did not break any application functionality and that everything still works as intended.
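To make the hardening steps above concrete, here is an added example of a hardening script of that shape. It is not 2F's actual tooling; it is illustrative code written for this page. It operates on a staged root filesystem passed as its argument (for example one copied out of an earlier build stage) rather than on the live root, so it can be dry-run and diffed before the result is copied into a final image. The user name `app`, the uid/gid 1001, the executable allow-list, the `/sbin/nologin` shell and the list of system directories are all assumptions.

```shell
#!/bin/sh
# Added example (not 2F's own scripts): a minimal hardening pass over a STAGED
# root filesystem. Every name, path and allow-list below is an assumption.
set -eu

APP_USER="${APP_USER:-app}"                        # only account that keeps a shell
KEEP_BINS="${KEEP_BINS:-sh bash cat ls nologin}"   # executables allowed to survive
NOLOGIN="/sbin/nologin"

# Create the dedicated non-root user if the image has none (uid/gid assumed).
# The account is for running the process, not for logging in, so no shadow entry.
ensure_app_user() {
  root="$1"
  grep -q "^$APP_USER:" "$root/etc/passwd" 2>/dev/null && return 0
  echo "$APP_USER:x:1001:1001::/home/$APP_USER:/bin/sh" >> "$root/etc/passwd"
  echo "$APP_USER:x:1001:" >> "$root/etc/group"
}

# Drop every account except root and the app user from passwd and shadow;
# of the survivors only the app user keeps an interactive shell.
prune_accounts() {
  root="$1"
  for f in passwd shadow; do
    file="$root/etc/$f"
    [ -f "$file" ] || continue
    awk -F: -v OFS=: -v app="$APP_USER" -v nologin="$NOLOGIN" '
      $1 != "root" && $1 != app { next }
      FILENAME ~ /passwd$/ && $1 != app { $7 = nologin }
      { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  done
}

# Remove every executable in a directory that is not on the allow-list.
prune_bins() {
  dir="$1"
  [ -d "$dir" ] || return 0
  for f in "$dir"/*; do
    [ -e "$f" ] || [ -L "$f" ] || continue        # empty dir: glob stays literal
    name=$(basename "$f")
    case " $KEEP_BINS " in
      *" $name "*) ;;                              # allow-listed: keep
      *) rm -f "$f" ;;
    esac
  done
}

# Cron, kernel tunables, fstab and leftover GNU sed -i temp files (sedXXXXXX)
# have no job inside a single-process container.
remove_host_config() {
  root="$1"
  rm -rf "$root"/etc/cron* "$root"/var/spool/cron
  rm -rf "$root"/etc/sysctl.conf "$root"/etc/sysctl.d
  rm -f "$root"/etc/fstab
  find "$root" -type f -name 'sed??????' -exec rm -f {} +
}

# System directories: owned by root (only possible when we run as root) and
# not writable by group or others. Deliberately not recursive, so writable
# application and tmp directories underneath are left alone.
lock_system_dirs() {
  root="$1"
  for d in bin sbin etc lib usr var; do
    [ -d "$root/$d" ] || continue
    [ "$(id -u)" -eq 0 ] && chown root:root "$root/$d"
    chmod go-w "$root/$d"
  done
}

# Remove symlinks whose target does not exist inside the staged root. Absolute
# targets are resolved against $root, not the build host; chains are followed
# one level only.
prune_broken_symlinks() {
  root="$1"
  find "$root" -type l | while IFS= read -r link; do
    target=$(readlink "$link")
    case "$target" in
      /*) target="$root$target" ;;
      *)  target="$(dirname "$link")/$target" ;;
    esac
    [ -e "$target" ] || rm -f "$link"
  done
}

main() {
  root="${1:-}"
  if [ -z "$root" ] || [ "$root" = "/" ]; then
    echo "usage: $0 /path/to/staged/rootfs (refusing to harden the live root)" >&2
    return 2
  fi
  ensure_app_user "$root"
  prune_accounts "$root"
  for d in bin usr/bin sbin usr/sbin; do prune_bins "$root/$d"; done
  remove_host_config "$root"
  lock_system_dirs "$root"
  prune_broken_symlinks "$root"
}

if [ "$#" -eq 1 ]; then main "$1"; fi
```

One way to use a script like this (again an assumption, not a documented 2F workflow) is a multi-stage Dockerfile: copy the application image's filesystem into a staging directory, run the script against that directory, and COPY the hardened tree into a final `FROM scratch` stage. Because everything outside the allow-list is removed, the first run will usually break something; that is exactly the point at which the Dockerfile and the "what does this container need" conversation above pay off.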