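# syntax=docker/dockerfile:1
# Warning - use of this unhardened image is not recommended for production use.
# This image is provided for backward compatibility, development and testing purposes only.
# For production use, please use the hardened image built with Alpine. This image attempts to
# treat a container as an operating system, which is an anti-pattern and a common source of
# security issues.
#
# The default Dockerfile/docker-compose image contains the following security improvements
# over the Debian image:
# - read-only filesystem
# - no sudo access
# - least possible permissions on all files and folders
# - Root user has all permissions revoked and is unused
# - Secure umask applied so files are owner-only by default
# - non-privileged user runs the application
# - no shell access for non-privileged users
# - no unnecessary packages or services
# - reduced capabilities
# - tmpfs for writable folders
# - healthcheck
# - no package managers
# - no compilers or build tools
# - no systemd, uses lightweight init system
# - no persistent storage except for config and db volumes
# - minimal image size due to segmented build stages
# - minimal base image (Alpine Linux)
# - minimal python environment (venv, no pip)
# - minimal stripped web server
# - minimal stripped php environment
# - minimal services (nginx, php-fpm, crond, no unnecessary services or service managers)
# - minimal users and groups (netalertx and readonly only, no others)
# - minimal permissions (read-only for most files and folders, write-only for necessary folders)
# - minimal capabilities (NET_ADMIN and NET_RAW only, no others)
# - minimal environment variables (only necessary ones, no others)
# - minimal entrypoint (only necessary commands, no others)
# - Uses the same base image as the development environment (Alpine Linux)
# - Uses the same services as the development environment (nginx, php-fpm, crond)
# - Uses the same environment variables as the development environment (only necessary ones, no others)
# - Uses the same file and folder structure as the development environment (only necessary ones, no others)
# NetAlertX is designed to be run as an unattended network security monitoring appliance, which means it
# should be able to operate without human intervention. Overall, the hardened image is designed to be as
# secure as possible while still being functional and is recommended because you cannot attack a surface
# that isn't there.
#
# Review notes for this (Debian) image, kept here so the Alpine image and
# install/install_dependecies.debian.sh can be compared against it:
# - There is no HEALTHCHECK in this file (the hardened image has one).
# - The image runs as the non-root ${USER} from the USER instruction onwards; every RUN above it is root.
# - Build-time package lists are removed inside the same RUN that created them so they do not
#   persist as image layers; every apt-get install is therefore preceded by its own apt-get update.

FROM debian:bookworm-slim

#TZ=Europe/London

# NetAlertX app directories.
# Each ENV that references an earlier variable stays in its own instruction: Docker resolves
# references within a single ENV instruction against the values from *before* that instruction.
ENV INSTALL_DIR=/app
ENV NETALERTX_APP=${INSTALL_DIR}
ENV NETALERTX_CONFIG=${NETALERTX_APP}/config
ENV NETALERTX_FRONT=${NETALERTX_APP}/front
ENV NETALERTX_SERVER=${NETALERTX_APP}/server
ENV NETALERTX_API=${NETALERTX_APP}/api
ENV NETALERTX_DB=${NETALERTX_APP}/db
ENV NETALERTX_DB_FILE=${NETALERTX_DB}/app.db
ENV NETALERTX_BACK=${NETALERTX_APP}/back
ENV NETALERTX_LOG=${NETALERTX_APP}/log
ENV NETALERTX_PLUGINS_LOG=${NETALERTX_LOG}/plugins

# NetAlertX log files (all under NETALERTX_LOG, which is already defined above, so one instruction is safe)
ENV LOG_IP_CHANGES=${NETALERTX_LOG}/IP_changes.log \
    LOG_APP=${NETALERTX_LOG}/app.log \
    LOG_APP_FRONT=${NETALERTX_LOG}/app_front.log \
    LOG_REPORT_OUTPUT_TXT=${NETALERTX_LOG}/report_output.txt \
    LOG_DB_IS_LOCKED=${NETALERTX_LOG}/db_is_locked.log \
    LOG_REPORT_OUTPUT_HTML=${NETALERTX_LOG}/report_output.html \
    LOG_STDERR=${NETALERTX_LOG}/stderr.log \
    LOG_APP_PHP_ERRORS=${NETALERTX_LOG}/app.php_errors.log \
    LOG_EXECUTION_QUEUE=${NETALERTX_LOG}/execution_queue.log \
    LOG_REPORT_OUTPUT_JSON=${NETALERTX_LOG}/report_output.json \
    LOG_STDOUT=${NETALERTX_LOG}/stdout.log \
    LOG_CROND=${NETALERTX_LOG}/crond.log

# System Services configuration files
ENV SYSTEM_SERVICES=/services
ENV SYSTEM_SERVICES_CONFIG=${SYSTEM_SERVICES}/config
# NOTE: the variable name below is spelled NGINIX; it is kept as-is because other files may read it.
ENV SYSTEM_NGINIX_CONFIG=${SYSTEM_SERVICES_CONFIG}/nginx
ENV SYSTEM_NGINX_CONFIG_FILE=${SYSTEM_NGINIX_CONFIG}/nginx.conf
ENV NETALERTX_CONFIG_FILE=${NETALERTX_CONFIG}/app.conf
ENV SYSTEM_SERVICES_PHP_FOLDER=${SYSTEM_SERVICES_CONFIG}/php
ENV SYSTEM_SERVICES_PHP_FPM_D=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.d
ENV SYSTEM_SERVICES_CROND=${SYSTEM_SERVICES_CONFIG}/crond
ENV SYSTEM_SERVICES_RUN=${SYSTEM_SERVICES}/run
ENV SYSTEM_SERVICES_RUN_TMP=${SYSTEM_SERVICES_RUN}/tmp
ENV SYSTEM_SERVICES_RUN_LOG=${SYSTEM_SERVICES_RUN}/logs
ENV PHP_FPM_CONFIG_FILE=${SYSTEM_SERVICES_PHP_FOLDER}/php-fpm.conf

# Python environment
ENV PYTHONPATH=${NETALERTX_SERVER}
ENV PYTHONUNBUFFERED=1
ENV VIRTUAL_ENV=/opt/venv
ENV VIRTUAL_ENV_BIN=/opt/venv/bin
ENV PATH="${VIRTUAL_ENV}/bin:${PATH}:/services"
ENV VENDORSPATH=/app/back/ieee-oui.txt
ENV VENDORSPATH_NEWEST=/services/run/tmp/ieee-oui.txt

# App Environment (none of these reference each other, so one instruction is safe)
ENV LISTEN_ADDR=0.0.0.0 \
    PORT=20211 \
    NETALERTX_DEBUG=0

# Container environment
ENV ENVIRONMENT=debian \
    USER=netalertx \
    USER_ID=1000 \
    USER_GID=1000

# Todo, figure out why using a workdir instead of full paths don't work
# Todo, do we still need all these packages? I can already see sudo which isn't needed

# Create the application user and group with a fixed numeric uid/gid, then add root and
# www-data to that group so they can read/write the application files and db.
RUN groupadd --gid "${USER_GID}" "${USER}" && \
    useradd \
      --uid "${USER_ID}" \
      --gid "${USER_GID}" \
      --create-home \
      --shell /bin/bash \
      "${USER}" && \
    usermod -a -G "${USER_GID}" root && \
    usermod -a -G "${USER_GID}" www-data

# Service configuration and the full build context are copied owned by the app user.
# The second COPY takes the whole context: keep .dockerignore in sync so that
# .git, local config and anything with credentials never enter the image.
COPY --chmod=775 --chown=${USER_ID}:${USER_GID} install/production-filesystem/ /
COPY --chmod=775 --chown=${USER_ID}:${USER_GID} . ${INSTALL_DIR}/

# ❗ IMPORTANT - if you modify this file modify the /install/install_dependecies.debian.sh file as well ❗
# Package order is kept identical to that script on purpose so the two can be diffed.
# apt-get (not apt) is used because apt has no stable CLI for scripts; the package lists are
# removed in the same layer so they do not become part of the image.
RUN apt-get update && apt-get install -y \
      tini snmp ca-certificates curl libwww-perl arp-scan sudo gettext-base \
      nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools \
      python3 python3-dev iproute2 nmap python3-pip zip git systemctl usbutils traceroute nbtscan openrc \
      busybox nginx nginx-core mtr python3-venv && \
    rm -rf /var/lib/apt/lists/*

# While php8.3 is in debian bookworm repos, php-fpm is not included so we need to add sury.org repo
# (Ondřej Surý maintains php packages for debian. This is temp until debian includes php-fpm in their
# repos. Likely it will be in Debian Trixie.). This keeps the image up-to-date with the alpine version.
#
# The sury signing key is stored in its own keyring and bound to that one repository with
# [signed-by=...] instead of being dropped into /etc/apt/trusted.gpg.d/, where it would be
# trusted for every configured repository. The key is fetched over HTTPS (ca-certificates is
# installed above) but its fingerprint is not pinned here - TODO: verify it against the
# fingerprint published by the repository maintainer.
RUN apt-get update && apt-get install -y --no-install-recommends \
      apt-transport-https \
      ca-certificates \
      lsb-release \
      wget && \
    install -d -m 0755 /etc/apt/keyrings && \
    wget -O /etc/apt/keyrings/php.gpg https://packages.sury.org/php/apt.gpg && \
    echo "deb [signed-by=/etc/apt/keyrings/php.gpg] https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list && \
    apt-get update && \
    apt-get install -y php8.3-fpm php8.3-cli php8.3-sqlite3 php8.3-common php8.3-curl php8.3-cgi && \
    ln -s /usr/sbin/php-fpm8.3 /usr/sbin/php-fpm83 && \
    rm -rf /var/lib/apt/lists/*
# The php-fpm83 symlink makes the binary name match the alpine version.

# Setup virtual python environment and use pip3 to install packages.
# --no-cache-dir keeps the pip download cache out of the image layer.
RUN python3 -m venv ${VIRTUAL_ENV} && \
    /bin/bash -c "source ${VIRTUAL_ENV_BIN}/activate && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 && pip3 install --no-cache-dir -r ${INSTALL_DIR}/requirements.txt"

# Configure php-fpm: the service tree is owned by the app user, the pool socket is made
# world-writable (0666) so nginx and php-fpm, which run as different users, can both use it,
# and the pool runs as the app user/group.
RUN chmod -R 755 /services && \
    chown -R ${USER}:${USER_GID} /services && \
    sed -i 's/^;listen.mode = .*/listen.mode = 0666/' ${SYSTEM_SERVICES_PHP_FPM_D}/www.conf && \
    printf "user = %s\ngroup = %s\n" "${USER}" "${USER_GID}" >> ${SYSTEM_SERVICES_PHP_FPM_D}/www.conf

# Create a buildtimestamp.txt to later check if a new version was released.
# Kept as the last RUN because its value changes on every build and invalidates all later layers.
RUN date +%s > ${INSTALL_DIR}/front/buildtimestamp.txt

# Everything from here on runs as the non-privileged application user.
USER netalertx:netalertx

ENTRYPOINT ["/bin/bash","/entrypoint.sh"]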