2023-05-25 14:18:12 +02:00
|
|
|
Installing recommended packages automatically can lead to vulnerabilities in the
|
|
|
|
|
Docker image.
|
2023-02-07 11:30:23 +01:00
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
Potentially unnecessary packages are installed via a known Debian package
|
|
|
|
|
manager. These packages will increase the attack surface of the created
|
|
|
|
|
container as they might contain unidentified vulnerabilities or malicious code.
|
|
|
|
|
Those packages could be used as part of a broader supply chain attack.
|
|
|
|
|
In general, the more packages are installed in a container, the weaker its
|
|
|
|
|
security posture is. +
|
|
|
|
|
Depending on the introduced vulnerabilities, a malicious actor accessing such a
|
|
|
|
|
container could use these for privilege escalation. +
|
|
|
|
|
Removing unused packages can also significantly reduce your Docker image size.
|
|
|
|
|
|
|
|
|
|
To be secure, remove unused packages where possible and ensure images are
|
|
|
|
|
subject to routine vulnerability scans.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Ask Yourself Whether
|
|
|
|
|
|
|
|
|
|
* Container vulnerability scans are not performed.
|
|
|
|
|
|
|
|
|
|
There is a risk if you answered yes to the question.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
|
|
|
|
|
|
* Avoid installing package dependencies that are not strictly required.
|
2023-02-07 11:30:23 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
== Sensitive Code Example
|
|
|
|
|
|
|
|
|
|
[source,docker]
|
|
|
|
|
----
|
2023-07-20 16:08:52 +02:00
|
|
|
FROM debian:latest
|
|
|
|
|
|
2023-02-07 11:30:23 +01:00
|
|
|
# Sensitive
|
|
|
|
|
RUN apt install -y build-essential
|
|
|
|
|
|
|
|
|
|
# Sensitive
|
|
|
|
|
RUN apt-get install -y build-essential
|
|
|
|
|
|
|
|
|
|
# Sensitive
|
|
|
|
|
RUN aptitude install -y build-essential
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
|
|
|
|
[source,docker]
|
|
|
|
|
----
|
2023-07-20 16:08:52 +02:00
|
|
|
FROM debian:latest
|
|
|
|
|
|
2023-02-07 11:30:23 +01:00
|
|
|
RUN apt install -y --no-install-recommends build-essential
|
|
|
|
|
|
|
|
|
|
RUN apt-get install -y --no-install-recommends build-essential
|
|
|
|
|
|
|
|
|
|
RUN aptitude install -y --without-recommends build-essential
|
|
|
|
|
----
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
== See
|
|
|
|
|
|
|
|
|
|
* https://www.debian.org/doc/debian-policy/ch-relationships.html[Debian Documentation] - Binary Dependencies
|
|
|
|
|
* https://ubuntu.com/blog/we-reduced-our-docker-images-by-60-with-no-install-recommends[Ubuntu Blog] - Container size reduction
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
== Message
|
|
|
|
|
|
|
|
|
|
* Make sure automatically installing recommended packages is safe here.
|
|
|
|
|
|
|
|
|
|
== Highlighting
|
|
|
|
|
|
|
|
|
|
Highlight the entire package manager statement.
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|
2023-02-07 11:30:23 +01:00
|
|
|
|
