Docker Hub Ubuntu Official Container Image (Ubuntu:20.04) Having CIS Compliance Issues (Criticality: Serious). Two issues, as below, and we’d like to know when these issues will be fixed in the official image? Or are there any workarounds available today to avoid these CIS compliance issues?
| Criticality | Statement | Rationale |
|---|---|---|
| SERIOUS | Status of the ADD instructions in Dockerfile | The ADD instruction could potentially retrieve files from remote URLs and perform operations such as unpacking them. The ADD instruction therefore introduces security risks. For example, malicious files may be directly accessed from URLs without scanning, or there may be vulnerabilities associated with decompressing them. The COPY instruction can be used instead of the ADD instruction, since it simply copies files from the local host machine to the container file system. |
| MEDIUM | Status of the HEALTHCHECK setting for the Docker Images | Adding a HEALTHCHECK instruction to a container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that the instances are still working. Based on the reported health status, the Docker engine could then exit non-working containers and instantiate new ones. |
You could build your own images based on the daily release of the ubuntu base tar.gz.
Dockerfile:

```dockerfile
FROM scratch
ADD focal-base-amd64.tar /
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
CMD ["/bin/sh"]
```

Note: as the ADD instruction does not extract tar.gz archives, it is necessary to download the tar.gz and gunzip it to get a tar file that can be extracted by the ADD instruction.
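As an added example (not from this thread, the CIS benchmark tooling, or the Ubuntu image maintainers), a small Python audit that applies the two checks from the report above to a Dockerfile. The embedded Dockerfile is a constructed copy of the one posted here, so running the script reproduces both findings.

```python
import re

# Constructed sample input: a copy of the Dockerfile posted in this thread.
SAMPLE_DOCKERFILE = """\
FROM scratch
ADD focal-base-amd64.tar /
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
CMD ["/bin/sh"]
"""

# Local archives that ADD unpacks automatically, unlike COPY.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz")


def parse_instructions(text: str) -> list[tuple[str, str]]:
    """Yield (INSTRUCTION, arguments), joining '\\' continuations, skipping comments."""
    joined = re.sub(r"\\\n", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def audit(text: str) -> list[tuple[str, str]]:
    """Apply the two report checks; return (severity, message) per finding."""
    findings = []
    has_healthcheck = False
    for instr, args in parse_instructions(text):
        if instr == "ADD":
            # Drop --flags such as --chown so the first remaining token is the source.
            tokens = [t for t in args.split() if not t.startswith("--")]
            src = tokens[0] if tokens else ""
            if src.startswith(("http://", "https://")):
                why = "fetches a remote URL"
            elif src.lower().endswith(ARCHIVE_SUFFIXES):
                why = "auto-extracts a local archive"
            else:
                why = "should be COPY unless ADD semantics are required"
            findings.append(("SERIOUS", f"ADD {src!r}: {why}"))
        elif instr == "HEALTHCHECK" and not args.strip().upper().startswith("NONE"):
            has_healthcheck = True  # HEALTHCHECK NONE only disables an inherited check
    if not has_healthcheck:
        findings.append(("MEDIUM", "no HEALTHCHECK instruction"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_DOCKERFILE):
        print(f"[{severity}] {message}")
```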
I am not sure if I ever saw a base image that wouldn’t use ADD to add the base to the image. The approach above uses it as well. Would you rather prefer to extract it on the host? Afaik, ADD/COPY do not retain the file owner, so extracting it on the host doesn’t seem like an option. Furthermore, using COPY with FROM scratch is not going to work, so it would require a multistage image build, and you would end up with the problem of the file ownership.
Though I assume we both can agree that it makes no sense to implement a healthcheck just for the sake of having a healthcheck implemented on a minimal base image that runs no processes, right? If you don’t agree, please let me know what a useful healthcheck would look like for an OS base image.
Update: Oh, I see. Those are the output of the CIS benchmark, and not your personal opinions. Of course the findings will be the same for the custom-created base image. It starts to differ if the current image on Docker Hub has high or critical findings, which might not be present on the custom-built image, as it will include the most recent packages.