Container images

BSI IT-Grundschutz 2023 sections covered by this page
  • CON.8
  • SYS.1.1
  • SYS.1.3
  • APP.3.1
  • APP.6
  • OPS.1.1.2
  • OPS.1.1.4

OX App Suite 8 is provided exclusively as OCI-compliant container images. This page provides insight into the security considerations regarding this delivery method.

Base images

OX App Suite container images are built on top of base images that are provided by known-good sources such as legitimate open-source projects. While the goal is to have uniform base images, the selection criteria are based on product requirements and can result in different base images being used for different software components.

Images are selected based on a review of the vendor or project, taking relevant security considerations into account. This includes vendor independence, access to source code, recency, update speed, licensing model, and validation of security processes and security track record. Official upstream sources are used to fetch base images.

Minimal base images are preferred whenever possible, including so-called "distroless" base images. The integrity of base images is validated using checksums, and we review image contents to make sure no unnecessary or malicious code is present. This involves automated software composition analysis.

Base images are mirrored internally to avoid unexpected modification or unavailability of external sources. OX App Suite container images contain references to the base image that was used during the build process.

Image sources

OX App Suite container images are provided through a container registry operated by Open-Xchange. It allows authenticated and encrypted access, using TLS to provide integrity and confidentiality guarantees. Container images are immutable at the registry, and new versions are provided as new tags.

Container images at this registry are cryptographically signed, and the signatures can be validated by consumers of the registry. Information about the contents of OX App Suite container images is provided as a software bill of materials (SBOM).

It is strongly recommended to mirror container images to a local registry to avoid the operational impact of the registry being unavailable.

Image build process

OX App Suite container images are created during the build process; no code or binaries are added to the image at runtime. There is no installation process taking place and there are no external dependencies at runtime. Standard libraries present in the base image are not modified or replaced with non-upstream sources.

During the image build, the number of external dependencies is controlled and limited to what is required to run the workload within the container image. The provided container images do not automatically spawn new instances or additional services.

We transparently provide the source code of the application together with instructions to create our container images. This allows builds to be reproduced and their legitimacy to be validated.

Runtime permissions

OX App Suite container images are designed to use unprivileged user accounts and groups, which allows container runtime permissions to be reduced to a minimum. Only the user accounts required to run the workload are created during the container build process. Those accounts do not allow interactive external access and are not changed during runtime.

The container image definition makes sure that processes are spawned as a specific user account or user identifier. OX App Suite containers do not require any privileged host functionality. Storage volumes can be mapped to arbitrary subsystems.

Mandatory access control

At this point, OX App Suite container images are not tested with mandatory access control systems like SELinux or AppArmor. Operators who wish to use this technology may do so on their own responsibility. We currently do not deliver documentation or support for those use cases. Implementation of hardened access control is possible at the Java runtime level, using the Java Security Manager.

Interactive access

Interactive access to OX App Suite containers is not considered for production. Workload configuration is expected to happen through container orchestration systems and/or configuration management systems. Containers do not include remote management software other than the OX App Suite specific provisioning and management endpoints.

Logging, metrics and health-checks

Log information is provided exclusively through the stdout and stderr streams and is expected to be processed by the container orchestration system. Metrics can be gathered using application-level endpoints.

Health checks and readiness checks are exposed by each container image to allow service monitoring via the container orchestration system.

Process parameters

Processes started within OX App Suite container images do not receive sensitive data as process parameters. They consume such data from either environment variables or configuration files.

Updates

Container images are immutable and carry unique versions. Updates are performed by replacing a container image with a newer version.
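The mirroring recommendation under "Image sources" and the immutable-tag update model above imply two checks a consumer can automate. This added example (not Open-Xchange code or tooling) refuses to mirror a reference that is not pinned to a digest, and reports a tag whose digest changed upstream instead of silently re-mirroring it; registry names and digests are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Simplified OCI image reference grammar: [registry[:port]/]repo[:tag][@sha256:<64 hex>]
_REF_RE = re.compile(
    r"^(?:(?P<registry>(?:[^/:]+\.[^/:]+|localhost)(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)

def parse_ref(ref: str) -> Dict[str, Optional[str]]:
    """Split a reference into registry, repo, tag and digest (None where absent)."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError("not a valid image reference: %r" % ref)
    return m.groupdict()

def mirror_ref(ref: str, mirror_registry: str) -> str:
    """Rewrite an upstream reference to the local mirror. A digest is required:
    a tag alone is a mutable pointer, so mirroring by tag cannot guarantee that
    the mirrored content is the one whose signature and SBOM were checked."""
    parts = parse_ref(ref)
    if not parts["digest"]:
        raise ValueError("refusing to mirror tag-only (mutable) reference: %r" % ref)
    tag = ":" + parts["tag"] if parts["tag"] else ""
    return "%s/%s%s@%s" % (mirror_registry, parts["repo"], tag, parts["digest"])

def check_tag_drift(pinned: Dict[str, str], resolved: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Compare the tag->digest map recorded at the last mirror run with a freshly
    resolved one. New tags are expected (that is how updates arrive); a tag whose
    digest changed contradicts immutability and must be investigated, not mirrored."""
    new_tags = sorted(t for t in resolved if t not in pinned)
    drifted = sorted(t for t in resolved if t in pinned and resolved[t] != pinned[t])
    return new_tags, drifted

# Constructed sample data: registry names and digests are placeholders, not real values.
UPSTREAM = "registry.example.com/ox/appsuite"
PINNED = {"8.20": "sha256:" + "a" * 64}
RESOLVED = {"8.20": "sha256:" + "a" * 64, "8.21": "sha256:" + "b" * 64}

if __name__ == "__main__":
    new_tags, drifted = check_tag_drift(PINNED, RESOLVED)
    for t in new_tags:
        print("mirror:", mirror_ref("%s:%s@%s" % (UPSTREAM, t, RESOLVED[t]), "mirror.internal:5000"))
    for t in drifted:
        print("ALERT: tag %s changed digest upstream; not mirroring" % t)
```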

Intrusion detection and prevention

The provided container images do not contain IDS/IPS capabilities such as packet filters or application-level firewalls. This functionality is expected to be provided by the orchestration solution or auxiliary infrastructure.

Credentials

Container images for OX App Suite 8 do not contain default credentials, key material, or hard-coded security tokens.
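The properties stated under "Runtime permissions", "Logging, metrics and health-checks", "Process parameters" and "Credentials" can be verified by an operator against an image's OCI configuration blob before deployment. This added example (not Open-Xchange code) does so in Python; the configuration shown is a constructed placeholder in the standard OCI image config layout, not a real OX App Suite image.

```python
import json
import re
from typing import Any, Dict, List

# Constructed OCI image config blob (the JSON that e.g. `skopeo inspect --config docker://<ref>`
# prints; "Healthcheck" is the Docker extension). Values are placeholders, not a real OX image.
SAMPLE_CONFIG = json.loads("""
{
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "User": "1000:1000",
    "Env": ["PATH=/usr/bin", "DB_PASSWORD_FILE=/run/secrets/db-password"],
    "Entrypoint": ["/usr/bin/java", "-jar", "/app/app.jar"],
    "Cmd": [],
    "ExposedPorts": {"8080/tcp": {}},
    "Healthcheck": {"Test": ["CMD", "/bin/healthcheck"]},
    "Volumes": {"/data": {}}
  }
}
""")

_SECRET_KEY_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY", re.I)
_SECRET_ARG_RE = re.compile(r"^--?(password|passwd|secret|token|api-?key)(=|$)", re.I)

def check_image_config(image_config: Dict[str, Any]) -> List[str]:
    """Return findings for: a non-root User, a defined health check, and no secrets
    baked into Env or passed as process parameters (argv is readable by every
    process in the container via /proc and shows up in inspection output)."""
    cfg = image_config.get("config", {})
    findings = []
    user = str(cfg.get("User") or "")
    if user.split(":")[0] in ("", "root", "0"):
        findings.append("process runs as root (User=%r)" % user)
    if "Healthcheck" not in cfg:
        findings.append("no Healthcheck defined")
    for entry in cfg.get("Env") or []:
        key, _, value = entry.partition("=")
        # *_FILE variables point at a mounted secret file, which is the intended pattern.
        if _SECRET_KEY_RE.search(key) and value and not key.upper().endswith("_FILE"):
            findings.append("secret-like value baked into Env: %s" % key)
    for arg in list(cfg.get("Entrypoint") or []) + list(cfg.get("Cmd") or []):
        if _SECRET_ARG_RE.match(arg):
            findings.append("secret passed as process parameter: %s" % arg.split("=")[0])
    return findings

if __name__ == "__main__":
    print(check_image_config(SAMPLE_CONFIG) or "no findings")
```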