Container images
BSI IT-Grundschutz 2023 sections covered by this page
- CON.8
- SYS.1.1
- SYS.1.3
- APP.3.1
- APP.6
- OPS.1.1.2
- OPS.1.1.4
OX App Suite 8 is exclusively provided as OCI compliant container images. This page provides insight to security considerations regarding this delivery method.
Base images
OX App Suite container images are built on top of base images, that are provided from known-good sources like legitimate open-source projects. While the goal is to have uniform base images, the selection criteria are based on product requirements and can result in using different base-image for different software components.
Images are selected based on vendor or project review, taking relevant security considerations into account. This includes vendor independence, access to source-code, recency, update speed, licensing model and validation of security processes and security track record. Official upstream sources are used to fetch base images
Minimal base images are preferred whenever possible, which includes so-called "distroless" base images. The integrity of base images is validated by using checksums, and we review image contents to make sure no unnecessary or malicious code is present. This involves automated software composition analysis.
Base images are mirrored internally to avoid unexpected modification or unavailability of external sources. OX App Suite container images contain references to the base-image that was used during the build process.
Image sources
OX App Suite container images are provided through a container registry operated by Open-Xchange. It allows authenticated and encrypted access, using TLS to provide integrity and confidentiality guarantees. Container images are immutable at the registry, and new versions are provided as a new tag.
Container images at this registry are cryptographically signed, and the signatures can be validated by consumers of the registry. Information about the content of OX App Suite container images is provided using SBOM.
It is strongly suggested to mirror container images to a local registry to avoid operational impact of unavailability of the registry.
Image build process
OX App Suite container images are created during the build process, and no code or binaries are put into the image during runtime. There is no installation process taking place and there are no external dependencies during runtime. Standard libraries present at the base-image are not modified or replaced with non-upstream sources.
During image build, the amount of external dependencies is controlled and limited to what is required to run the workload within the container image. The provided container images do not automatically spawn new instances or additional services.
We transparently provide the source-code of the application together with instructions to create our container images. This allows to reproduce builds and validate their legitimacy.
Runtime permissions
OX App Suite container images are designed to utilize unprivileged user accounts and groups, which allows reducing container runtime permissions to a minimum. Only user-accounts required to run the workload are created during the container build process. Those accounts do not allow interactive external access or change during runtime.
The container image definition makes sure that processes are spawned as a specific user account or user identifier. OX App Suite Containers do not require any privileged host functionality. Storage volumes can be mapped to arbitrary subsystems.
Mandatory access control
At this point, OX App Suite container images are not tested with mandatory access control systems like SELinux or AppArmor. Operators who wish to use this technology might do so at their own responsibility. We currently do not deliver documentation or support for those use-cases. Implementation of hardened access control is possible on a Java runtime level, using Java Security Manager.
Interactive access
Interactive access to OX App Suite container images is not considered in production. Workload configuration is expected to happen through container orchestration systems and/or configuration management systems. Containers do not include remote management software other than OX App Suite specific provisioning and management endpoints.
Logging, metrics and health-checks
Log information is exclusively provided through stdout
and stderr
streams and is expected to be processed by container orchestration system. Metrics can be gathered by using application-level endpoints.
Health-checks and readiness-checks are exposed by each container image to allow service monitoring via the container orchestration system.
Process parameters
Processes started within OX App Suite container images do not use sensitive data as parameters. They either consume them from environment variables or configuration files.
Updates
Container images are immutable and use unique versions. Updates are performed by replacing container images with a newer version.
Intrusion detection and prevention
The provided container images do not contain IDP/IPS capabilities like packet filters or application-level firewalls. It is expected that this functionality is provided by the orchestration solution or auxiliary infrastructure.
Credentials
Container images for OX App Suite 8 do not contain default credentials, key material or any hard-coded security tokens.