
Find a lightweight and official image to import #259

Closed
4 tasks done
xr09 opened this issue Oct 1, 2019 · 7 comments

Comments


xr09 commented Oct 1, 2019

Description

In order to comply with #252 we need to find an alternative image to use as a base.

The right image is lightweight, functional and most importantly, secure.

Tasks

  • Setup a testing environment with Docker and Snyk
  • Test official CentOS image
  • Test official Debian image
  • Test official Ubuntu image
@manuasir manuasir added this to the Sprint - 101 milestone Oct 2, 2019

xr09 commented Oct 2, 2019

Hey team,

I'm currently doing some security testing with Snyk (same tool used to report #221 ).

This is the output from our current image wazuh/wazuh:latest:

[screenshot: Screenshot_20191002_183115]

This is one of the high severity vulnerabilities on the image.

[screenshot: Screenshot_20191002_183422]

Visiting that link we get this:

Improper Data Handling

Affecting glibc package, versions debian:10: <2.28-1 || debian:8: * || debian:9: * || debian:unstable: <2.28-1 || ubuntu:16.04: * || ubuntu:18.04: *

So according to Snyk only Debian and Ubuntu are affected.

But RedHat says otherwise.

https://access.redhat.com/security/cve/cve-2009-5155

Red Hat Enterprise Linux 7 | glibc | Affected

Let's check another one.

This report again says Debian and Ubuntu are the only vulnerable.

On the RedHat CVE Database says Under Investigation but let's test the exploit on a CentOS 7:

[root@e1cad4fb067f /]# echo D | grep -E "$(printf '(\0|)(\\1\\1)*')"
Segmentation fault (core dumped)

Again, vulnerable.

After this research I'm not sure about trusting Snyk as the only source of truth; we might spend a lot of man-hours moving away from the current image (or from Ubuntu) and end up in the blind, since Snyk is not reporting correctly. So this is one point to keep in mind.

I'm tempted to say currently their CVE database is much more accurate for Debian/Ubuntu than for CentOS/RedHat.

Regards.


xr09 commented Oct 3, 2019

Another example:

https://snyk.io/vuln/SNYK-LINUX-TAR-441202

NULL Pointer Dereference

Affecting tar package, versions debian:10: * || debian:8: * || debian:9: * || debian:unstable: *

https://access.redhat.com/security/cve/cve-2019-9923

[screenshot: Screenshot_20191003_145724]
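As an added example (not code from this thread, nor from Wazuh or Snyk), here is a small parser for the "Affecting ... package, versions ..." lines quoted in this comment and the previous one. It makes the point of both comments explicit: a base image that does not appear in Snyk's per-distro version list gets the verdict "no-data", never "not affected". The line format is inferred from the two quoted lines, and the reading of `*` as "every version of that release" is an assumption.

```python
import re
from typing import Dict, Tuple

# The two "Affecting ... versions ..." lines quoted in the comments above.
SNYK_GLIBC = ("Affecting glibc package, versions debian:10: <2.28-1 || debian:8: * "
              "|| debian:9: * || debian:unstable: <2.28-1 || ubuntu:16.04: * || ubuntu:18.04: *")
SNYK_TAR = "Affecting tar package, versions debian:10: * || debian:8: * || debian:9: * || debian:unstable: *"

# Candidate base images from the thread, as (distro, release) pairs.
CANDIDATES = [("debian", "10"), ("centos", "7"), ("ubuntu", "18.04")]

_HEAD = re.compile(r"^Affecting (?P<pkg>\S+) package, versions (?P<versions>.+)$")
_ENTRY = re.compile(r"^(?P<distro>[a-z]+):(?P<release>[^:\s]+):\s*(?P<range>\S.*)$")

def parse_affecting(line: str) -> Tuple[str, Dict[Tuple[str, str], str]]:
    """Return (package, {(distro, release): affected-range}) for one Snyk line.
    A range of '*' is read (assumption) as: every version of that release is listed."""
    head = _HEAD.match(line.strip())
    if not head:
        raise ValueError("not a Snyk 'Affecting' line")
    ranges = {}
    for entry in head["versions"].split("||"):
        m = _ENTRY.match(entry.strip())
        if not m:
            raise ValueError(f"unparsable entry: {entry.strip()!r}")
        ranges[(m["distro"], m["release"])] = m["range"].strip()
    return head["pkg"], ranges

def coverage_for(ranges, distro: str, release: str) -> Tuple[str, str]:
    """Classify what the scanner data says about one base image.
    'affected' -> the release is explicitly listed with a vulnerable range.
    'no-data'  -> the scanner has no entry for it. This is a coverage gap, not
                  evidence that the package is clean (see the CentOS 7 segfault
                  in the thread), so the vendor's CVE page must be consulted."""
    key = (distro, release)
    if key in ranges:
        return "affected", ranges[key]
    if any(d == distro for d, _ in ranges):
        return "no-data", f"{distro} is present but release {release} is not listed"
    return "no-data", f"no {distro} entries at all; consult the vendor advisory"

def triage(line: str, candidates=CANDIDATES) -> Dict[str, Tuple[str, str]]:
    """Map each candidate base image to its coverage verdict for one advisory."""
    _, ranges = parse_affecting(line)
    return {f"{d}:{r}": coverage_for(ranges, d, r) for d, r in candidates}
```

Running `triage(SNYK_GLIBC)` marks debian:10 and ubuntu:18.04 as affected and centos:7 as no-data, which is exactly the case where the scanner output must not be read as a clean bill of health.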

@manuasir manuasir modified the milestones: Sprint - 101, Sprint - 102 Oct 21, 2019
@manuasir manuasir modified the milestones: Sprint - 102, Sprint - 103 Nov 11, 2019

xr09 commented Nov 14, 2019

Base images size comparison

Currently testing 3 of the officially supported images on Docker Hub, adding our current base image for comparison.

This is a report from MicroBadger, a site which periodically inspects images from Docker Hub and reports its size (gzipped) and number of layers.

Base Image MicroBadger Report
CentOS 7
Debian 10
Ubuntu 18.04
phusion/baseimage
Wazuh

Mind these official images would require some modifications to allow a multi-process container.


xr09 commented Nov 14, 2019

Testing a few modifications on our current Dockerfile and changing the base images to Debian Buster, CentOS 7 and Ubuntu Bionic we're getting these final sizes.

| Wazuh Image  | Size  |
|--------------|-------|
| Debian 10    | 228MB |
| CentOS 7     | 195MB |
| Ubuntu 18.04 | 191MB |


xr09 commented Nov 18, 2019

After a few debates we're proposing CentOS 7 as our new base image due to its solid stability and long term support. Any comments would be appreciated.

@thiscantbeserious

Any reason you didn't even give Alpine a run? Unlike all of the above, it is by far more lightweight and faster to customize, and it is also built with Docker in mind.


xr09 commented Jan 20, 2020

Hi @thiscantbeserious, actually we thought about Alpine but this distro doesn't use the standard glibc like the rest (Alpine uses musl libc). This makes it unexplored territory for our core team (and packaging team as well) so we picked a distro with first class support instead.
