Introduction to Alpine Linux Security
Alpine Linux is a security-oriented, lightweight Linux distribution that uses musl libc and BusyBox. Its small footprint and security-focused design make it ideal for containerized applications, but it requires special considerations when running Java applications.
System Architecture Overview
Alpine Linux Security Stack ├── Minimal Base System │ ├ - musl libc (vs glibc) │ ├ - BusyBox │ └ - OpenRC (vs systemd) ├── Security Features │ ├ - PaX/Grsecurity │ ├ - Position Independent Executables (PIE) │ ├ - Stack Smashing Protection │ └ - Fortify Source ├── Container Security │ ├ - Distroless Base │ ├ - Multi-stage Builds │ └ - Minimal Dependencies └── Java-Specific Considerations ├ - musl vs glibc Compatibility ├ - Timezone Data ├ - SSL Certificates └ - Character Encoding
Core Implementation
1. Maven Dependencies for Alpine Compatibility
<properties>
<alpine.version>3.18</alpine.version>
<graalvm.version>22.3.2</graalvm.version>
<musl.version>1.2.4</musl.version>
</properties>
<dependencies>
<!-- Alpine-compatible libraries -->
<dependency>
<groupId>org.musl</groupId>
<artifactId>musl-compat</artifactId>
<version>${musl.version}</version>
</dependency>
<!-- Native image support for smaller footprint -->
<dependency>
<groupId>org.graalvm.sdk</groupId>
<artifactId>graal-sdk</artifactId>
<version>${graalvm.version}</version>
</dependency>
<!-- Security libraries -->
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.78</version>
</dependency>
<!-- Resource monitoring -->
<dependency>
<groupId>com.sun.management</groupId>
<artifactId>sun-management-api</artifactId>
<version>1.0</version>
</dependency>
<!-- System information -->
<dependency>
<groupId>com.github.oshi</groupId>
<artifactId>oshi-core</artifactId>
<version>6.4.6</version>
</dependency>
</dependencies>
<build>
<plugins>
<!-- Build native image with GraalVM -->
<plugin>
<groupId>org.graalvm.buildtools</groupId>
<artifactId>native-maven-plugin</artifactId>
<version>0.9.28</version>
<executions>
<execution>
<goals>
<goal>build</goal>
</goals>
</execution>
</executions>
<configuration>
<imageName>alpine-secure-app</imageName>
<mainClass>com.security.Application</mainClass>
<buildArgs>
<buildArg>--static</buildArg>
<buildArg>--libc=musl</buildArg>
<buildArg>-H:+UnlockExperimentalVMOptions</buildArg>
</buildArgs>
</configuration>
</plugin>
</plugins>
</build>
2. Alpine Security Configuration Service
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;
@Service
public class AlpineSecurityService {
private static final Logger logger = LoggerFactory.getLogger(AlpineSecurityService.class);
// Alpine-specific paths
private static final String APK_CACHE = "/var/cache/apk";
private static final String APK_WORLD = "/etc/apk/world";
private static final String APK_REPOSITORIES = "/etc/apk/repositories";
private static final String SECCOMP_PROFILE = "/etc/docker/seccomp";
/**
* Check if running on Alpine Linux
*/
public boolean isAlpineLinux() {
try {
String osRelease = Files.readString(Path.of("/etc/os-release"));
return osRelease.contains("Alpine Linux");
} catch (IOException e) {
return false;
}
}
/**
* Get Alpine Linux version
*/
public String getAlpineVersion() {
try {
List<String> lines = Files.readAllLines(Path.of("/etc/alpine-release"));
return lines.isEmpty() ? "unknown" : lines.get(0).trim();
} catch (IOException e) {
return "unknown";
}
}
/**
* Verify musl libc is being used
*/
public boolean isUsingMusl() {
try {
ProcessBuilder pb = new ProcessBuilder("ldd", "--version");
Process process = pb.start();
String output = new String(process.getInputStream().readAllBytes());
return output.contains("musl");
} catch (IOException e) {
return false;
}
}
/**
* Scan for unnecessary packages that could be removed
*/
public List<String> findUnnecessaryPackages() throws IOException {
List<String> unnecessary = new ArrayList<>();
// Read installed packages
List<String> installed = getInstalledPackages();
// Define essential packages for Java apps
Set<String> essential = Set.of(
"openjdk17-jre", "ca-certificates", "tzdata",
"libc6-compat", "busybox", "ssl_client"
);
// Check each installed package
for (String pkg : installed) {
if (!isPackageEssential(pkg, essential)) {
unnecessary.add(pkg);
}
}
return unnecessary;
}
/**
* Secure APK repositories configuration
*/
public void secureAPKRepositories() throws IOException {
Path reposPath = Path.of(APK_REPOSITORIES);
List<String> secureRepos = Arrays.asList(
"https://dl-cdn.alpinelinux.org/alpine/v3.18/main",
"https://dl-cdn.alpinelinux.org/alpine/v3.18/community"
// Note: Disable testing/edge repos for production
// "# https://dl-cdn.alpinelinux.org/alpine/edge/testing"
);
Files.write(reposPath, secureRepos, StandardOpenOption.TRUNCATE_EXISTING);
logger.info("APK repositories secured");
}
/**
* Set up seccomp security profile
*/
public void configureSeccompProfile() throws IOException {
// Default deny, allow only necessary syscalls for Java
String seccompProfile = """
{
"defaultAction": "SCMP_ACT_ERRNO",
"syscalls": [
{
"names": [
"accept",
"access",
"arch_prctl",
"bind",
"brk",
"clock_gettime",
"clone",
"close",
"connect",
"dup",
"epoll_ctl",
"epoll_wait",
"execve",
"exit",
"exit_group",
"futex",
"getdents64",
"getpid",
"getrandom",
"getsockname",
"getsockopt",
"ioctl",
"listen",
"lseek",
"mmap",
"mprotect",
"munmap",
"newfstatat",
"openat",
"pipe",
"poll",
"pread64",
"prlimit64",
"pwrite64",
"read",
"readlink",
"recvfrom",
"recvmsg",
"rt_sigaction",
"rt_sigprocmask",
"rt_sigreturn",
"sendmsg",
"sendto",
"setsockopt",
"socket",
"write",
"writev"
],
"action": "SCMP_ACT_ALLOW"
}
]
}
""";
Files.createDirectories(Path.of(SECCOMP_PROFILE).getParent());
Files.writeString(Path.of(SECCOMP_PROFILE + "/java-secure.json"), seccompProfile);
}
/**
* Configure Linux Security Modules (LSM)
*/
public void configureLinuxSecurityModules() {
try {
// AppArmor (if available)
configureAppArmor();
// SELinux (if available)
configureSELinux();
// PaX/grsecurity flags
configurePaXFlags();
} catch (Exception e) {
logger.warn("Failed to configure LSM: {}", e.getMessage());
}
}
/**
* Set PaX/grsecurity flags for Java process
*/
private void configurePaXFlags() throws IOException {
// Check if PaX is available
Path paxctl = Path.of("/usr/sbin/paxctl");
if (Files.exists(paxctl)) {
String javaHome = System.getProperty("java.home");
Path javaBinary = Path.of(javaHome, "bin", "java");
// Apply PaX flags to Java binary
ProcessBuilder pb = new ProcessBuilder(
"paxctl", "-c", javaBinary.toString()
);
Process process = pb.start();
// Disable mprotect restrictions for JIT compilation
pb = new ProcessBuilder(
"paxctl", "-m", javaBinary.toString()
);
process = pb.start();
logger.info("PaX flags configured for Java binary");
}
}
/**
* Hardened malloc configuration for musl
*/
public void configureHardenedMalloc() {
// musl's malloc is already relatively secure, but we can add extra hardening
System.setProperty("MALLOC_CHECK_", "3");
System.setProperty("MALLOC_PERTURB_", String.valueOf(new Random().nextInt(255)));
}
/**
* Configure ASLR (Address Space Layout Randomization)
*/
public void configureASLR() {
try {
// Check current ASLR settings
String randomizeVaSpace = Files.readString(Path.of("/proc/sys/kernel/randomize_va_space"));
// Ensure ASLR is enabled (2 = full ASLR)
if (!"2".equals(randomizeVaSpace.trim())) {
Files.writeString(Path.of("/proc/sys/kernel/randomize_va_space"), "2");
logger.info("ASLR enabled");
}
} catch (IOException e) {
logger.warn("Could not configure ASLR: {}", e.getMessage());
}
}
/**
* Set resource limits for container
*/
public void setResourceLimits() {
// Set Java heap limits based on container memory
String containerMemory = System.getenv("CONTAINER_MEMORY_LIMIT");
if (containerMemory != null) {
try {
long memoryBytes = parseMemoryString(containerMemory);
long heapSize = (long) (memoryBytes * 0.7); // Use 70% for heap
// Set JVM memory options
System.setProperty("XX:MaxRAMPercentage", "70.0");
System.setProperty("XX:InitialRAMPercentage", "25.0");
} catch (NumberFormatException e) {
logger.warn("Invalid memory limit format: {}", containerMemory);
}
}
// Set file descriptor limit
try {
ProcessBuilder pb = new ProcessBuilder("ulimit", "-n", "65536");
Process process = pb.start();
} catch (IOException e) {
logger.warn("Could not set file descriptor limit: {}", e.getMessage());
}
}
/**
* Verify file permissions and ownership
*/
public List<PermissionIssue> verifyFilePermissions() throws IOException {
List<PermissionIssue> issues = new ArrayList<>();
// Check critical directories
checkDirectoryPermissions(Path.of("/etc"), issues);
checkDirectoryPermissions(Path.of("/var"), issues);
checkDirectoryPermissions(Path.of("/tmp"), issues);
// Check Java application files
String userHome = System.getProperty("user.home");
checkDirectoryPermissions(Path.of(userHome), issues);
return issues;
}
private void checkDirectoryPermissions(Path path, List<PermissionIssue> issues) throws IOException {
if (Files.exists(path)) {
Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
// Check for world-writable directories
if (perms.contains(PosixFilePermission.OTHERS_WRITE)) {
issues.add(new PermissionIssue(
path.toString(),
"Directory is world-writable",
"Remove world-write permission"
));
}
// Check for incorrect ownership
String currentUser = System.getProperty("user.name");
String owner = Files.getOwner(path).getName();
if (!"root".equals(owner) && path.toString().startsWith("/etc")) {
issues.add(new PermissionIssue(
path.toString(),
"System directory owned by non-root user",
"Change ownership to root"
));
}
}
}
/**
* Scan for SUID/SGID binaries
*/
public List<String> findSuidSgidBinaries() throws IOException {
List<String> suidBinaries = new ArrayList<>();
// Search for SUID binaries
ProcessBuilder pb = new ProcessBuilder("find", "/", "-type", "f",
"-perm", "/4000", "-o", "-perm", "/2000", "2>/dev/null");
Process process = pb.start();
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()))) {
String line;
while ((line = reader.readLine()) != null) {
suidBinaries.add(line.trim());
}
}
return suidBinaries;
}
/**
* Configure timezone and locale for Alpine
*/
public void configureTimezoneAndLocale() {
try {
// Set timezone
String timezone = System.getenv("TZ");
if (timezone != null) {
Path zoneInfo = Path.of("/usr/share/zoneinfo", timezone);
if (Files.exists(zoneInfo)) {
Files.createSymbolicLink(Path.of("/etc/localtime"), zoneInfo);
}
}
// Set locale
String locale = System.getenv("LANG") != null ?
System.getenv("LANG") : "C.UTF-8";
System.setProperty("user.language", locale.split("\\.")[0]);
System.setProperty("user.country", locale.contains("_") ?
locale.split("_")[1].split("\\.")[0] : "");
} catch (IOException e) {
logger.warn("Failed to configure timezone/locale: {}", e.getMessage());
}
}
/**
* Configure SSL certificates for Alpine
*/
public void configureSSLCertificates() {
try {
// Update CA certificates
ProcessBuilder pb = new ProcessBuilder("update-ca-certificates");
Process process = pb.start();
int exitCode = process.waitFor();
if (exitCode == 0) {
logger.info("CA certificates updated");
// Set Java trust store
Path caBundle = Path.of("/etc/ssl/certs/ca-certificates.crt");
if (Files.exists(caBundle)) {
System.setProperty("javax.net.ssl.trustStore", caBundle.toString());
System.setProperty("javax.net.ssl.trustStoreType", "PEM");
}
}
} catch (IOException | InterruptedException e) {
logger.warn("Failed to configure SSL certificates: {}", e.getMessage());
}
}
/**
* Monitor security events
*/
public SecurityMetrics collectSecurityMetrics() {
SecurityMetrics metrics = new SecurityMetrics();
try {
// Check kernel security features
metrics.setKernelHardening(checkKernelHardening());
// Check container isolation
metrics.setContainerIsolation(checkContainerIsolation());
// Check running processes
metrics.setProcessCount(countRunningProcesses());
// Check open ports
metrics.setOpenPorts(getOpenPorts());
// Check memory usage
metrics.setMemoryUsage(getMemoryUsage());
} catch (Exception e) {
logger.warn("Failed to collect security metrics: {}", e.getMessage());
}
return metrics;
}
// Helper methods
private List<String> getInstalledPackages() throws IOException {
ProcessBuilder pb = new ProcessBuilder("apk", "list", "--installed");
Process process = pb.start();
List<String> packages = new ArrayList<>();
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()))) {
String line;
while ((line = reader.readLine()) != null) {
packages.add(line.split(" ")[0]);
}
}
return packages;
}
private boolean isPackageEssential(String pkg, Set<String> essential) {
return essential.contains(pkg) ||
pkg.startsWith("openjdk") ||
pkg.startsWith("ca-certificates") ||
pkg.contains("libc") ||
pkg.contains("ssl");
}
private long parseMemoryString(String memory) {
memory = memory.toUpperCase();
long multiplier = 1;
if (memory.endsWith("G")) {
multiplier = 1024 * 1024 * 1024;
memory = memory.substring(0, memory.length() - 1);
} else if (memory.endsWith("M")) {
multiplier = 1024 * 1024;
memory = memory.substring(0, memory.length() - 1);
} else if (memory.endsWith("K")) {
multiplier = 1024;
memory = memory.substring(0, memory.length() - 1);
}
return Long.parseLong(memory) * multiplier;
}
private void configureAppArmor() throws IOException {
// Check if AppArmor is available
if (Files.exists(Path.of("/sys/module/apparmor/parameters/enabled"))) {
String enabled = Files.readString(
Path.of("/sys/module/apparmor/parameters/enabled")).trim();
if ("Y".equals(enabled)) {
// Load AppArmor profile for Java
loadAppArmorProfile();
}
}
}
private void loadAppArmorProfile() throws IOException {
String appArmorProfile = """
#include <tunables/global>
profile java-app flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/nameservice>
# Java runtime
/usr/lib/jvm/** r,
/opt/java/** r,
# Application files
/app/** rwk,
# Network
network inet tcp,
network inet udp,
network inet6 tcp,
network inet6 udp,
# Deny dangerous operations
deny @{PROC}/kcore r,
deny /dev/mem r,
deny /dev/kmem r,
# Capabilities
capability setuid,
capability setgid,
capability net_bind_service,
# Signal handling
signal (receive) peer=java-app,
# Pseudo filesystems
/proc/[0-9]*/stat r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
}
""";
Path profilePath = Path.of("/etc/apparmor.d/java-app");
Files.writeString(profilePath, appArmorProfile);
// Load the profile
ProcessBuilder pb = new ProcessBuilder("apparmor_parser", "-r", profilePath.toString());
Process process = pb.start();
logger.info("AppArmor profile loaded for Java application");
}
private void configureSELinux() {
// SELinux configuration would go here
// Alpine typically doesn't use SELinux by default
}
private KernelHardening checkKernelHardening() throws IOException {
KernelHardening hardening = new KernelHardening();
hardening.setKernelVersion(Files.readString(Path.of("/proc/version")).trim());
// Check various kernel security features
hardening.setPaXEnabled(checkKernelFeature("pax"));
hardening.setGrsecurityEnabled(checkKernelFeature("grsec"));
hardening.setSeccompEnabled(checkKernelFeature("seccomp"));
hardening.setAppArmorEnabled(checkKernelFeature("apparmor"));
hardening.setYamaEnabled(checkKernelFeature("yama"));
return hardening;
}
private boolean checkKernelFeature(String feature) {
try {
ProcessBuilder pb = new ProcessBuilder("grep", "-q", feature, "/proc/self/status");
Process process = pb.start();
return process.waitFor() == 0;
} catch (IOException | InterruptedException e) {
return false;
}
}
// Inner classes for data transfer
public static class PermissionIssue {
private final String file;
private final String issue;
private final String recommendation;
public PermissionIssue(String file, String issue, String recommendation) {
this.file = file;
this.issue = issue;
this.recommendation = recommendation;
}
// getters
}
public static class SecurityMetrics {
private KernelHardening kernelHardening;
private ContainerIsolation containerIsolation;
private int processCount;
private List<Integer> openPorts;
private MemoryUsage memoryUsage;
// getters and setters
}
public static class KernelHardening {
private String kernelVersion;
private boolean paXEnabled;
private boolean grsecurityEnabled;
private boolean seccompEnabled;
private boolean appArmorEnabled;
private boolean yamaEnabled;
// getters and setters
}
public static class ContainerIsolation {
private boolean namespacesEnabled;
private boolean cgroupsEnabled;
private boolean capabilitiesLimited;
private boolean readOnlyRootFS;
// getters and setters
}
public static class MemoryUsage {
private long total;
private long used;
private long free;
// getters and setters
}
}
3. Dockerfile for Secure Alpine Java Image
# Multi-stage build for minimal secure image
FROM eclipse-temurin:17-jdk-alpine AS builder
# Install necessary build tools
RUN apk add --no-cache maven
WORKDIR /app
COPY . .
RUN mvn clean package -DskipTests
# Create final minimal image
FROM alpine:3.18 AS runtime
# Install minimal required packages
RUN apk add --no-cache \
# Java runtime
openjdk17-jre \
# SSL certificates
ca-certificates \
# Timezone data
tzdata \
# musl compatibility
libc6-compat \
# Security tools
busybox \
# Clean APK cache
&& rm -rf /var/cache/apk/*
# Create non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# Security hardening
# Disable SUID/SGID on binaries
RUN find / -xdev -type f -perm /6000 -exec chmod a-s {} \; 2>/dev/null || true
# Set secure defaults
ENV LANG=C.UTF-8 \
JAVA_HOME=/usr/lib/jvm/java-17-openjdk \
PATH=$JAVA_HOME/bin:$PATH \
# Security
MALLOC_CHECK_=3 \
MALLOC_PERTURB_=42 \
# Java security
_JAVA_OPTIONS="-Djava.security.egd=file:/dev/./urandom -XX:+UseContainerSupport" \
# Resource limits
JAVA_MAX_MEM_RATIO=75 \
JAVA_INITIAL_MEM_RATIO=25
# Copy application from builder
COPY --from=builder --chown=appuser:appgroup /app/target/*.jar /app/app.jar
# Switch to non-root user
USER appuser
# Create necessary directories with proper permissions
RUN mkdir -p /tmp/app && chmod 700 /tmp/app
# Set working directory
WORKDIR /app
# Security: Run as read-only filesystem where possible
VOLUME /tmp
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD java -cp /app/app.jar com.security.HealthCheck || exit 1
# Security: Use exec form of ENTRYPOINT
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
# Security: Default command arguments
CMD ["--spring.profiles.active=prod"]
4. Security Scanner Integration
import org.springframework.stereotype.Service;
import java.io.*;
import java.util.*;
@Service
public class ContainerSecurityScanner {
/**
* Scan container for vulnerabilities using Trivy
*/
public ScanResult scanContainer(String imageName) throws IOException, InterruptedException {
ScanResult result = new ScanResult();
// Run trivy scan
ProcessBuilder pb = new ProcessBuilder(
"trivy", "image",
"--format", "json",
"--severity", "CRITICAL,HIGH",
"--no-progress",
imageName
);
Process process = pb.start();
String output = new String(process.getInputStream().readAllBytes());
String errors = new String(process.getErrorStream().readAllBytes());
int exitCode = process.waitFor();
if (exitCode == 0) {
result = parseTrivyOutput(output);
} else {
result.setScanFailed(true);
result.setErrorMessage(errors);
}
return result;
}
/**
* Check for outdated packages
*/
public List<PackageUpdate> checkForUpdates() throws IOException, InterruptedException {
List<PackageUpdate> updates = new ArrayList<>();
// Get upgradable packages
ProcessBuilder pb = new ProcessBuilder("apk", "upgrade", "--simulate");
Process process = pb.start();
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()))) {
String line;
while ((line = reader.readLine()) != null) {
if (line.contains("Upgrading")) {
// Parse package update information
PackageUpdate update = parsePackageUpdate(line);
if (update != null) {
updates.add(update);
}
}
}
}
return updates;
}
/**
* Scan for secrets in the container
*/
public List<SecretFinding> scanForSecrets() throws IOException {
List<SecretFinding> findings = new ArrayList<>();
// Use detect-secrets or similar tool
ProcessBuilder pb = new ProcessBuilder(
"find", "/", "-type", "f",
"-name", "*.properties",
"-o", "-name", "*.yml",
"-o", "-name", "*.yaml",
"-o", "-name", "*.json",
"-o", "-name", "*.txt"
);
Process process = pb.start();
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()))) {
String filePath;
while ((filePath = reader.readLine()) != null) {
checkFileForSecrets(Path.of(filePath), findings);
}
}
return findings;
}
/**
* Check container configuration against CIS benchmarks
*/
public CISCompliance checkCISCompliance() {
CISCompliance compliance = new CISCompliance();
// Check various CIS benchmarks
compliance.setDockerDaemonConfiguration(checkDockerDaemonConfig());
compliance.setContainerRuntime(checkContainerRuntime());
compliance.setHostConfiguration(checkHostConfiguration());
return compliance;
}
private ScanResult parseTrivyOutput(String jsonOutput) {
// Parse Trivy JSON output
ScanResult result = new ScanResult();
// Implementation would use Jackson or similar
return result;
}
private PackageUpdate parsePackageUpdate(String line) {
// Parse APK upgrade output line
return null;
}
private void checkFileForSecrets(Path filePath, List<SecretFinding> findings) {
try {
String content = Files.readString(filePath);
// Check for common secret patterns
checkForPattern(content, "password\\s*[:=]\\s*['\"]?[^\\s'\"]+['\"]?",
filePath, "Password in plain text", findings);
checkForPattern(content, "api[_-]?key\\s*[:=]\\s*['\"]?[^\\s'\"]+['\"]?",
filePath, "API key in plain text", findings);
checkForPattern(content, "secret[_-]?key\\s*[:=]\\s*['\"]?[^\\s'\"]+['\"]?",
filePath, "Secret key in plain text", findings);
} catch (IOException e) {
// Skip files that can't be read
}
}
private void checkForPattern(String content, String pattern,
Path filePath, String findingType,
List<SecretFinding> findings) {
if (content.matches("(?s).*" + pattern + ".*")) {
findings.add(new SecretFinding(
filePath.toString(),
findingType,
"Consider using environment variables or secrets manager"
));
}
}
// Inner classes
public static class ScanResult {
private boolean scanFailed;
private String errorMessage;
private List<Vulnerability> vulnerabilities;
private int criticalCount;
private int highCount;
private int mediumCount;
// getters and setters
}
public static class Vulnerability {
private String vulnerabilityID;
private String severity;
private String packageName;
private String installedVersion;
private String fixedVersion;
private String description;
// getters and setters
}
public static class PackageUpdate {
private String packageName;
private String currentVersion;
private String availableVersion;
private String repository;
// getters and setters
}
public static class SecretFinding {
private final String filePath;
private final String secretType;
private final String recommendation;
// constructor and getters
}
public static class CISCompliance {
private DockerDaemonConfig dockerDaemonConfiguration;
private ContainerRuntimeConfig containerRuntime;
private HostConfig hostConfiguration;
private int complianceScore;
// getters and setters
}
}
5. JVM Security Configuration for Alpine
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Configuration;
import java.util.*;
@Configuration
@ConfigurationProperties(prefix = "jvm.security")
public class JVMSecurityConfig {
private List<String> disabledAlgorithms = Arrays.asList(
"MD2", "MD5", "SHA1",
"DSA", "RSA keySize < 2048",
"DH keySize < 2048",
"EC keySize < 224"
);
private List<String> jceProviders = Arrays.asList(
"org.bouncycastle.jce.provider.BouncyCastleProvider"
);
private boolean enableSecurityManager = false;
private boolean enablePolicyRestrictions = true;
private String policyFile = "/app/security/java.policy";
private SSLSettings ssl = new SSLSettings();
private CryptoSettings crypto = new CryptoSettings();
public void configureJVM() {
// Configure disabled algorithms
System.setProperty("jdk.tls.disabledAlgorithms",
String.join(", ", disabledAlgorithms));
System.setProperty("jdk.certpath.disabledAlgorithms",
String.join(", ", disabledAlgorithms));
// Configure security providers
configureSecurityProviders();
// Configure SSL
configureSSL();
// Configure crypto
configureCrypto();
// Configure SecurityManager if enabled
if (enableSecurityManager) {
configureSecurityManager();
}
}
private void configureSecurityProviders() {
// Add BouncyCastle as security provider
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
}
private void configureSSL() {
System.setProperty("jdk.tls.ephemeralDHKeySize", String.valueOf(ssl.getEphemeralDHKeySize()));
System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation",
String.valueOf(ssl.isRejectClientRenegotiation()));
if (ssl.getProtocols() != null) {
System.setProperty("jdk.tls.client.protocols", String.join(", ", ssl.getProtocols()));
System.setProperty("jdk.tls.server.protocols", String.join(", ", ssl.getProtocols()));
}
}
private void configureCrypto() {
System.setProperty("java.security.egd", crypto.getEntropySource());
if (crypto.getRandomAlgorithm() != null) {
System.setProperty("java.security.secureRandomAlgorithm", crypto.getRandomAlgorithm());
}
}
private void configureSecurityManager() {
if (enablePolicyRestrictions && policyFile != null) {
System.setProperty("java.security.policy", policyFile);
}
// Note: SecurityManager is deprecated in newer Java versions
// Consider using Java Modules (JPMS) for isolation instead
}
// Getters and setters
public List<String> getDisabledAlgorithms() { return disabledAlgorithms; }
public void setDisabledAlgorithms(List<String> disabledAlgorithms) {
this.disabledAlgorithms = disabledAlgorithms;
}
// Inner configuration classes
public static class SSLSettings {
private List<String> protocols = Arrays.asList("TLSv1.2", "TLSv1.3");
private int ephemeralDHKeySize = 2048;
private boolean rejectClientRenegotiation = true;
// getters and setters
}
public static class CryptoSettings {
private String entropySource = "file:/dev/./urandom";
private String randomAlgorithm = "NativePRNGNonBlocking";
// getters and setters
}
}
6. Resource Isolation and Monitoring
import com.sun.management.OperatingSystemMXBean;
import java.lang.management.*;
@Service
public class ResourceMonitor {
private final OperatingSystemMXBean osBean;
private final MemoryMXBean memoryBean;
private final ThreadMXBean threadBean;
public ResourceMonitor() {
this.osBean = (OperatingSystemMXBean) ManagementFactory.getOperatingSystemMXBean();
this.memoryBean = ManagementFactory.getMemoryMXBean();
this.threadBean = ManagementFactory.getThreadMXBean();
}
/**
* Monitor container resource usage
*/
public ContainerMetrics getContainerMetrics() {
ContainerMetrics metrics = new ContainerMetrics();
// CPU usage
metrics.setSystemCpuLoad(osBean.getSystemCpuLoad());
metrics.setProcessCpuLoad(osBean.getProcessCpuLoad());
metrics.setAvailableProcessors(osBean.getAvailableProcessors());
// Memory usage
MemoryUsage heapUsage = memoryBean.getHeapMemoryUsage();
MemoryUsage nonHeapUsage = memoryBean.getNonHeapMemoryUsage();
metrics.setHeapUsed(heapUsage.getUsed());
metrics.setHeapMax(heapUsage.getMax());
metrics.setNonHeapUsed(nonHeapUsage.getUsed());
// Thread information
metrics.setThreadCount(threadBean.getThreadCount());
metrics.setPeakThreadCount(threadBean.getPeakThreadCount());
// Container-specific metrics (if running in container)
metrics.setContainerMemory(getContainerMemoryLimit());
metrics.setContainerCpuQuota(getContainerCpuQuota());
return metrics;
}
/**
* Detect resource exhaustion
*/
public ResourceAlert checkResourceLimits() {
ResourceAlert alert = new ResourceAlert();
ContainerMetrics metrics = getContainerMetrics();
// Check memory
if (metrics.getHeapUsed() > metrics.getHeapMax() * 0.9) {
alert.addIssue("Heap memory usage > 90%", "Consider increasing heap size");
}
// Check CPU
if (metrics.getProcessCpuLoad() > 0.8) {
alert.addIssue("CPU usage > 80%", "Consider optimizing or scaling");
}
// Check threads
if (metrics.getThreadCount() > 1000) {
alert.addIssue("Thread count > 1000", "Check for thread leaks");
}
return alert;
}
/**
* Get cgroup memory limit
*/
private long getContainerMemoryLimit() {
try {
String memoryLimit = Files.readString(Path.of("/sys/fs/cgroup/memory/memory.limit_in_bytes"));
return Long.parseLong(memoryLimit.trim());
} catch (Exception e) {
return -1; // Not running in container or cgroup v2
}
}
/**
* Get cgroup CPU quota
*/
private double getContainerCpuQuota() {
try {
String cpuQuota = Files.readString(Path.of("/sys/fs/cgroup/cpu/cpu.cfs_quota_us"));
String cpuPeriod = Files.readString(Path.of("/sys/fs/cgroup/cpu/cpu.cfs_period_us"));
long quota = Long.parseLong(cpuQuota.trim());
long period = Long.parseLong(cpuPeriod.trim());
if (quota > 0 && period > 0) {
return (double) quota / period;
}
} catch (Exception e) {
// Not running in container
}
return -1;
}
// Inner classes
public static class ContainerMetrics {
private double systemCpuLoad;
private double processCpuLoad;
private int availableProcessors;
private long heapUsed;
private long heapMax;
private long nonHeapUsed;
private int threadCount;
private int peakThreadCount;
private long containerMemory;
private double containerCpuQuota;
// getters and setters
}
public static class ResourceAlert {
private List<String> issues = new ArrayList<>();
private List<String> recommendations = new ArrayList<>();
public void addIssue(String issue, String recommendation) {
issues.add(issue);
recommendations.add(recommendation);
}
public boolean hasIssues() {
return !issues.isEmpty();
}
// getters
}
}
7. Network Security Configuration
import org.springframework.stereotype.Service;
import java.net.*;
import java.util.*;
@Service
public class NetworkSecurityService {
/**
* Configure network security settings
*/
public void configureNetworkSecurity() {
// Set secure socket properties
System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");
System.setProperty("jdk.tls.rejectClientInitiatedRenegotiation", "true");
// Disable insecure protocols
System.setProperty("jdk.tls.disabledAlgorithms",
"SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, " +
"EC keySize < 224, 3DES_EDE_CBC, anon, NULL");
// Configure DNS cache
System.setProperty("networkaddress.cache.ttl", "30");
System.setProperty("networkaddress.cache.negative.ttl", "10");
}
/**
* Validate network configuration
*/
public NetworkValidation validateNetworkConfiguration() {
NetworkValidation validation = new NetworkValidation();
try {
// Check DNS resolution
validation.setDnsWorking(checkDNSResolution());
// Check network connectivity
validation.setNetworkReachable(checkNetworkConnectivity());
// Check listening ports
validation.setOpenPorts(getListeningPorts());
// Check firewall rules
validation.setFirewallEnabled(checkFirewall());
} catch (Exception e) {
validation.setValidationFailed(true);
validation.setErrorMessage(e.getMessage());
}
return validation;
}
/**
* Configure HTTP client security
*/
public void configureHttpClientSecurity() {
// Set HTTP client security properties
System.setProperty("http.agent", "SecureJavaApp");
System.setProperty("jdk.httpclient.allowRestrictedHeaders", "connection,content-length,expect,host,upgrade");
// Configure connection pool
System.setProperty("jdk.httpclient.connectionPoolSize", "10");
System.setProperty("jdk.httpclient.keepalive.timeout", "30");
}
private boolean checkDNSResolution() {
try {
InetAddress.getByName("google.com");
return true;
} catch (UnknownHostException e) {
return false;
}
}
private boolean checkNetworkConnectivity() {
try (Socket socket = new Socket()) {
socket.connect(new InetSocketAddress("8.8.8.8", 53), 5000);
return true;
} catch (IOException e) {
return false;
}
}
private List<Integer> getListeningPorts() throws IOException {
List<Integer> ports = new ArrayList<>();
// Use netstat or ss to find listening ports
ProcessBuilder pb = new ProcessBuilder("ss", "-tln");
Process process = pb.start();
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()))) {
String line;
reader.readLine(); // Skip header
while ((line = reader.readLine()) != null) {
String[] parts = line.split("\\s+");
if (parts.length >= 4) {
String localAddress = parts[3];
if (localAddress.contains(":")) {
String portStr = localAddress.substring(localAddress.lastIndexOf(':') + 1);
if (!portStr.equals("*")) {
ports.add(Integer.parseInt(portStr));
}
}
}
}
}
return ports;
}
private boolean checkFirewall() {
try {
// Check if iptables/nftables is running
ProcessBuilder pb = new ProcessBuilder("sh", "-c",
"iptables -L 2>/dev/null || nft list ruleset 2>/dev/null");
Process process = pb.start();
return process.waitFor() == 0;
} catch (IOException | InterruptedException e) {
return false;
}
}
public static class NetworkValidation {
private boolean validationFailed;
private String errorMessage;
private boolean dnsWorking;
private boolean networkReachable;
private List<Integer> openPorts;
private boolean firewallEnabled;
// getters and setters
}
}
8. Secure Logging Configuration
import org.springframework.stereotype.Service;
import java.util.logging.*;
@Service
public class SecureLoggingService {
/**
* Configure secure logging for Alpine
*/
public void configureSecureLogging() {
// Clear existing handlers
Logger rootLogger = Logger.getLogger("");
for (Handler handler : rootLogger.getHandlers()) {
rootLogger.removeHandler(handler);
}
// Create JSON formatter for structured logging
Handler jsonHandler = new ConsoleHandler();
jsonHandler.setFormatter(new JSONFormatter());
jsonHandler.setLevel(Level.INFO);
// Add security filter
jsonHandler.setFilter(new SecurityFilter());
rootLogger.addHandler(jsonHandler);
// Configure log levels
rootLogger.setLevel(Level.INFO);
Logger.getLogger("org.springframework").setLevel(Level.WARN);
Logger.getLogger("org.hibernate").setLevel(Level.WARN);
// Disable sensitive data logging
System.setProperty("log4j2.formatMsgNoLookups", "true");
}
/**
* JSON Formatter for structured logging
*/
private static class JSONFormatter extends Formatter {
@Override
public String format(LogRecord record) {
return String.format(
"{\"timestamp\": \"%s\", \"level\": \"%s\", \"logger\": \"%s\", " +
"\"message\": \"%s\", \"thread\": \"%s\"}%n",
new java.util.Date(record.getMillis()),
record.getLevel(),
record.getLoggerName(),
formatMessage(record).replace("\"", "\\\""),
record.getThreadID()
);
}
}
/**
* Security filter to prevent logging sensitive data
*/
private static class SecurityFilter implements Filter {
private static final Set<String> SENSITIVE_PATTERNS = Set.of(
"password", "secret", "key", "token", "auth", "credential"
);
@Override
public boolean isLoggable(LogRecord record) {
String message = record.getMessage().toLowerCase();
// Check for sensitive data patterns
for (String pattern : SENSITIVE_PATTERNS) {
if (message.contains(pattern)) {
// Redact sensitive data
record.setMessage("[REDACTED: Contains sensitive data]");
break;
}
}
return true;
}
}
/**
* Configure log rotation and retention
*/
public void configureLogRotation() {
try {
// Create log directory with secure permissions
Path logDir = Path.of("/var/log/app");
Files.createDirectories(logDir);
Files.setPosixFilePermissions(logDir, Set.of(
PosixFilePermission.OWNER_READ,
PosixFilePermission.OWNER_WRITE,
PosixFilePermission.OWNER_EXECUTE,
PosixFilePermission.GROUP_READ,
PosixFilePermission.GROUP_EXECUTE
));
// Configure logrotate (if available)
configureLogrotate();
} catch (IOException e) {
logger.warn("Failed to configure log rotation: {}", e.getMessage());
}
}
private void configureLogrotate() throws IOException {
String logrotateConfig = """
/var/log/app/*.log {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 644 appuser appgroup
postrotate
kill -HUP `cat /var/run/app.pid 2>/dev/null` 2>/dev/null || true
endscript
}
""";
Files.writeString(Path.of("/etc/logrotate.d/app"), logrotateConfig);
}
}
9. CI/CD Security Pipeline
# .github/workflows/alpine-security-scan.yml
name: Alpine Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
security-scan:
runs-on: ubuntu-latest
container:
image: alpine:3.18
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install security tools
run: |
apk add --no-cache \
trivy \
hadolint \
git-secrets \
checksec \
lynis
- name: Scan Dockerfile
run: |
hadolint Dockerfile
- name: Scan for secrets
run: |
git secrets --scan
- name: Check binary security
run: |
# Build application
./mvnw clean package
# Check compiled binaries
checksec --file=target/*.jar
- name: Container vulnerability scan
run: |
# Build test image
docker build -t test-image:scan .
# Scan with Trivy
trivy image --severity HIGH,CRITICAL test-image:scan
- name: Lynis system audit
run: |
lynis audit system --quick
build-secure-image:
runs-on: ubuntu-latest
needs: security-scan
if: success()
steps:
- name: Build and push secure image
run: |
docker build \
--tag ${{ secrets.REGISTRY }}/app:${{ github.sha }} \
--tag ${{ secrets.REGISTRY }}/app:latest \
--file Dockerfile.alpine-secure .
docker push ${{ secrets.REGISTRY }}/app:${{ github.sha }}
docker push ${{ secrets.REGISTRY }}/app:latest
Best Practices Summary
1. Minimal Base Image
# Use specific version, not latest FROM alpine:3.18 # Remove package manager after installation RUN apk add --no-cache openjdk17-jre && \ rm -rf /var/cache/apk/*
2. Non-root User
// Always run as non-root user
public void enforceNonRoot() {
String user = System.getProperty("user.name");
if ("root".equals(user)) {
throw new SecurityException("Application must not run as root");
}
}
3. Resource Limits
# docker-compose.yml services: app: deploy: resources: limits: memory: 512M cpus: '0.5' security_opt: - no-new-privileges:true read_only: true tmpfs: - /tmp:rw,noexec,nosuid
4. Regular Updates
# Weekly security updates apk upgrade --no-cache
Conclusion
This comprehensive Alpine Linux security implementation for Java provides:
- musl libc compatibility and optimization
- Container security hardening with seccomp, AppArmor
- Minimal attack surface through package reduction
- Resource isolation with cgroups and namespaces
- Security monitoring and vulnerability scanning
- Secure logging with data redaction
- CI/CD integration for automated security checks
Key benefits:
- Smaller image size (~40MB vs 200MB+ for standard Linux)
- Reduced vulnerability surface
- Improved performance for containerized environments
- Better security posture out of the box
- Compliance readiness for security standards
This setup ensures Java applications run securely in Alpine Linux containers while maintaining performance and compatibility.
Advanced Java Container Security, Sandboxing & Trusted Runtime Environments
https://macronepal.com/blog/sandboxing-java-applications-implementing-landlock-lsm-for-enhanced-container-security/
Explains using Linux Landlock LSM to sandbox Java applications by restricting file system and resource access without root privileges, improving application-level isolation and reducing attack surface.
https://macronepal.com/blog/gvisor-sandbox-integration-in-java-complete-guide/
Explains integrating gVisor with Java to provide a user-space kernel sandbox that intercepts system calls and isolates applications from the host operating system for stronger security.
https://macronepal.com/blog/selinux-for-java-mandatory-access-control-for-jvm-applications/
Explains how SELinux enforces Mandatory Access Control (MAC) policies on Java applications, strictly limiting what files, processes, and network resources the JVM can access.
https://macronepal.com/java/a-comprehensive-guide-to-intel-sgx-sdk-integration-in-java/
Explains Intel SGX integration in Java, allowing sensitive code and data to run inside secure hardware enclaves that remain protected even if the OS is compromised.
https://macronepal.com/blog/building-a-microvm-runtime-with-aws-firecracker-in-java-a-comprehensive-guide/
Explains using AWS Firecracker microVMs with Java to run workloads in lightweight virtual machines that provide strong isolation with near-container performance efficiency.
https://macronepal.com/blog/enforcing-mandatory-access-control-implementing-apparmor-for-java-applications/
Explains AppArmor security profiles for Java applications, enforcing rules that restrict file access, execution rights, and system-level permissions.
https://macronepal.com/blog/rootless-containers-in-java-secure-container-operations-without-root/
Explains running Java applications in rootless containers using Linux user namespaces so containers operate securely without requiring root privileges.
https://macronepal.com/blog/unlocking-container-security-harnessing-user-namespaces-in-java/
Explains Linux user namespaces, which isolate user and group IDs inside containers to improve privilege separation and enhance container security for Java workloads.
https://macronepal.com/blog/secure-bootstrapping-in-java-comprehensive-trust-establishment-framework/
Explains secure bootstrapping in Java, focusing on how systems establish trust during startup using secure key management, identity verification, and trusted configuration loading.
https://macronepal.com/blog/securing-java-applications-with-chainguard-wolfi-a-comprehensive-guide-2/
Explains using Chainguard/Wolfi minimal container images to secure Java applications by reducing unnecessary packages, minimizing vulnerabilities, and providing a hardened runtime environment.