I’m been listening to the Fedora podcast and it seems like the OCI images are now getting some serious attention.
Anyone using the Fedora base image to make custom containers to deploy Nextcloud, Caddy and other services? My thought is that Fedora focuses on security so in theory software packaged with it will be secure and properly configured by default. Having Fedora in the middle will also theoretically protect against hostile changes upstream. The downside is that the image is a little big but I think it is manageable.
Anyone else use Fedora?
Alpine isn’t exactly fortified either. It needs some work too. Ideally you’d use a deblobbed kernel with KSPP and use MAC, harden permissions, install hardened_malloc. I don’t recall if there’s CIS benchmarks or STIGs for Alpine but those are very important too. These are my basic steps for hardening anything. But Alpine has the advantage of being lean from the start. Ideally you’d compile your packages with hardened flags like on Gentoo but for a regular container and VM host that might be too much (or not - depends on your appetite for this stuff).