Zircolite/Dockerfile at master · wagga40/Zircolite · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
ARG PYTHON_VERSION="3.14-slim"

FROM python:${PYTHON_VERSION}

ARG ZIRCOLITE_INSTALL_PREFIX="/opt"
ARG ZIRCOLITE_REQUIREMENTS_FILE="requirements.txt"

LABEL org.opencontainers.image.title="Zircolite" \
      org.opencontainers.image.description="A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs" \
      org.opencontainers.image.authors="wagga40" \
      org.opencontainers.image.source="https://github.com/wagga40/Zircolite"

WORKDIR ${ZIRCOLITE_INSTALL_PREFIX}/zircolite

# Copy and install Python dependencies
COPY ${ZIRCOLITE_REQUIREMENTS_FILE} .
RUN pip install --no-cache-dir -r ${ZIRCOLITE_REQUIREMENTS_FILE} && \
    rm -rf ~/.cache/pip

# Copy static assets
COPY templates/ templates/
COPY config/ config/
COPY rules/ rules/
COPY gui/ gui/

# Copy application code
COPY zircolite/ zircolite/
COPY zircolite.py .

# Set permissions and update rules in single layer
RUN chmod 0755 zircolite.py && \
    python3 zircolite.py -U

# Run as a non-root user. chown happens after -U so the unprivileged user
# owns the refreshed rulesets and can read every asset under the install prefix.
RUN groupadd --system zircolite && \
    useradd --system --gid zircolite --home-dir ${ZIRCOLITE_INSTALL_PREFIX}/zircolite --shell /usr/sbin/nologin zircolite && \
    chown -R zircolite:zircolite ${ZIRCOLITE_INSTALL_PREFIX}/zircolite
USER zircolite

ENTRYPOINT ["python3", "zircolite.py"]
CMD ["--help"]