Hardening fixes

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh
+# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh
 
 # ---/Dockerfile---
 # The NetAlertX Dockerfile has 3 stages:
@@ -103,7 +103,6 @@ ENV PORT=20211
 ENV NETALERTX_DEBUG=0
 ENV VENDORSPATH=/app/back/ieee-oui.txt
 ENV VENDORSPATH_NEWEST=/services/run/tmp/ieee-oui.txt
-ENV PYTHONPATHPATH="${NETALERTX_APP}:${VIRTUAL_ENV}/bin:${PATH}"
 ENV ENVIRONMENT=alpine
 ENV READ_ONLY_USER=readonly READ_ONLY_GROUP=readonly
 ENV NETALERTX_USER=netalertx NETALERTX_GROUP=netalertx
@@ -146,13 +145,14 @@ RUN apk add libcap && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/arp-scan && \
     setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/bin/nbtscan && \
     setcap cap_net_raw,cap_net_admin+eip /usr/bin/traceroute && \
-    setcap cap_net_raw,cap_net_admin+eip ${VIRTUAL_ENV_BIN}/scapy && \
+    setcap cap_net_raw,cap_net_admin+eip $(readlink -f ${VIRTUAL_ENV_BIN}/python) && \
     /bin/sh /build/init-nginx.sh && \
     /bin/sh /build/init-php-fpm.sh && \
     /bin/sh /build/init-crond.sh && \
     /bin/sh /build/init-backend.sh && \
     rm -rf /build && \
-    apk del libcap
+    apk del libcap && \
+    date +%s > ${NETALERTX_FRONT}/buildtimestamp.txt
 
 
 ENTRYPOINT ["/bin/sh","/entrypoint.sh"]
@@ -185,6 +185,9 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
     chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
     chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \
+    for dir in ${READ_WRITE_FOLDERS}; do \
+        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
+    done && \
     apk del apk-tools && \
     rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
     /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
@@ -210,27 +213,28 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app
 
-ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
+ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages:/usr/lib/python3.12/site-packages
 ENV PATH=/services:${PATH}
 ENV PHP_INI_SCAN_DIR=/services/config/php/conf.d:/etc/php83/conf.d
 ENV LISTEN_ADDR=0.0.0.0
 ENV PORT=20211
 ENV NETALERTX_DEBUG=1
 ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
-
+USER root
 # Install common tools, create user, and set up sudo
-RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov fish shfmt sudo
+RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
+    pytest-cov fish shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx
+
 
 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
     cp -a /usr/lib/php83/modules/. /services/php/modules/ && \
     echo "${NETALERTX_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-# Install debugpy in the virtualenv if present, otherwise into system python3
-RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' && \
-    mkdir /workspaces && \
+RUN mkdir /workspaces && \
     install -d -o netalertx -g netalertx -m 777 /services/run/logs && \
     install -d -o netalertx -g netalertx -m 777 /app/run/tmp/client_body && \
     sed -i -e 's|:/app:|:/workspaces:|' /etc/passwd && \
-    python -m pip install -U pytest pytest-cov
-
+    find /opt/venv -type d -exec chmod o+rwx {} \;
+
+USER netalertx
 ENTRYPOINT ["/bin/sh","-c","sleep infinity"]

.devcontainer/devcontainer.json

@@ -23,6 +23,9 @@
     // even within this container and connect to them as needed.
     // "--network=host",
   ],
+  "mounts": [ 
+    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" //used for testing various conditions in docker
+  ],
   // ATTENTION: If running with --network=host, COMMENT `forwardPorts` OR ELSE THERE WILL BE NO WEBUI!
   "forwardPorts": [20211, 20212, 5678],
   "portsAttributes": { // the ports we care about
@@ -40,8 +43,13 @@
     }
   },
 
-  "postStartCommand": "${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh",
-
+  "postCreateCommand": {
+      "Install Pip Requirements": "/opt/venv/bin/pip3 install pytest docker debugpy"
+  },
+  "postStartCommand": {
+      "Start Environment":"${containerWorkspaceFolder}/.devcontainer/scripts/setup.sh",
+      "Build test-container":"echo building netalertx-test container in background. check /tmp/build.log for progress. && setsid docker buildx build -t netalertx-test . > /tmp/build.log 2>&1 &"
+  },
   "customizations": {
     "vscode": {
       "extensions": [

.devcontainer/resources/devcontainer-Dockerfile

@@ -7,27 +7,28 @@
 FROM runner AS netalertx-devcontainer
 ENV INSTALL_DIR=/app
 
-ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages
+ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages:/usr/lib/python3.12/site-packages
 ENV PATH=/services:${PATH}
 ENV PHP_INI_SCAN_DIR=/services/config/php/conf.d:/etc/php83/conf.d
 ENV LISTEN_ADDR=0.0.0.0
 ENV PORT=20211
 ENV NETALERTX_DEBUG=1
 ENV PYDEVD_DISABLE_FILE_VALIDATION=1
 COPY .devcontainer/resources/devcontainer-overlay/ /
-
+USER root
 # Install common tools, create user, and set up sudo
-RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov fish shfmt github-cli
+RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest \
+    pytest-cov fish shfmt github-cli py3-yaml py3-docker-py docker-cli docker-cli-buildx
+
 
 RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \
     cp -a /usr/lib/php83/modules/. /services/php/modules/ && \
     echo "${NETALERTX_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-# Install debugpy in the virtualenv if present, otherwise into system python3
-RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || (python3 -m pip install --no-cache-dir debugpy) || true' && \
-    mkdir /workspaces && \
+RUN mkdir /workspaces && \
     install -d -o netalertx -g netalertx -m 777 /services/run/logs && \
     install -d -o netalertx -g netalertx -m 777 /app/run/tmp/client_body && \
     sed -i -e 's|:/app:|:/workspaces:|' /etc/passwd && \
-    python -m pip install -U pytest pytest-cov
-
+    find /opt/venv -type d -exec chmod o+rwx {} \;
+
+USER netalertx
 ENTRYPOINT ["/bin/sh","-c","sleep infinity"]

.devcontainer/scripts/setup.sh

@@ -25,11 +25,52 @@ export PORT=20211
 export SOURCE_DIR="/workspaces/NetAlertX"
 
 
+ensure_docker_socket_access() {
+  local socket="/var/run/docker.sock"
+  if [ ! -S "${socket}" ]; then
+    echo "docker socket not present; skipping docker group configuration"
+    return
+  fi
+
+  local sock_gid
+  sock_gid=$(stat -c '%g' "${socket}" 2>/dev/null || true)
+  if [ -z "${sock_gid}" ]; then
+    echo "unable to determine docker socket gid; skipping docker group configuration"
+    return
+  fi
+
+  local group_entry=""
+  if command -v getent >/dev/null 2>&1; then
+    group_entry=$(getent group "${sock_gid}" 2>/dev/null || true)
+  else
+    group_entry=$(grep -E ":${sock_gid}:" /etc/group 2>/dev/null || true)
+  fi
+
+  local group_name=""
+  if [ -n "${group_entry}" ]; then
+    group_name=$(echo "${group_entry}" | cut -d: -f1)
+  else
+    group_name="docker-host"
+    sudo addgroup -g "${sock_gid}" "${group_name}" 2>/dev/null || group_name=$(grep -E ":${sock_gid}:" /etc/group | head -n1 | cut -d: -f1)
+  fi
+
+  if [ -z "${group_name}" ]; then
+    echo "failed to resolve group for docker socket gid ${sock_gid}; skipping docker group configuration"
+    return
+  fi
+
+  if ! id -nG netalertx | tr ' ' '\n' | grep -qx "${group_name}"; then
+    sudo addgroup netalertx "${group_name}" 2>/dev/null || true
+  fi
+}
+
+
 main() {
     echo "=== NetAlertX Development Container Setup ==="
     killall php-fpm83 nginx crond python3 2>/dev/null
     sleep 1
     echo "Setting up ${SOURCE_DIR}..."
+    ensure_docker_socket_access
     sudo chown $(id -u):$(id -g) /workspaces
     sudo chmod 755 /workspaces
     configure_source
@@ -102,6 +143,12 @@ configure_source() {
         killall python3 &>/dev/null
         sleep 0.2
     done
+	sudo chmod 777 /opt/venv/lib/python3.12/site-packages/ && \
+  sudo chmod 005 /opt/venv/lib/python3.12/site-packages/
+	sudo chmod 666 /var/run/docker.sock
+
+	echo "      -> Updating build timestamp"
+	date +%s > ${NETALERTX_FRONT}/buildtimestamp.txt
 
 }
 

.gitignore

@@ -1,3 +1,4 @@
+.coverage
 .vscode
 .dotnet
 .vscode-server

.vscode/tasks.json

@@ -160,5 +160,26 @@
         "color": "terminal.ansiBlue"
       }
     }
+    ,
+    {
+      "label": "[Any] Build Unit Test Docker image",
+      "type": "shell",
+      "command": "docker buildx build -t netalertx-test . && echo '🧪 Unit Test Docker image built: netalertx-test'",
+      "presentation": {
+        "echo": true,
+        "reveal": "always",
+        "panel": "shared",
+        "showReuseMessage": false
+      },
+      "problemMatcher": [],
+      "group": {
+        "kind": "build",
+        "isDefault": false
+      },
+      "icon": {
+        "id": "beaker",
+        "color": "terminal.ansiBlue"
+      }
+    }
   ]
 }

Dockerfile

@@ -182,6 +182,9 @@ RUN chown -R ${READ_ONLY_USER}:${READ_ONLY_GROUP} ${READ_ONLY_FOLDERS} && \
     find ${READ_WRITE_FOLDERS} -type d -exec chmod 700 {} + && \
     chown ${READ_ONLY_USER}:${READ_ONLY_GROUP} /entrypoint.sh /opt /opt/venv && \
     chmod 005 /entrypoint.sh ${SYSTEM_SERVICES}/*.sh /app /opt /opt/venv && \
+    for dir in ${READ_WRITE_FOLDERS}; do \
+        install -d -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} -m 700 "$dir"; \
+    done && \
     apk del apk-tools && \
     rm -Rf /var /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
     /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \

README.md

@@ -10,17 +10,25 @@ Get visibility of what's going on on your WIFI/LAN network and enable presence d
 
 ## 📋 Table of Contents
 
-- [Features](#-features)
-- [Documentation](#-documentation)
-- [Quick Start](#-quick-start)
-- [Alternative Apps](#-other-alternative-apps)
-- [Security & Privacy](#-security--privacy)
-- [FAQ](#-faq)
-- [Known Issues](#-known-issues)
-- [Donations](#-donations)
-- [Contributors](#-contributors)
-- [Translations](#-translations)
-- [License](#license)
+- [NetAlertX - Network, presence scanner and alert framework](#netalertx---network-presence-scanner-and-alert-framework)
+  - [📋 Table of Contents](#-table-of-contents)
+  - [🚀 Quick Start](#-quick-start)
+  - [📦 Features](#-features)
+    - [Scanners](#scanners)
+    - [Notification gateways](#notification-gateways)
+    - [Integrations and Plugins](#integrations-and-plugins)
+    - [Workflows](#workflows)
+  - [📚 Documentation](#-documentation)
+  - [🔐 Security \& Privacy](#-security--privacy)
+  - [❓ FAQ](#-faq)
+  - [🐞 Known Issues](#-known-issues)
+  - [📃 Everything else](#-everything-else)
+    - [📧 Get notified what's new](#-get-notified-whats-new)
+    - [🔀 Other Alternative Apps](#-other-alternative-apps)
+    - [💙 Donations](#-donations)
+    - [🏗 Contributors](#-contributors)
+    - [🌍 Translations](#-translations)
+    - [License](#license)
 
 
 ## 🚀 Quick Start
@@ -38,6 +46,14 @@ docker run -d --rm --network=host \
   ghcr.io/jokob-sk/netalertx:latest
 ```
 
+To deploy a containerized instance directly from the source repository, execute the following BASH sequence:
+```bash
+git clone https://github.com/jokob-sk/NetAlertX.git
+cd NetAlertX
+docker compose up --force-recreate --build
+# To customize: edit docker-compose.yaml and run that last command again
+```
+
 Need help configuring it? Check the [usage guide](https://github.com/jokob-sk/NetAlertX/blob/main/docs/README.md) or [full documentation](https://jokob-sk.github.io/NetAlertX/).
 
 For Home Assistant users: [Click here to add NetAlertX](https://my.home-assistant.io/redirect/supervisor_add_addon_repository/?repository_url=https%3A%2F%2Fgithub.com%2Falexbelgium%2Fhassio-addons)