Feature/lab7

.github/pull_request_template.md

@@ -0,0 +1,19 @@
+## Goal
+<!-- Describe the objective of this PR. What problem are you solving or what feature are you implementing? -->
+
+## Changes
+<!-- List the main changes made in this PR -->
+- 
+- 
+- 
+
+## Testing
+<!-- Describe how you tested your changes. What scenarios did you verify? -->
+
+## Artifacts & Screenshots
+<!-- Attach any screenshots, logs, or artifacts that demonstrate the work -->
+
+## Checklist
+- [ ] Clear, descriptive PR title
+- [ ] Documentation updated if needed
+- [ ] No secrets, API keys, or large temporary files committed

labs/lab7/analysis/deployment-comparison.txt

@@ -0,0 +1,51 @@
+=== Functionality Test ===
+Default: HTTP 200
+Hardened: HTTP 200
+Production: HTTP 200
+
+=== Resource Usage ===
+NAME               CPU %     MEM USAGE / LIMIT     MEM %
+juice-default      0.64%     156.6MiB / 5.786GiB   2.64%
+juice-hardened     0.63%     105.8MiB / 512MiB     20.66%
+juice-production   0.59%     92.55MiB / 512MiB     18.08%
+
+=== Security Configurations ===
+
+Container: juice-default
+User: "65532"
+CapDrop: null
+CapAdd: null
+SecurityOpt: null
+Memory: 0
+MemorySwap: 0
+NanoCpus: 0
+CpuQuota: 0
+PIDs: <no value>
+Restart: no:0
+ReadonlyRootfs: false
+
+Container: juice-hardened
+User: "65532"
+CapDrop: ["ALL"]
+CapAdd: null
+SecurityOpt: ["no-new-privileges"]
+Memory: 536870912
+MemorySwap: 1073741824
+NanoCpus: 1000000000
+CpuQuota: 0
+PIDs: <no value>
+Restart: no:0
+ReadonlyRootfs: false
+
+Container: juice-production
+User: "65532"
+CapDrop: ["ALL"]
+CapAdd: ["CAP_NET_BIND_SERVICE"]
+SecurityOpt: ["no-new-privileges","seccomp=builtin"]
+Memory: 536870912
+MemorySwap: 536870912
+NanoCpus: 1000000000
+CpuQuota: 0
+PIDs: 100
+Restart: on-failure:3
+ReadonlyRootfs: false

labs/lab7/hardening/docker-bench-results-adapted.txt

@@ -0,0 +1 @@
+Error connecting to docker daemon (does docker ps work?)

labs/lab7/hardening/docker-bench-results-stock-failure.txt

@@ -0,0 +1,4 @@
+WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
+docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/var/lib/docker/containers/5b59aaecdec190bd0c6112b69f971a288ef909b089147332a6cb6c0d9f5f80b3/hostname" to rootfs at "/etc/hostname": create mountpoint for /etc/hostname mount: make mountpoint "/etc/hostname": read-only file system
+
+Run 'docker run --help' for more information

labs/lab7/hardening/docker-bench-results-workaround.txt

@@ -0,0 +1 @@
+Error connecting to docker daemon (does docker ps work?)

labs/lab7/hardening/docker-bench-src/docker-bench-security.sh

@@ -0,0 +1,152 @@
+#!/bin/sh
+# ------------------------------------------------------------------------------
+# Docker Bench for Security
+#
+# Docker, Inc. (c) 2015-
+#
+# Checks for dozens of common best-practices around deploying Docker containers in production.
+# ------------------------------------------------------------------------------
+
+version='1.3.4'
+
+# Load dependencies
+. ./functions_lib.sh
+. ./helper_lib.sh
+
+# Setup the paths
+this_path=$(abspath "$0")       ## Path of this file including filename
+myname=$(basename "${this_path}")     ## file name of this script.
+
+readonly version
+readonly this_path
+readonly myname
+
+export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
+
+# Check for required program(s)
+req_progs='awk docker grep ss stat'
+for p in $req_progs; do
+  command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
+done
+
+# Ensure we can connect to docker daemon
+if ! docker ps -q >/dev/null 2>&1; then
+  printf "Error connecting to docker daemon (does docker ps work?)\n"
+  exit 1
+fi
+
+usage () {
+  cat <<EOF
+  usage: ${myname} [options]
+
+  -b           optional  Do not print colors
+  -h           optional  Print this help message
+  -l FILE      optional  Log output in FILE
+  -c CHECK     optional  Comma delimited list of specific check(s)
+  -e CHECK     optional  Comma delimited list of specific check(s) to exclude
+  -i INCLUDE   optional  Comma delimited list of patterns within a container name to check
+  -x EXCLUDE   optional  Comma delimited list of patterns within a container name to exclude from check
+  -t TARGET    optional  Comma delimited list of images name to check
+EOF
+}
+
+# Get the flags
+# If you add an option here, please
+# remember to update usage() above.
+while getopts bhl:c:e:i:x:t: args
+do
+  case $args in
+  b) nocolor="nocolor";;
+  h) usage; exit 0 ;;
+  l) logger="$OPTARG" ;;
+  c) check="$OPTARG" ;;
+  e) checkexclude="$OPTARG" ;;
+  i) include="$OPTARG" ;;
+  x) exclude="$OPTARG" ;;
+  t) imgList="$OPTARG" ;;
+  *) usage; exit 1 ;;
+  esac
+done
+
+if [ -z "$logger" ]; then
+  logger="${myname}.log"
+fi
+
+# Load output formating
+. ./output_lib.sh
+
+yell_info
+
+# Warn if not root
+ID=$(id -u)
+if [ "x$ID" != "x0" ]; then
+  warn "Some tests might require root to run"
+  sleep 3
+fi
+
+# Total Score
+# Warn Scored -1, Pass Scored +1, Not Score -0
+
+totalChecks=0
+currentScore=0
+
+logit "Initializing $(date)\n"
+beginjson "$version" "$(date +%s)"
+
+# Load all the tests from tests/ and run them
+main () {
+  # If there is a container with label docker_bench_security, memorize it:
+  benchcont="nil"
+  for c in $(docker ps | sed '1d' | awk '{print $NF}'); do
+    if docker inspect --format '{{ .Config.Labels }}' "$c" | \
+     grep -e 'docker.bench.security' >/dev/null 2>&1; then
+      benchcont="$c"
+    fi
+  done
+
+  if [ -n "$include" ]; then
+    pattern=$(echo "$include" | sed 's/,/|/g')
+    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -E "$pattern")
+  elif [ -n "$exclude" ]; then
+    pattern=$(echo "$exclude" | sed 's/,/|/g')
+    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -Ev "$pattern")
+  else
+    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
+  fi
+
+  if [ -z "$containers" ]; then
+    running_containers=0
+  else
+    running_containers=1
+  fi
+
+  for test in tests/*.sh; do
+    . ./"$test"
+  done
+
+  if [ -z "$check" ] && [ ! "$checkexclude" ]; then
+    cis
+  elif [ -z "$check" ] && [ "$checkexclude" ]; then
+    checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')"
+    for c in $(grep 'check_[0-9]' functions_lib.sh | grep -vE "$checkexcluded"); do
+      "$c"
+    done
+  else
+    for i in $(echo "$check" | sed "s/,/ /g"); do
+      if command -v "$i" 2>/dev/null 1>&2; then
+        "$i"
+      else
+        echo "Check \"$i\" doesn't seem to exist."
+        continue
+      fi
+    done
+  fi
+
+  printf "\n"
+  info "Checks: $totalChecks"
+  info "Score: $currentScore"
+
+  endjson "$totalChecks" "$currentScore" "$(date +%s)"
+}
+
+main "$@"