scruffyscarf · scruffyscarf · Oct 13, 2025
diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt
@@ -0,0 +1,36 @@
+=== Functionality Test ===
+Default: HTTP 200
+Hardened: HTTP 200
+Production: HTTP 200
+
+=== Resource Usage ===
+NAME               CPU %     MEM USAGE / LIMIT     MEM %
+juice-default      2.21%     173.2MiB / 3.827GiB   4.42%
+juice-hardened     0.53%     109.7MiB / 512MiB     21.42%
+juice-production   0.45%     98.17MiB / 512MiB     19.17%
+
+=== Security Configurations ===
+
+Container: juice-default
+CapDrop: <no value>
+SecurityOpt: <no value>
+Memory: 3.827GiB
+CPU: 2.21%
+PIDs: <no value>
+Restart: no
+
+Container: juice-hardened
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges]
+Memory: 512MiB
+CPU: 0.53%
+PIDs: <no value>
+Restart: no
+
+Container: juice-production
+CapDrop: [ALL]
+SecurityOpt: [no-new-privileges seccomp=default]
+Memory: 512MiB
+CPU: 0.45%
+PIDs: 100
+Restart: on-failure
diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt
@@ -0,0 +1,165 @@
+# ------------------------------------------------------------------------------
+# Docker Bench for Security v1.3.4
+#
+# Docker, Inc. (c) 2015-
+#
+# Checks for dozens of common best-practices around deploying Docker containers in production.
+# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
+# ------------------------------------------------------------------------------
+
+Initializing Sun Oct 12 15:03:42 UTC 2025
+
+
+[INFO] 1 - Host Configuration
+[WARN] 1.1  - Ensure a separate partition for containers has been created
+[NOTE] 1.2  - Ensure the container host has been Hardened
+[PASS] 1.3  - Ensure Docker is up to date
+[INFO]      * Using 27.4.0 which is current
+[INFO]      * Check with your operating system vendor for support and security maintenance for Docker
+[INFO] 1.4  - Ensure only trusted users are allowed to control Docker daemon
+[INFO]      * docker:x:101
+[WARN] 1.5  - Ensure auditing is configured for the Docker daemon
+[INFO] 1.6  - Ensure auditing is configured for Docker files and directories - /var/lib/docker
+[INFO]      * Directory not found
+[INFO] 1.7  - Ensure auditing is configured for Docker files and directories - /etc/docker
+[INFO]      * Directory not found
+[INFO] 1.8  - Ensure auditing is configured for Docker files and directories - docker.service
+[INFO]      * File not found
+[INFO] 1.9  - Ensure auditing is configured for Docker files and directories - docker.socket
+[INFO]      * File not found
+[INFO] 1.10  - Ensure auditing is configured for Docker files and directories - /etc/default/docker
+[INFO]      * File not found
+[INFO] 1.11  - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json
+[INFO]      * File not found
+[INFO] 1.12  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd
+[INFO]      * File not found
+[INFO] 1.13  - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc
+[INFO]      * File not found
+
+
+[INFO] 2 - Docker daemon configuration
+[WARN] 2.1  - Ensure network traffic is restricted between containers on the default bridge
+[PASS] 2.2  - Ensure the logging level is set to 'info'
+[PASS] 2.3  - Ensure Docker is allowed to make changes to iptables
+[PASS] 2.4  - Ensure insecure registries are not used
+[PASS] 2.5  - Ensure aufs storage driver is not used
+[WARN] 2.6  - Ensure TLS authentication for Docker daemon is configured
+[WARN]      * Docker daemon currently listening on TCP without TLS
+[INFO] 2.7  - Ensure the default ulimit is configured appropriately
+[INFO]      * Default ulimit doesn't appear to be set
+[WARN] 2.8  - Enable user namespace support
+[PASS] 2.9  - Ensure the default cgroup usage has been confirmed
+[PASS] 2.10  - Ensure base device size is not changed until needed
+[WARN] 2.11  - Ensure that authorization for Docker client commands is enabled
+[WARN] 2.12  - Ensure centralized and remote logging is configured
+[INFO] 2.13  - Ensure operations on legacy registry (v1) are Disabled (Deprecated)
+[WARN] 2.14  - Ensure live restore is Enabled
+[WARN] 2.15  - Ensure Userland Proxy is Disabled
+[INFO] 2.16  - Ensure daemon-wide custom seccomp profile is applied, if needed
+[PASS] 2.17  - Ensure experimental features are avoided in production
+[WARN] 2.18  - Ensure containers are restricted from acquiring new privileges
+
+
+[INFO] 3 - Docker daemon configuration files
+[INFO] 3.1  - Ensure that docker.service file ownership is set to root:root
+[INFO]      * File not found
+[INFO] 3.2  - Ensure that docker.service file permissions are set to 644 or more restrictive
+[INFO]      * File not found
+[INFO] 3.3  - Ensure that docker.socket file ownership is set to root:root
+[INFO]      * File not found
+[INFO] 3.4  - Ensure that docker.socket file permissions are set to 644 or more restrictive
+[INFO]      * File not found
+[INFO] 3.5  - Ensure that /etc/docker directory ownership is set to root:root
+[INFO]      * Directory not found
+[INFO] 3.6  - Ensure that /etc/docker directory permissions are set to 755 or more restrictive
+[INFO]      * Directory not found
+[INFO] 3.7  - Ensure that registry certificate file ownership is set to root:root
+[INFO]      * Directory not found
+[INFO] 3.8  - Ensure that registry certificate file permissions are set to 444 or more restrictive
+[INFO]      * Directory not found
+[INFO] 3.9  - Ensure that TLS CA certificate file ownership is set to root:root
+[INFO]      * No TLS CA certificate found
+[INFO] 3.10  - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive
+[INFO]      * No TLS CA certificate found
+[INFO] 3.11  - Ensure that Docker server certificate file ownership is set to root:root
+[INFO]      * No TLS Server certificate found
+[INFO] 3.12  - Ensure that Docker server certificate file permissions are set to 444 or more restrictive
+[INFO]      * No TLS Server certificate found
+[INFO] 3.13  - Ensure that Docker server certificate key file ownership is set to root:root
+[INFO]      * No TLS Key found
+[INFO] 3.14  - Ensure that Docker server certificate key file permissions are set to 400
+[INFO]      * No TLS Key found
+[WARN] 3.15  - Ensure that Docker socket file ownership is set to root:docker
+[WARN]      * Wrong ownership for /var/run/docker.sock
+[PASS] 3.16  - Ensure that Docker socket file permissions are set to 660 or more restrictive
+[INFO] 3.17  - Ensure that daemon.json file ownership is set to root:root
+[INFO]      * File not found
+[INFO] 3.18  - Ensure that daemon.json file permissions are set to 644 or more restrictive
+[INFO]      * File not found
+[INFO] 3.19  - Ensure that /etc/default/docker file ownership is set to root:root
+[INFO]      * File not found
+[INFO] 3.20  - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive
+[INFO]      * File not found
+
+
+[INFO] 4 - Container Images and Build File
+[INFO] 4.1  - Ensure a user for the container has been created
+[INFO]      * No containers running
+[NOTE] 4.2  - Ensure that containers use trusted base images
+[NOTE] 4.3  - Ensure unnecessary packages are not installed in the container
+[NOTE] 4.4  - Ensure images are scanned and rebuilt to include security patches
+[WARN] 4.5  - Ensure Content trust for Docker is Enabled
+[WARN] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image
+[WARN]      * No Healthcheck found: [snyk/snyk:docker]
+[WARN]      * No Healthcheck found: [bridgecrew/checkov:latest]
+[WARN]      * No Healthcheck found: [checkmarx/kics:latest]
+[WARN]      * No Healthcheck found: [bkimminich/juice-shop:v19.0.0]
+[WARN]      * No Healthcheck found: [sh3b0/renderer:v2]
+[WARN]      * No Healthcheck found: [nginx:alpine]
+[WARN]      * No Healthcheck found: [aquasec/tfsec:latest]
+[WARN]      * No Healthcheck found: [goodwithtech/dockle:latest]
+[WARN]      * No Healthcheck found: [tenable/terrascan:latest]
+[INFO] 4.7  - Ensure update instructions are not use alone in the Dockerfile
+[INFO]      * Update instruction found: [snyk/snyk:docker]
+[INFO]      * Update instruction found: [bridgecrew/checkov:latest]
+[INFO]      * Update instruction found: [checkmarx/kics:latest]
+[INFO]      * Update instruction found: [sh3b0/renderer:v2]
+[INFO]      * Update instruction found: [sh3b0/terminal:v2]
+[NOTE] 4.8  - Ensure setuid and setgid permissions are removed in the images
+[INFO] 4.9  - Ensure COPY is used instead of ADD in Dockerfile
+[INFO]      * ADD in image history: [snyk/snyk:docker]
+[INFO]      * ADD in image history: [sh3b0/terminal:v2]
+[INFO]      * ADD in image history: [nginx:alpine]
+[INFO]      * ADD in image history: [aquasec/tfsec:latest]
+[INFO]      * ADD in image history: [goodwithtech/dockle:latest]
+[INFO]      * ADD in image history: [docker/docker-bench-security:latest]
+[NOTE] 4.10  - Ensure secrets are not stored in Dockerfiles
+[NOTE] 4.11  - Ensure verified packages are only Installed
+
+
+[INFO] 5 - Container Runtime
+[INFO]      * No containers running, skipping Section 5
+
+
+[INFO] 6 - Docker Security Operations
+[INFO] 6.1  - Avoid image sprawl
+[INFO]      * There are currently: 11 images
+[INFO]      * Only 1 out of 11 are in use
+[INFO] 6.2  - Avoid container sprawl
+[INFO]      * There are currently a total of 1 containers, with 1 of them currently running
+
+
+[INFO] 7 - Docker Swarm Configuration
+[PASS] 7.1  - Ensure swarm mode is not Enabled, if not needed
+[PASS] 7.2  - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled)
+[PASS] 7.3  - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled)
+[PASS] 7.4  - Ensure data exchanged between containers are encrypted on different nodes on the overlay network
+[PASS] 7.5  - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled)
+[PASS] 7.6  - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled)
+[PASS] 7.7  - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled)
+[PASS] 7.8  - Ensure node certificates are rotated as appropriate (Swarm mode not enabled)
+[PASS] 7.9  - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled)
+[PASS] 7.10  - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled)
+
+[INFO] Checks: 74
+[INFO] Score: 5
diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt
@@ -0,0 +1,9 @@
+SKIP    - DKL-LI-0001: Avoid empty password
+        * failed to detect etc/shadow,etc/master.passwd
+INFO    - CIS-DI-0005: Enable Content trust for Docker
+        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
+INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
+        * not found HEALTHCHECK statement
+INFO    - DKL-LI-0003: Only put necessary files
+        * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store 
+        * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store