diff --color -ruN hybrid/sandbox/docker-compose.yml hardened/sandbox/docker-compose.yml
--- hybrid/sandbox/docker-compose.yml 2025-05-18 15:04:00.800680098 +0200
+++ hardened/sandbox/docker-compose.yml 2025-05-19 17:33:43.963243018 +0200
@@ -14,6 +14,15 @@
- 80
extra_hosts:
- "postgres:172.18.0.1"
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ cpus: '0.25'
+ pids: 100
+ reservations:
+ memory: 128M
+ cpus: '0.10'
gitea:
image: docker.gitea.com/gitea:latest
@@ -39,15 +48,20 @@
- 22
extra_hosts:
- "postgres:172.18.0.1"
-
- vulnerable:
- build: /vagrant/sandbox/vuln
- ports:
- - 2222:22
- networks:
- - internal
- extra_hosts:
- - "postgres:172.18.0.1"
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
+ interval: 1m30s
+ timeout: 10s
+ retries: 3
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ cpus: '0.50'
+ pids: 100
+ reservations:
+ memory: 256M
+ cpus: '0.25'
nginx:
image: nginx:latest
@@ -59,8 +73,22 @@
- ./nginx.conf:/etc/nginx/conf.d/default.conf
- ./nginx/certs:/etc/nginx/certs
ports:
- - 80:80
- - 443:443
+ - 0.0.0.0:80:80
+ - 0.0.0.0:443:443
+ deploy:
+ resources:
+ limits:
+ memory: 128M
+ cpus: '0.25'
+ pids: 100
+ reservations:
+ memory: 64M
+ cpus: '0.10'
+ read_only: true
+ tmpfs:
+ - /tmp
+ - /run
+ - /var/cache/nginx
networks:
internal:
diff --color -ruN hybrid/sandbox/playbook.yml hardened/sandbox/playbook.yml
--- hybrid/sandbox/playbook.yml 2025-05-17 15:34:46.781062066 +0200
+++ hardened/sandbox/playbook.yml 2025-05-19 18:21:22.570964238 +0200
@@ -20,9 +20,10 @@
- acl
- bc
- sysstat
+ - auditd
state: latest
update_cache: true
-
+
- name: Copy nginx conf
copy:
src: /vagrant/sandbox/nginx.conf
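Review bot: The web service in the first hunk (its definition starts above the hunk) only receives CPU/memory/pid limits, while nginx later in the same file also gets `read_only: true` plus tmpfs mounts; with a writable root filesystem and the default capability set, an attacker who lands on port 80 can still drop tooling into the container. If the app does not need to write outside a few paths, give it the same treatment, `read_only: true` with the tmpfs paths it needs, and add `cap_drop: [ALL]` with only the capabilities it actually requires. Note that `reservations` are soft hints only, and `deploy.resources` limits are applied by `docker compose` v2 but were ignored by legacy docker-compose v1 unless `--compatibility` was passed, so confirm which tool runs this file.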
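Review bot: `pids: 100` on the gitea service looks tight: Gitea forks a `git` process per HTTP/SSH operation and the pid limit counts every process in the container's cgroup, so a handful of concurrent clones or pushes may exhaust it and fail with `fork: Resource temporarily unavailable` instead of being throttled; a higher ceiling such as `pids: 512`, or a load test against the chosen value, is advisable. The new healthcheck has no `start_period`, so probes that fail while Gitea is still initialising or migrating its database count against `retries: 3`; adding `start_period: 60s` avoids the container being flagged unhealthy on first boot. The gitea service definition starts above the hunk, so I cannot see whether `user:` or `cap_drop` are set for it.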
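Review bot: `0.0.0.0:80:80` and `0.0.0.0:443:443` do not narrow exposure compared with the removed `80:80`/`443:443`, because Docker already publishes on all IPv4 addresses by default; the only observable difference is that, on a dual-stack host with IPv6 enabled for the bridge, the IPv6 listener may no longer be created. If the intent was to reach nginx only through a specific interface, bind that address instead, e.g. `- "127.0.0.1:443:443"` or the host's LAN IP, and quote the mappings as strings as Compose convention recommends. `read_only: true` with the tmpfs paths is a good step, but bind mounts stay writable: the `./nginx.conf` and `./nginx/certs` volume lines just above (unchanged context) should get a `:ro` suffix so a compromised worker cannot rewrite the config or the private key.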
@@ -209,6 +210,63 @@
state: present
notify: Restart PostgreSQL
+ - name: Configure audit rules for Docker
+ copy:
+ dest: /etc/audit/rules.d/docker.rules
+ owner: root
+ group: root
+ mode: '0640'
+ content: |
+ -w /usr/bin/dockerd -k docker
+ -w /run/containerd -k docker
+ -w /var/lib/docker -k docker
+ -w /etc/docker -k docker
+ -w /lib/systemd/system/docker.service -k docker
+ -w /run/containerd/containerd.sock -k docker
+ -w /var/run/docker.sock -k docker
+ -w /etc/default/docker -k docker
+ -w /etc/docker/daemon.json -k docker
+ -w /etc/containerd/config.toml -k docker
+ -w /etc/sysconfig/docker -k docker
+ -w /usr/bin/containerd -k docker
+ -w /usr/bin/containerd-shim -k docker
+ -w /usr/bin/containerd-shim-runc-v1 -k docker
+ -w /usr/bin/containerd-shim-runc-v2 -k docker
+ -w /usr/bin/runc -k docker
+ -w /usr/lib/systemd/system/docker.socket -k docker
+ -w /usr/bin/containerd -k docker
+ -w /usr/bin/containerd-shim -k docker
+ -w /usr/bin/containerd-shim-runc-v1 -k docker
+ -w /usr/bin/containerd-shim-runc-v2 -k docker
+ -w /usr/bin/runc -k docker
+
+ - name: Restart auditd to apply new rules
+ service:
+ name: auditd
+ state: restarted
+ enabled: yes
+
+ - name: Ensure Docker daemon configuration is hardened
+ copy:
+ dest: /etc/docker/daemon.json
+ owner: root
+ group: root
+ mode: '0644'
+ content: |
+ {
+ "live-restore": true,
+ "icc": false,
+ "no-new-privileges": true,
+ "log-level": "info",
+ "log-driver": "json-file",
+ "log-opts": {
+ "max-size": "10m",
+ "max-file": "3"
+ },
+ "userland-proxy": false
+ }
+ notify: Restart Docker
+
- name: Ensure Docker service is running
service:
name: docker
@@ -220,10 +278,15 @@
args:
chdir: /home/vagrant
-
handlers:
- name: Restart PostgreSQL
become: yes
service:
name: postgresql
+ state: restarted
+
+ - name: Restart Docker
+ become: yes
+ systemd:
+ name: docker
state: restarted
\ No newline at end of file
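Review bot: Restarting auditd with the `service` module is likely to fail on systemd hosts, because the auditd unit usually carries `RefuseManualStop=yes` and `systemctl restart auditd` is then refused, aborting the play; load the rules without a restart instead, `- name: Load audit rules` / `command: augenrules --load` (or run `service auditd restart` through `command`, which bypasses the systemd refusal). Independently, five watches in docker.rules are duplicated (`/usr/bin/containerd`, `containerd-shim`, `containerd-shim-runc-v1`, `containerd-shim-runc-v2`, `runc`); auditctl reports `Rule exists` for each duplicate and, depending on whether `-c` is in effect when the rules are loaded, may stop at the first error and leave the later `docker.socket` watch unset, so drop the second copies. `enabled: yes` should be `enabled: true`. On the daemon.json side, `"icc": false` only isolates containers on the default bridge; services attached to the compose-defined `internal` network can still reach each other, so do not count on it for the sandbox's segmentation.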
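Review bot: `become: yes` in the new `Restart Docker` handler should be `become: true`; `yes` is a YAML 1.1 boolean that yamllint's `truthy` rule flags and that YAML 1.2 parsers read as a plain string. The handler also uses the `systemd` module while the neighbouring `Restart PostgreSQL` handler uses `service`; pick one for consistency (`service:` works on both and is what the rest of the playbook uses). The file still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same change.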