bachelor-thesis/webserver/hardened.patch
2025-05-20 00:43:52 +02:00


diff --color -ruN hybrid/sandbox/docker-compose.yml hardened/sandbox/docker-compose.yml
--- hybrid/sandbox/docker-compose.yml 2025-05-18 15:04:00.800680098 +0200
+++ hardened/sandbox/docker-compose.yml 2025-05-19 17:33:43.963243018 +0200
@@ -14,6 +14,15 @@
- 80
extra_hosts:
- "postgres:172.18.0.1"
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ cpus: '0.25'
+ pids: 100
+ reservations:
+ memory: 128M
+ cpus: '0.10'
gitea:
image: docker.gitea.com/gitea:latest
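Review bot: The new `deploy.resources` stanza only bounds consumption; the service this hunk belongs to (its name is above the hunk) still runs with the default capability set, and the same is true of the gitea stanza in the next hunk, so a compromised process keeps every capability the default profile grants. Since the file already treats nginx specially later (`read_only: true`), it would be consistent to give the web and gitea services `cap_drop: [ALL]` plus `cap_add:` for only what they need, and to state the intent in a comment such as `# limits only; capabilities are dropped per service below`. Whether these services also need `read_only` cannot be told from the hunk, so that would have to be checked against what each image writes at runtime.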
@@ -39,15 +48,20 @@
- 22
extra_hosts:
- "postgres:172.18.0.1"
-
- vulnerable:
- build: /vagrant/sandbox/vuln
- ports:
- - 2222:22
- networks:
- - internal
- extra_hosts:
- - "postgres:172.18.0.1"
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:3000/api/healthz"]
+ interval: 1m30s
+ timeout: 10s
+ retries: 3
+ deploy:
+ resources:
+ limits:
+ memory: 512M
+ cpus: '0.50'
+ pids: 100
+ reservations:
+ memory: 256M
+ cpus: '0.25'
nginx:
image: nginx:latest
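Review bot: The added `healthcheck` shells out to `curl` inside the gitea container, so its correctness depends on the contents of `docker.gitea.com/gitea:latest`, which this patch leaves unpinned; a future pull that changes the image would silently turn the check into a permanent failure (exit code from a missing binary) and, with `retries: 3`, mark the service unhealthy. Pinning the image to a digest or a fixed version tag would make the hardened baseline reproducible, and adding `start_period: 30s` (constructed value, adjust to observed startup time) keeps the first boot from counting against the retry budget. A short comment such as `# requires curl in the image; re-verify when bumping the tag` would document the coupling.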
@@ -59,8 +73,22 @@
- ./nginx.conf:/etc/nginx/conf.d/default.conf
- ./nginx/certs:/etc/nginx/certs
ports:
- - 80:80
- - 443:443
+ - 0.0.0.0:80:80
+ - 0.0.0.0:443:443
+ deploy:
+ resources:
+ limits:
+ memory: 128M
+ cpus: '0.25'
+ pids: 100
+ reservations:
+ memory: 64M
+ cpus: '0.10'
+ read_only: true
+ tmpfs:
+ - /tmp
+ - /run
+ - /var/cache/nginx
networks:
internal:
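Review bot: The port lines rewritten as `0.0.0.0:80:80` and `0.0.0.0:443:443` bind exactly the same interfaces as the previous `80:80`/`443:443`, because `0.0.0.0` is the default host address, so this part of the hunk changes nothing about exposure; if the intent was to narrow where nginx is reachable, the address of the intended interface belongs there, and if the intent was to make the all-interfaces exposure explicit, a comment such as `# intentionally published on all host interfaces` would keep the next reader from assuming a mistake. The `read_only: true` plus `tmpfs` combination looks right for the official nginx image as far as can be told here, but `/var/run` is where nginx writes its pid file; on images where `/var/run` is not a symlink to `/run` the container will fail to start, so this should be verified against the image in use and noted next to the `tmpfs` list. The `tmpfs` entries carry no size option, which is acceptable only because the 128M memory limit above also caps tmpfs usage; that dependency is worth a comment.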
diff --color -ruN hybrid/sandbox/playbook.yml hardened/sandbox/playbook.yml
--- hybrid/sandbox/playbook.yml 2025-05-17 15:34:46.781062066 +0200
+++ hardened/sandbox/playbook.yml 2025-05-19 18:21:22.570964238 +0200
@@ -20,9 +20,10 @@
- acl
- bc
- sysstat
+ - auditd
state: latest
update_cache: true
-
+
- name: Copy nginx conf
copy:
src: /vagrant/sandbox/nginx.conf
@@ -209,6 +210,63 @@
state: present
notify: Restart PostgreSQL
+ - name: Configure audit rules for Docker
+ copy:
+ dest: /etc/audit/rules.d/docker.rules
+ owner: root
+ group: root
+ mode: '0640'
+ content: |
+ -w /usr/bin/dockerd -k docker
+ -w /run/containerd -k docker
+ -w /var/lib/docker -k docker
+ -w /etc/docker -k docker
+ -w /lib/systemd/system/docker.service -k docker
+ -w /run/containerd/containerd.sock -k docker
+ -w /var/run/docker.sock -k docker
+ -w /etc/default/docker -k docker
+ -w /etc/docker/daemon.json -k docker
+ -w /etc/containerd/config.toml -k docker
+ -w /etc/sysconfig/docker -k docker
+ -w /usr/bin/containerd -k docker
+ -w /usr/bin/containerd-shim -k docker
+ -w /usr/bin/containerd-shim-runc-v1 -k docker
+ -w /usr/bin/containerd-shim-runc-v2 -k docker
+ -w /usr/bin/runc -k docker
+ -w /usr/lib/systemd/system/docker.socket -k docker
+ -w /usr/bin/containerd -k docker
+ -w /usr/bin/containerd-shim -k docker
+ -w /usr/bin/containerd-shim-runc-v1 -k docker
+ -w /usr/bin/containerd-shim-runc-v2 -k docker
+ -w /usr/bin/runc -k docker
+
+ - name: Restart auditd to apply new rules
+ service:
+ name: auditd
+ state: restarted
+ enabled: yes
+
+ - name: Ensure Docker daemon configuration is hardened
+ copy:
+ dest: /etc/docker/daemon.json
+ owner: root
+ group: root
+ mode: '0644'
+ content: |
+ {
+ "live-restore": true,
+ "icc": false,
+ "no-new-privileges": true,
+ "log-level": "info",
+ "log-driver": "json-file",
+ "log-opts": {
+ "max-size": "10m",
+ "max-file": "3"
+ },
+ "userland-proxy": false
+ }
+ notify: Restart Docker
+
- name: Ensure Docker service is running
service:
name: docker
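Review bot: The audit rule file contains five duplicate watches: the `/usr/bin/containerd`, `containerd-shim`, `containerd-shim-runc-v1`, `containerd-shim-runc-v2` and `/usr/bin/runc` lines appear twice, and auditctl rejects a duplicate watch with a "Rule exists" error, so depending on whether the merged rule set is loaded with `-c` the load may stop before later rules are applied; the second group should simply be deleted. The "Restart auditd to apply new rules" task is also likely to fail on systemd hosts, where auditd refuses manual stop/restart through systemctl; the usual approach is a handler running `augenrules --load` (or the distribution's `service auditd restart` wrapper) notified by the copy task, which would also stop the restart from running on every play. The watches carry no `-p` option, so every read of `/var/lib/docker` is recorded as well; `-p wa` on the directory watches would keep the log volume manageable without losing the write/attribute events the rules are meant to catch. Note that `"icc": false` in `daemon.json` only affects the default bridge network, so the compose services on the user-defined `internal` network still reach each other; the comment `# icc applies to the default bridge only` would make that limitation explicit.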
@@ -220,10 +278,15 @@
args:
chdir: /home/vagrant
-
handlers:
- name: Restart PostgreSQL
become: yes
service:
name: postgresql
+ state: restarted
+
+ - name: Restart Docker
+ become: yes
+ systemd:
+ name: docker
state: restarted
\ No newline at end of file
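Review bot: The new "Restart Docker" handler uses the `systemd` module while the sibling "Restart PostgreSQL" handler two lines above uses `service`, and both use `become: yes` rather than `become: true`; the file should settle on one module and on `true`/`false` for booleans so the handlers read as one author's work. The patch also leaves `playbook.yml` without a trailing newline (the `\ No newline at end of file` marker), which yamllint flags and which makes the next diff touching this file noisier than it needs to be. The handler section's tail is the end of the file, so there is nothing after it that could be affected.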