# ISS CW4 - To Complete

## Image Stripping

- [x] Clean up & harden database dockerfile (Image Stripping)
- [x] Clean up & harden webserver dockerfile (Image Stripping)
- [x] Clean up / lock down web files & look at persistence (Image Stripping).
- [x] Clean up / lock down database files & look at persistence (Image Stripping).
- [ ] Statically compile / unlink libraries from binaries (Image Stripping)

### Only managed to cut down capabilities to:

- webserver:
  - `CHOWN`
  - `SETUID`
  - `SETGID`
- dbserver:
  - `DAC_OVERRIDE`
  - `SETUID`
  - `SETGID`

## Seccomp

- [x] Compile SECCOMP profiles and block restricted syscalls.
- [x] Look at `clone` to see if it can be blocked on nginx (Seccomp)
- [x] Look at gating syscalls to capabilities (Seccomp)
- [x] Group and comment sets of syscalls for scalability / maintainability (Seccomp)

## SELinux

- [x] Write one-off configuration command README (Mostly SELinux)
- [x] Compile the one-off commands for SELinux.
- [x] Compile run-time commands (run every time).
- [x] Create a restrictive `.te` SELinux policy. (MAIN TASK)
  - [x] dbserver
  - [x] webserver
  - [ ] Restrict volumes.
- [x] Drop all CAPS; overlaps with image stripping, so do this after that.

## Group

- [x] Figure out set of test case interactions - important to do before restrictions so we know everything is still working when we apply them (Group)
- [ ] Determine and write README of runtime commands needed to build images and then run containers off those images (Group)
- [x] Write every-time run script (Group)
- [ ] Write run README (Group)
- [x] Write build script and build README (Group)
- [ ] Comment all files (Group)
- [ ] Write report (Group)
  - [ ] Section 1
  - [ ] Section 2
  - [ ] Section 3
  - [ ] Section 4
  - [ ] References
- [ ] Ensure submitted structure matches what Peter is expecting (Group)
  - [ ] Scripts:
    - [ ] build-script.sh
    - [ ] build-README
    - [x] one-off-run-config-script.sh
    - [ ] repeated-run-script.sh
    - [ ] run-README

  ![](https://i.imgur.com/tD4m0j1.png)

- [ ] Hash files and submit on Tabula (Group)
- [ ] ~~Push docker images to Peter's repo (Group)~~

## Individual

- [ ] "Deep insight and associated application to the problem that goes beyond the material taught in the module" - if we want to get a first (Individual)