
FEA406 Test Case

Test Case description: Harden all the containers.
Test Case ID: FEA406-TC01
Author/Designer: SEC
Date of creation: 18.4.2024
Class: functional

Test description / objective

Harden all the containers.

Links to requirements or other sources

Test Description

Verify that Docker containers have been appropriately hardened, with specific checks that each container runs as a non-root user, has no additional capabilities, cannot escalate privileges, and adheres to its memory and CPU usage limits.

Test pre-state

All Docker containers should be deployed with the latest configuration and running before the test begins.

Test steps

Confirm Non-Root User

  • Action: Inspect the running container to verify that it is running as a non-root user.
  • Expected Result: The container is running with a user ID other than 0.

Verify Dropped Capabilities

  • Action: Execute a diagnostic tool or command to list the current capabilities of a running container.
  • Expected Result: The container should have no additional capabilities beyond the default minimum.

Check for Privilege Escalation Prevention

  • Action: Attempt to acquire new privileges within the container.
  • Expected Result: The operation is blocked and privileges cannot be escalated.

Assess Memory and CPU Limits

  • Action: Monitor resource usage under load to ensure it does not exceed configured limits.
  • Expected Result: The container respects the memory and CPU limits set in the docker-compose file.
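
The configuration side of the four steps above can be checked from `docker inspect` output. The script below is an added example, not part of the original test case: the container names and sample records are constructed, and a named user other than `root` is assumed to map to a non-zero UID.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE = json.loads("""[
 {"Name": "/api", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": null, "CapDrop": ["ALL"],
                 "SecurityOpt": ["no-new-privileges:true"],
                 "Memory": 268435456, "NanoCpus": 500000000, "CpuQuota": 0}},
 {"Name": "/legacy", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_ADMIN"], "CapDrop": null,
                 "SecurityOpt": null, "Memory": 0, "NanoCpus": 0, "CpuQuota": 0}}
]""")

ROOT_USERS = {"", "0", "root"}  # empty User: no user was set, so the process runs as UID 0


def audit(container):
    """Return the list of hardening findings for one `docker inspect` record."""
    host = container.get("HostConfig") or {}
    findings = []
    # Step 1: the user part of "user[:group]" must not be root.
    user = ((container.get("Config") or {}).get("User") or "").split(":")[0]
    if user in ROOT_USERS:
        findings.append("runs as root")
    # Step 2: nothing added on top of the default capability set.
    if host.get("Privileged") or host.get("CapAdd"):
        findings.append("additional capabilities")
    # Step 3: no-new-privileges must be set (Docker accepts several spellings).
    opts = {o.replace("=", ":") for o in host.get("SecurityOpt") or []}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("privilege escalation not blocked")
    # Step 4: a memory limit and a CPU limit must both be configured.
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no CPU limit")
    return findings


def audit_all(containers):
    """Map container name to findings; an empty list means PASS."""
    return {c.get("Name", "?").lstrip("/"): audit(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "PASS" if not findings else "FAIL: " + ", ".join(findings))
```

To run it against live containers, load the JSON printed by `docker inspect $(docker ps -q)` in place of `SAMPLE`. The script only confirms that limits are configured, so the under-load observation in the last step is still required.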

Test end-state

The Docker containers maintain their hardened state with all security measures verified and no unexpected behaviors observed.

To be taken into account during test

Ensure the environment matches the intended production setup to accurately reflect operational conditions.

Test result (Pass/Fail Criteria)

  • PASS condition: All containers meet the hardening criteria with no deviations from expected behavior.

  • FAIL condition: Any container runs as root, gains new capabilities, can escalate privileges, or exceeds resource limits.