FEA406 Test Case
Test Case description | Harden all the containers.
Test Case ID | FEA406-TC01
Author/Designer | SEC
Date of creation | 18.4.2024
Class | functional
Test description / objective
Harden all the containers.
Links to requirements or other sources
- Requirements: FUNC-REQ-C0022
- User story: US056
Test Description
To verify that Docker containers have been appropriately hardened, with specific checks for running as a non-root user, no additional capabilities, prevention of privilege escalation, and adherence to memory and CPU usage limits.
Test pre-state
All Docker containers should be deployed with the latest configuration and running before the test begins.
Test steps
Confirm Non-Root User
- Action: Inspect the running container to verify that it is running as a non-root user.
- Expected Result: The container is running with a user ID other than 0.
Verify Dropped Capabilities
- Action: Execute a diagnostic tool or command to list the current capabilities of a running container.
- Expected Result: The container should have no additional capabilities beyond the default minimum.
Check for Privilege Escalation Prevention
- Action: Attempt to acquire new privileges within the container.
- Expected Result: The operation is blocked and privileges cannot be escalated.
Assess Memory and CPU Limits
- Action: Monitor resource usage under load to ensure it does not exceed configured limits.
- Expected Result: The container respects the memory and CPU limits set in the docker-compose file.
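An added checker for steps 1 to 4 (example code, not part of the test case or the project) that evaluates the static configuration `docker inspect <container>` reports: `Config.User` for the non-root check, `HostConfig.CapAdd`/`Privileged` for added capabilities, `HostConfig.SecurityOpt` for `no-new-privileges`, and `HostConfig.Memory`/`NanoCpus` for the limits set via docker-compose. The JSON below is a constructed sample of that output; the live parts of the test (`id -u` inside the container, behaviour under load) are still run separately.

```python
"""Evaluate `docker inspect` output against the FEA406-TC01 hardening checks."""
import json

# Constructed sample in the shape `docker inspect` prints (a JSON list, one
# object per container); only the fields the checks read are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/api",
     "Config": {"User": "10001:10001"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges:true"],
                    "Memory": 268435456,       # 256 MiB (mem_limit)
                    "NanoCpus": 500000000}},   # 0.5 CPU (cpus)
    {"Name": "/worker",
     "Config": {"User": ""},                   # empty: image default, usually root
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"], "CapDrop": None,
                    "SecurityOpt": None,
                    "Memory": 0,               # 0 means unlimited
                    "NanoCpus": 0}},
])


def is_root_user(user):
    """Config.User values '', '0', 'root', '0:0' and 'root:root' all mean UID 0."""
    return user.split(":")[0] in ("", "0", "root")


def check_container(c):
    """Return check name -> True (pass) / False (fail) for one inspect object."""
    host = c["HostConfig"]
    sec_opts = host.get("SecurityOpt") or []
    no_new_privs = any(o.startswith("no-new-privileges") and not o.endswith(":false")
                       for o in sec_opts)
    return {
        "non_root_user": not is_root_user(c["Config"].get("User", "")),
        # --privileged grants every capability, so it fails this check too
        "no_added_capabilities": not host.get("CapAdd") and not host.get("Privileged"),
        "no_new_privileges": no_new_privs,
        "memory_limit_set": (host.get("Memory") or 0) > 0,
        "cpu_limit_set": (host.get("NanoCpus") or 0) > 0,
    }


def evaluate(inspect_json):
    """Map container name -> per-check results for every container in the output."""
    return {c["Name"].lstrip("/"): check_container(c) for c in json.loads(inspect_json)}


def verdict(results):
    """PASS only when every check of every container passed (the TC pass criterion)."""
    return "PASS" if all(all(r.values()) for r in results.values()) else "FAIL"
```

Feed it real data with `docker inspect $(docker ps -q)`; any `False` names the step and container that failed.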
Test end-state
The Docker containers maintain their hardened state with all security measures verified and no unexpected behaviors observed.
To be taken into account during test
Ensure the environment matches the intended production setup to accurately reflect operational conditions.
Test result (Pass/Fail Criteria)
- PASS condition: All containers meet the hardening criteria with no deviations from expected behavior.
- FAIL condition: Any container runs as root, gains new capabilities, can escalate privileges, or exceeds resource limits.