-
Notifications
You must be signed in to change notification settings - Fork 0
feat(course): Hands-on Docker Hacking — editorial draft #3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| /.venv | ||
| /.env | ||
| /dist | ||
| /build | ||
| /out | ||
| /target | ||
| /node_modules | ||
| /.DS_Store | ||
| Thumbs.db | ||
| *.pyc | ||
| *.swp | ||
| /.idea | ||
| /.vscode |
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,24 @@ | ||||||||||||||||||||||||||||||
| # Hands-on Docker Hacking | ||||||||||||||||||||||||||||||
| _summary for editorial board_ | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| ## Modules | ||||||||||||||||||||||||||||||
| 1. Privileged Container | ||||||||||||||||||||||||||||||
| 2. Exposed Container APIs | ||||||||||||||||||||||||||||||
| 3. Container Escape | ||||||||||||||||||||||||||||||
| 4. Container Image Tampering | ||||||||||||||||||||||||||||||
| 5. Insecure Container Configuration | ||||||||||||||||||||||||||||||
| 6. Denial-of-Service (DoS) | ||||||||||||||||||||||||||||||
| 7. Kernel Vulnerabilities | ||||||||||||||||||||||||||||||
| 8. Shared Kernel Exploitation | ||||||||||||||||||||||||||||||
| 9. Insecure Container Orchestration | ||||||||||||||||||||||||||||||
| 10. Insecure Container Images | ||||||||||||||||||||||||||||||
| 11. What Seccomp, AppArmor, and SELinux Actually Do | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| ## Deliverables included | ||||||||||||||||||||||||||||||
| - `course/modules/` � one markdown module per topic with lab steps | ||||||||||||||||||||||||||||||
| - `course/quizzes/` � module and final assessments | ||||||||||||||||||||||||||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The PR description mentions 22 quiz files (11 module + 11 final), but only 20 are present in the repository. Module 1 (Privileged Container) is missing both its regular quiz (
Comment on lines
+18
to
+19
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||||||||||||||||||||||||||||||
| - `README` update for GitHub course homepage | ||||||||||||||||||||||||||||||
|
Comment on lines
+18
to
+20
|
||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| ## Format notes | ||||||||||||||||||||||||||||||
| - Each module contains: intro, attack scenario, compliant vs noncompliant example, remediation, and hands-on lab. | ||||||||||||||||||||||||||||||
| - Sample 60�90 second module intro video scripts are embedded where practical. | ||||||||||||||||||||||||||||||
|
Comment on lines
+18
to
+24
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛑 Character Encoding Issue: The em-dashes in lines 18, 19, and 24 are displaying as replacement characters (�) in the diff, indicating a potential encoding corruption. This will cause rendering issues in the final document.
Suggested change
|
||||||||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,25 +1,7 @@ | ||||||||||||||||||
| # Docker Hacking Lab | ||||||||||||||||||
| ### EC-Council | Hands-on Docker Hacking Course | ||||||||||||||||||
| **Author: Adonis Jimenez | BizDevStudio** | ||||||||||||||||||
| Hands-on Docker Hacking course repo. | ||||||||||||||||||
|
|
||||||||||||||||||
|
|
||||||||||||||||||
| > Warning: This lab contains intentional vulnerabilities. Run in an isolated environment only. | ||||||||||||||||||
|
|
||||||||||||||||||
| ## Quick Start | ||||||||||||||||||
| ``` | ||||||||||||||||||
| git clone https://github.com/donny-devops/docker-hacking-lab | ||||||||||||||||||
| cd docker-hacking-lab | ||||||||||||||||||
| docker compose up -d | ||||||||||||||||||
| ``` | ||||||||||||||||||
|
|
||||||||||||||||||
| ## Course Modules | ||||||||||||||||||
| - Module 0: Lab Setup | ||||||||||||||||||
| - Module 1: Docker Internals and Attack Surface | ||||||||||||||||||
| - Module 2: Enumeration and Reconnaissance | ||||||||||||||||||
| - Module 3: Escape via Privileged Flag | ||||||||||||||||||
| - Module 4: Escape via Host Path Mount | ||||||||||||||||||
| - Module 5: Docker Socket Exploitation | ||||||||||||||||||
| - Module 6: TCP Daemon Exploitation | ||||||||||||||||||
| - Module 7: Image and Registry Attacks | ||||||||||||||||||
| - Module 8: Supply Chain Attacks | ||||||||||||||||||
| - Module 9: Network Attacks and Lateral Movement | ||||||||||||||||||
| - Module 10: Runtime Defense | ||||||||||||||||||
| ## Course structure | ||||||||||||||||||
| - `course/modules/` � topic lessons and labs | ||||||||||||||||||
| - `course/quizzes/` � assessment questions | ||||||||||||||||||
| - `COURSE_SUMMARY.md` � editorial board summary | ||||||||||||||||||
|
Comment on lines
+5
to
+7
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Comment on lines
+4
to
+7
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛑 Character Encoding Issue: The em-dashes in lines 5-7 are displaying as replacement characters (�) in the diff, indicating encoding corruption identical to the issue in COURSE_SUMMARY.md. This will cause rendering problems.
Suggested change
Comment on lines
+5
to
+7
|
||||||||||||||||||
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,22 @@ | ||||||||||||||
| # Exposed Container APIs | ||||||||||||||
| Covers Docker daemon socket/API exposure, auth bypass, TLS, and network exposure risks. | ||||||||||||||
|
|
||||||||||||||
| ## Attack scenario | ||||||||||||||
| Exposing `2375/2376` without auth allows remote host takeover. | ||||||||||||||
|
|
||||||||||||||
| ## Noncompliant | ||||||||||||||
| docker run -d -p 2375:2375 docker:dind | ||||||||||||||
|
|
||||||||||||||
| ## Compliant | ||||||||||||||
| docker run -d -p 127.0.0.1:2376:2376 ` | ||||||||||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||||||||||||||
| --tlsverify --tlscacert ca.pem --tlscert cert.pem --tlskey key.pem docker:dind | ||||||||||||||
|
Comment on lines
+10
to
+12
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛑 Syntax Error: Unterminated backtick character at the end of line 11 causes a code block formatting error. The command spans multiple lines but lacks proper Markdown formatting.
Suggested change
Comment on lines
+11
to
+12
|
||||||||||||||
|
|
||||||||||||||
| ## Remediation | ||||||||||||||
| - Bind to localhost or VPN only. | ||||||||||||||
| - Enforce TLS client auth on 2376. | ||||||||||||||
| - Firewall-restrict daemon ports. | ||||||||||||||
|
|
||||||||||||||
| ## Hands-on lab | ||||||||||||||
| 1. Inspect Docker socket listeners. | ||||||||||||||
| 2. Confirm remote API auth requirements. | ||||||||||||||
| 3. Harden with TLS/localhost binding. | ||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Container Escape | ||
| Covers breakouts via docker socket, --privileged, host namespaces, and dangerous mounts. | ||
|
|
||
| ## Attack scenario | ||
| A container with /var/run/docker.sock can create privileged sibling containers. | ||
|
|
||
| ## Noncompliant | ||
| docker run -v /var/run/docker.sock:/var/run/docker.sock alpine | ||
|
|
||
| ## Compliant | ||
| docker run --user 1000:1000 --read-only --cap-drop ALL alpine | ||
|
|
||
| ## Remediation | ||
| - Avoid host namespace sharing. | ||
| - Drop capabilities; avoid --privileged. | ||
| - Use rootless Docker where possible. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Run noncompliant container. | ||
| 2. Attempt docker ps inside. | ||
| 3. Harden and verify escape path blocked. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Container Image Tampering | ||
| Covers supply-chain attacks, tag mutation, untrusted registries, and image signing. | ||
|
|
||
| ## Attack scenario | ||
| Attacker pushes backdoored tag to public registry; CI auto-deploys it. | ||
|
|
||
| ## Noncompliant | ||
| docker build -t app:latest . | ||
|
|
||
| ## Compliant | ||
| cosign sign --key cosign.key app@sha256:... | ||
|
|
||
| ## Remediation | ||
| - Pin images by digest. | ||
| - Sign images with cosign/Sigstore. | ||
| - Scan in CI with Trivy/Grype. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Inspect image history/layers. | ||
| 2. Re-pin by digest. | ||
| 3. Verify provenance/signature. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Insecure Container Configuration | ||
| Covers excessive permissions, writable rootfs, dangerous sysctls, and insecure defaults. | ||
|
|
||
| ## Attack scenario | ||
| Root-owned writable rootfs enables cron/kmodule persistence. | ||
|
|
||
| ## Noncompliant | ||
| docker run --cap-add SYS_ADMIN --read-only=false ubuntu | ||
|
|
||
| ## Compliant | ||
| docker run --user 65532:65532 --read-only --tmpfs /tmp ubuntu | ||
|
|
||
| ## Remediation | ||
| - Run as nonroot. | ||
| - Use --read-only with tmpfs. | ||
| - Drop capabilities by default. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Inspect docker inspect config. | ||
| 2. Harden runtime flags. | ||
| 3. Verify no root writable paths. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Denial-of-Service (DoS) | ||
| Covers CPU/memory/PIDs/I/O exhaustion and runtime limits. | ||
|
|
||
| ## Attack scenario | ||
| Fork bomb or memory hog crashes neighboring containers/host. | ||
|
|
||
| ## Noncompliant | ||
| docker run -d --name stress docker-stress | ||
|
|
||
| ## Compliant | ||
| docker run -d --name stress --cpus 0.5 --memory 256m --pids-limit 64 docker-stress | ||
|
|
||
| ## Remediation | ||
| - Set --cpus --memory --pids-limit. | ||
| - Use --restart on-failure:5. | ||
| - Monitor with cAdvisor/Prometheus. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Run stress unconstrained. | ||
| 2. Observe impact. | ||
| 3. Apply limits and compare. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Kernel Vulnerabilities | ||
| Covers host/runtime CVEs, patching cadence, and isolation limitations. | ||
|
|
||
| ## Attack scenario | ||
| Unpatched kernel enables container-to-host privilege escalation. | ||
|
|
||
| ## Noncompliant | ||
| uname -r # old unpatched kernel | ||
|
|
||
| ## Compliant | ||
| sudo apt install linux-generic-hwe-22.04 | ||
|
|
||
| ## Remediation | ||
| - Patch host/runtime on SLA. | ||
| - Minimize host kernel modules. | ||
| - Evaluate gVisor/Kata for stronger isolation. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Check kernel against CVE advisories. | ||
| 2. Review runtime changelog. | ||
| 3. Document upgrade plan. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Shared Kernel Exploitation | ||
| Covers namespace mistakes, /proc exposure, pid=host, and cross-container access. | ||
|
|
||
| ## Attack scenario | ||
| Host PID namespace exposes other containers'/host process data. | ||
|
|
||
| ## Noncompliant | ||
| docker run --pid=host --cap-add SYS_ADMIN alpine | ||
|
|
||
| ## Compliant | ||
| docker run --user nonroot --pid container --cap-drop ALL alpine | ||
|
|
||
| ## Remediation | ||
| - Avoid --pid=host. | ||
| - Use container-scoped PID namespaces. | ||
| - Enable dmesg_restrict. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Run two containers. | ||
| 2. Inspect /proc with/without host PID. | ||
| 3. Harden namespace usage. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Insecure Container Orchestration | ||
| Covers K8s/Compose misconfigs, default SAs, broad RBAC, and exposed APIs. | ||
|
|
||
| ## Attack scenario | ||
| Default SA has secret-read; app bug leaks cluster secrets. | ||
|
|
||
| ## Noncompliant | ||
| serviceAccountName: default | ||
|
|
||
| ## Compliant | ||
| serviceAccountName: app-sa | ||
| automountServiceAccountToken: false | ||
|
|
||
| ## Remediation | ||
| - Dedicated SA per workload. | ||
| - Least-privilege RBAC. | ||
| - Scan configs with Polaris/Kubesec. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Inspect current SA/roles. | ||
| 2. Create restricted SA. | ||
| 3. Update deployment and confirm denial. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Insecure Container Images | ||
| Covers outdated bases, malware images, vulnerable packages, and registry hygiene. | ||
|
|
||
| ## Attack scenario | ||
| Malicious image appears as trusted name; CI builds and deploys it. | ||
|
|
||
| ## Noncompliant | ||
| docker build -t app:latest . | ||
|
|
||
| ## Compliant | ||
| trivy image app@sha256:... | ||
|
|
||
| ## Remediation | ||
| - Pin by digest/provenance. | ||
| - Scan in CI and deploy gate. | ||
| - Trust only approved registries. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Build latest-tagged image. | ||
| 2. Inspect layers/history. | ||
| 3. Rebuild pinned and scan. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # What Seccomp, AppArmor, and SELinux Actually Do | ||
| Covers LSM roles, Docker defaults, custom profiles, and operational pitfalls. | ||
|
|
||
| ## Seccomp | ||
| Restricts syscalls. Docker default blocks ~44 dangerous syscalls. | ||
|
|
||
| ## AppArmor | ||
| Path-based confinement. Uses docker-default on Debian/Ubuntu. | ||
|
|
||
| ## SELinux | ||
| Label-based MAC. Stronger; enabled on RHEL/Fedora. | ||
|
|
||
| ## Noncompliant | ||
| docker run --security-opt seccomp=unconfined ubuntu | ||
|
|
||
| ## Compliant | ||
| docker run --security-opt seccomp=default --security-opt apparmor=docker-default ubuntu | ||
|
|
||
| ## Remediation | ||
| - Keep defaults unless app breaks. | ||
| - Trace syscalls before narrowing. | ||
| - Combine seccomp + AppArmor/SELinux + capabilities. | ||
|
|
||
| ## Hands-on lab | ||
| 1. Inspect container security opts. | ||
| 2. strace app process. | ||
| 3. Build minimal custom seccomp JSON and test. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Final assessment: Container Escape | ||
| ## Questions | ||
| 1. Which option most directly reduces runtime breakout surface? | ||
| A) --privileged B) drop caps + seccomp + read-only C) expose 2375 D) host network | ||
| 2. Which is a reliable signal of insecure images? | ||
| A) pinned digest + signed provenance B) latest tag from unknown registry C) small image size D) alpine base | ||
| ## Answers | ||
| 1. B 2. B |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Quiz: Container Escape | ||
| ## Questions | ||
| 1. Which control is most specific to syscall filtering? | ||
| A) AppArmor B) SELinux C) seccomp D) cgroups | ||
| 2. Exposing Docker API without auth primarily risks: | ||
| A) slower builds B) disk usage C) full host compromise D) image pulls failing | ||
| 3. The strongest container isolation boundary is: | ||
| A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket | ||
|
Comment on lines
+3
to
+8
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛑 Critical Copy-Paste Error: This quiz file contains identical questions to |
||
| ## Answers | ||
| 1. C 2. C 3. C | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Final assessment: Denial-of-Service (DoS) | ||
| ## Questions | ||
| 1. Which option most directly reduces runtime breakout surface? | ||
| A) --privileged B) drop caps + seccomp + read-only C) expose 2375 D) host network | ||
| 2. Which is a reliable signal of insecure images? | ||
| A) pinned digest + signed provenance B) latest tag from unknown registry C) small image size D) alpine base | ||
| ## Answers | ||
| 1. B 2. B | ||
|
Comment on lines
+1
to
+8
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Quiz: Denial-of-Service (DoS) | ||
| ## Questions | ||
| 1. Which control is most specific to syscall filtering? | ||
| A) AppArmor B) SELinux C) seccomp D) cgroups | ||
| 2. Exposing Docker API without auth primarily risks: | ||
| A) slower builds B) disk usage C) full host compromise D) image pulls failing | ||
| 3. The strongest container isolation boundary is: | ||
| A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket | ||
| ## Answers | ||
| 1. C 2. C 3. C | ||
|
Comment on lines
+1
to
+10
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Micro-Learning Topic: Denial of service (Detected by phrase)Matched on "Denial-of-Service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try a challenge in Secure Code Warrior |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Final assessment: Exposed Container APIs | ||
| ## Questions | ||
| 1. Which option most directly reduces runtime breakout surface? | ||
| A) --privileged B) drop caps + seccomp + read-only C) expose 2375 D) host network | ||
| 2. Which is a reliable signal of insecure images? | ||
| A) pinned digest + signed provenance B) latest tag from unknown registry C) small image size D) alpine base | ||
| ## Answers | ||
| 1. B 2. B |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Quiz: Exposed Container APIs | ||
| ## Questions | ||
| 1. Which control is most specific to syscall filtering? | ||
| A) AppArmor B) SELinux C) seccomp D) cgroups | ||
| 2. Exposing Docker API without auth primarily risks: | ||
| A) slower builds B) disk usage C) full host compromise D) image pulls failing | ||
| 3. The strongest container isolation boundary is: | ||
| A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket | ||
|
Comment on lines
+3
to
+8
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🛑 Quiz Content Mismatch: Question 1 asks about syscall filtering controls (AppArmor/SELinux/seccomp) which is LSM content from Module 11, not from the "Exposed Container APIs" module. Question 3 also references generic isolation topics not covered in Module 02. Quiz questions must align with the specific module content. |
||
| ## Answers | ||
| 1. C 2. C 3. C | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Final assessment: Container Image Tampering | ||
| ## Questions | ||
| 1. Which option most directly reduces runtime breakout surface? | ||
| A) --privileged B) drop caps + seccomp + read-only C) expose 2375 D) host network | ||
| 2. Which is a reliable signal of insecure images? | ||
| A) pinned digest + signed provenance B) latest tag from unknown registry C) small image size D) alpine base | ||
| ## Answers | ||
| 1. B 2. B |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Quiz: Container Image Tampering | ||
| ## Questions | ||
| 1. Which control is most specific to syscall filtering? | ||
| A) AppArmor B) SELinux C) seccomp D) cgroups | ||
| 2. Exposing Docker API without auth primarily risks: | ||
| A) slower builds B) disk usage C) full host compromise D) image pulls failing | ||
| 3. The strongest container isolation boundary is: | ||
| A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket | ||
| ## Answers | ||
| 1. C 2. C 3. C |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Final assessment: Insecure Container Configuration | ||
| ## Questions | ||
| 1. Which option most directly reduces runtime breakout surface? | ||
| A) --privileged B) drop caps + seccomp + read-only C) expose 2375 D) host network | ||
| 2. Which is a reliable signal of insecure images? | ||
| A) pinned digest + signed provenance B) latest tag from unknown registry C) small image size D) alpine base | ||
| ## Answers | ||
| 1. B 2. B |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # Quiz: Insecure Container Configuration | ||
| ## Questions | ||
| 1. Which control is most specific to syscall filtering? | ||
| A) AppArmor B) SELinux C) seccomp D) cgroups | ||
| 2. Exposing Docker API without auth primarily risks: | ||
| A) slower builds B) disk usage C) full host compromise D) image pulls failing | ||
| 3. The strongest container isolation boundary is: | ||
| A) shared kernel B) VM parity C) namespace + cgroup + LSM D) Docker socket | ||
| ## Answers | ||
| 1. C 2. C 3. C |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🛑 Critical Missing File: Module 1 "Privileged Container" is listed in the summary but the corresponding file
course/modules/01-privileged-container.mdis missing from the deliverables. The PR description claims modules "01*.md through course/modules/11*.md" are included, but module 01 is absent.