Comments (4)
-
PWNME - can we make it such that we know we were successful? Maybe can it iterate until it succeeds?
No, problem is that we need to test it first in Enforcing (Where the attack is not sucessful) because container and host became useless after attack. -
runcescape - this is quite slow - is it possible to speed it up somehow? maybe by prebaking the container?
Probably not, container needs to be recreated, beacause of type of attack. -
also - in the script there is docker used and dnf. That does not compute for me :) docker is RHEL7 tool, dnf rhel8.
This demo is based on Fedora (because I was not able to get vulnerable version of docker for RHEL.) -
DNS record is slightly different (cat /etc/hosts), there are no IP adressess
On what system? in selinux1 I see this:
[root@selinux1 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 selinux2.example.com selinux2 selinux3.example.com selinux3 selinux5.example.com selinux5
-
I recommend changing combo "ssh ; getenforce; exit" to ssh getenforce. It will save some time for the attendees
This is good point, I'll fix that, but hmm maybe it will be confusing for attendees. I'll send PR. Then we can discuss it with Lucy -
also, when I did the lab, I got tired of typing / updating those curl commandlines. Maybe I would prefer if the lab used bash expansion for these. Like curl selinux{2,3,5}{,:7070} - is it slightly magical? Maybe. But it will save a lot of time, and you can compare outcomes right away, instead of doing the same operation six times with slightly different outcomes.
Good point, I'll fix that. -
2.3.3.1 is messy - in the paragraph above, you say we will use selinux2, and then you still touch all machines?
Add fixes. -
during 2.4.2, when your example says there are permission denied, I have got none - it worked right away. Thus 2.4.2.{3,4,5} were not needed.
Are you sure that you provided all the steps? I tested and it worked for me.
from securitydemos.
DNS record is slightly different (cat /etc/hosts), there are no IP adressess
On what system? in selinux1 I see this:
Yes, this is what I saw in the DNS records as well - in lab track, there are numeric IP addresses.
during 2.4.2, when your example says there are permission denied, I have got none - it worked right away. Thus 2.4.2.{3,4,5} were not needed.
Are you sure that you provided all the steps? I tested and it worked for me.
I don't know :( If it worked for you, I have probably forgot to switch on enforcing or something :)
from securitydemos.
I'll try it again
from securitydemos.
@lkerner, PR merged with
96d8a4b
from securitydemos.
Related Issues (20)
- Lab 2 - step 2.1 - only one pod is shown
- Lab 2 - step 8 - repeated text
- Lab 2 - Projects a,b & c are not explained HOT 1
- Lab 1 - No default network policies found HOT 1
- Lab 3 - first curl command has different response HOT 2
- Lab 3 - incorrect text HOT 1
- Lab 3 - further explanation on webhooks and adminssion hooks HOT 2
- Lab 4 (old) - Jenkins pipeline error HOT 1
- Lab 5 - step 2 - Cluster admin user HOT 1
- [2020Labs/OpenShiftSecurity] got 0 errors in the sonarqube ecommerce app HOT 1
- [2020Labs/OpenShiftSecurity] My nexus doesn't have any maven-snapshot HOT 2
- [2020Labs/OpenShiftSecurity] point 11 in lab4.5 needs to be clarified HOT 1
- [2020Labs/OpenShiftSecurity] lab5 Lab Exercise Requirements HOT 3
- Lab 4 - Enhancement - Use Nexus Operator
- Lab 4 - Enhancement - Add secrets management for the labs HOT 1
- Lab 2 - No default policies found HOT 1
- Add the lab docs into the Gogs repository server
- Lab 4 - Following bonus steps to fix vulnerability results in failed pipeline HOT 4
- Lab 3 - OCP project is missing: rbac-lab HOT 3
- Lab 4 - OCP project is missing: ocp-workshop HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from securitydemos.