WIP 3 LXC hardening

_posts/2017-08-22-hardening-lxc-containers.md

@@ -4,7 +4,7 @@ slug: hardening-lxc-containers-running-systemd
 status: draft
 sitemap: true
 title: Hardening LXC containers running systemd
-description: Especially with systemd in the equation
+description: An epic trying to drop CAP\_SYS\_ADMIN
 disqus: false
 categories:
 tags:
@@ -15,10 +15,9 @@ tags:
 
 ![A real container](/assets/images/posts/harden-container.jpg)
 <div style="font-size: 12px; text-align:center; margin-top:-20px">
-*By [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). License CC BY-NC-ND 2.0*
+*A container. Photo by [Mr. Rollers](https://www.flickr.com/photos/mr-rollers/32972266123/). CC BY-NC-ND 2.0*
 </div>
 
-
 Hardening Linux Containers, and more especially [LXC containers](https://linuxcontainers.org/fr/lxc/introduction/), is needed to prevent a malicious user to escape your container. But before starting, we need to understand how containers work under the hood.
 
 As said by Jessie Frazelle in her blog post [Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs](https://blog.jessfraz.com/post/containers-zones-jails-vms/), containers in Linux are not a top level design like Zone in Solaris and Jails in BSD.
@@ -35,7 +34,7 @@ If you feel a bit lost with all these terms, a good start is the reading of this
 
 ![A factory](/assets/images/posts/harden-factory.jpg)
 <div style="font-size: 12px; text-align:center; margin-top:-20px">
-*By [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). License CC BY-SA 2.0*
+*A factory building containers ? Photo by [Thomas Berg](https://www.flickr.com/photos/decafinata/1989725289/). CC BY-SA 2.0*
 </div>
 
 Before starting, you'll need a very recent version of LXC, at least lxc-2.0.9 (not yet released as of this writing). Fortunately, you can compile it from its master branch. We'll see later why we need a such recent version.
@@ -64,8 +63,20 @@ sudo lxc-start -n harden -lDEBUG -F
 
 It will launch your container in foreground (so you'll be able to see systemd logs at boot) and it will log many useful informations in the `/var/log/lxc/harden.log` file.
 
+## Capabilities: split the root
+
+![Puzzle](/assets/images/posts/harden-puzzle.jpg)
+<div style="font-size: 12px; text-align:center; margin-top:-20px">
+*The great puzzle of root. Photo by [Kevin Dooley](https://www.flickr.com/photos/pagedooley/14555354976). CC BY 2.0.*
+</div>
+
 ## cgroups: group your processes
 
+![Lions](/assets/images/posts/harden-lions.jpg)
+<div style="font-size: 12px; text-align:center; margin-top:-20px">
+*A cgroup of lions with parents and children. Photo by [Joel Herzog](https://unsplash.com/@joel_herzog). Unsplash license.*
+</div>
+
 [Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
 
 > cgroups is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes.
@@ -87,12 +98,22 @@ Michael Kerrisk wrote an interesting [serie of articles about namespaces](https:
 
 At first glance, namespaces handle could appear trivial in LXC: every available namespaces are used and that's all.
 
-## Seccomp
+## Seccomp: filter your syscalls
 
-## Capabilities: split the root
+![Barriers](/assets/images/posts/harden-barrier.jpg)
+<div style="font-size: 12px; text-align:center; margin-top:-20px">
+*The seccomp barrier protects the access to the kernel. Photo by [Mike Wilson](https://unsplash.com/@mkwlsn). Unsplash license.*
+</div>
 
-## Linux Security Modules (LSM)
+## LSM: mandatory access control
+
+![Top Secret](/assets/images/posts/harden-secret.jpg)
+<div style="font-size: 12px; text-align:center; margin-top:-20px">
+*Back to the origin. Photo by [Michelangelo Carrieri](https://www.flickr.com/photos/malakhkelevra/4951863053). CC BY-ND 2.0*
+</div>
 
 ## Other
 
-prlimit
+### prlimit
+
+### /dev