Add: added the docs and changed the application.properties and wrong-secrets-configuration.yaml
1 parent 037bfd9, commit 4812463
Showing 6 changed files with 66 additions and 4 deletions.
@@ -0,0 +1,7 @@ | ||
=== Exposed Docker Secrets Challenge | ||
|
||
In this challenge, you will explore the importance of securely managing sensitive information using Docker secrets. Docker secrets are intended to safely transmit and store sensitive data like passwords, API keys, and certificates within Docker services. However, improper handling or misconfigurations can inadvertently expose these secrets, leading to potential security risks. | ||
|
||
*Acme Inc.*, a rapidly growing e-commerce platform, has recently experienced suspicious activities suggesting that sensitive customer data might have been compromised. An internal audit reveals that a developer inadvertently exposed database credentials by keeping secretfiles in repository and pushing it to a public Git repository. Additionally, the application was not utilizing Docker secrets effectively, leading to plaintext exposure of sensitive information within running containers. | ||
|
||
You have been hired as Technical Security Consultant, your job is to secure the exposed secrets to protect the sensitive information? For now identify the misconfigurations and report the database password to fix the situation. |
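Review bot: the closing paragraph is a statement punctuated as a question and is missing an article; suggest "You have been hired as a Technical Security Consultant; your job is to secure the exposed secrets and protect the sensitive information." In the audit sentence, "keeping secretfiles in repository and pushing it to a public Git repository" should read "keeping secret files in the repository and pushing them to a public Git repository".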
@@ -0,0 +1,17 @@ | ||
This challenge can be solved using the following ways: | ||
|
||
- *Acme Inc*. has a misconfigured `challenge51docker-compose.yml` file where sensitive information is exposed. Your task is to find these vulnerabilities. | ||
1. Clone the repository containing the challenge files. | ||
2. Locate the `challenge51docker-compose.yml` file in the repository. | ||
3. Identify credentials: | ||
Within the environmentsd section in challenge49docker-compose.yml, check for variables like: | ||
* `db_user` | ||
* `db_password` | ||
* `db_name` | ||
4. Now you can run the Docker Compose commands to build and run your service: | ||
- ``` | ||
export DOCKER_BUILDKIT=1 | ||
docker compose -f k8s/challenge51docker-compose.yml build | ||
docker compose -f k8s/challenge51docker-compose.yml run myservice | ||
```. | ||
5. The answer is in the output |
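Review bot: step 3 points the reader at `challenge49docker-compose.yml` while steps 2 and 4 use `challenge51docker-compose.yml`, so one of the names is wrong, and `environmentsd` should be `environment` (the Compose key). Step 2 only says to locate the file "in the repository" while step 4 builds from `k8s/`; give the path once, as `k8s/challenge51docker-compose.yml`, in step 2. The command listing is also opened as a nested bullet (the opening fence is prefixed with a `-` marker) and its closing fence is followed by a period, so the block is unlikely to render as a listing; attach it to step 4 with a `+` list continuation and clean fence lines.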
@@ -0,0 +1,28 @@ | ||
= Docker Compose Secrets Misconfiguration Challenge | ||
|
||
*Why Improper Secret Management in Docker Compose Can Lead to Vulnerabilities* | ||
|
||
In containerized environments, secret management is critical to maintaining the confidentiality and integrity of sensitive information such as database credentials, API keys, and other secrets. Docker Compose offers a convenient way to define and manage secrets, but improper handling of these secrets can expose your system to attacks. | ||
|
||
A common mistake is to pass secrets directly via environment variables or commit secret files into version control. This approach is flawed because: | ||
|
||
1. **Secrets are visible in the environment**: Environment variables are easy to inspect using basic system commands or logging, which may lead to unintentional exposure. | ||
2. **Hardcoding secrets in Dockerfiles**: When secrets are embedded in the Dockerfile or `docker-compose.yml`, they become part of the build process and are included in the image layers. Anyone with access to the image can inspect these layers and retrieve the secret. | ||
3. **Committing secret files to version control**: Storing secrets in files and committing them to Git or other version control systems introduces significant risks, as anyone with access to the repository can obtain the secrets. | ||
*Why This Challenge?* | ||
|
||
The purpose of this challenge is to highlight the risks associated with improper secret management in Docker Compose. Specifically, it demonstrates the dangers of using environment variables and file-based secrets incorrectly. Although Docker Compose provides mechanisms to handle secrets securely, such as Docker secrets and external secret management solutions, developers may often overlook these features for convenience. | ||
|
||
This challenge simulates a scenario where: | ||
|
||
- Database credentials (`db_user`, `db_password`, and `db_name`) are stored in a secret file and referenced in the `docker-compose`. | ||
- These secrets are improperly managed and can be easily exposed by anyone with access to the environment or the repository. | ||
*Key Learning Points:* | ||
|
||
- **Avoid using environment variables for secrets**: While convenient, environment variables are not secure for managing sensitive information. Use Docker secrets or external tools like Vault or AWS Secrets Manager instead. | ||
- **Do not commit secrets to version control**: Always keep secret files out of your repository by using `.gitignore` or secure secret management solutions. | ||
- **Ensure secrets are not baked into images**: Secrets should not be embedded in the Docker image itself; they should be injected at runtime or securely retrieved via an external service. | ||
By completing this challenge, you will learn how easy it is for attackers to gain access to improperly managed secrets and the best practices for securing secrets in Docker Compose environments. |
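Review bot: in AsciiDoc a line that directly follows a list item without a blank line is treated as a continuation of that item, so `*Why This Challenge?*`, `*Key Learning Points:*` and the closing "By completing this challenge" paragraph will be absorbed into the preceding bullet; insert a blank line before each. The file opens with a level-0 `=` title while the challenge description uses `===`; align the heading level with the other challenge docs. Minor: the lead sentence names two flaws (environment variables and committed secret files) but the list that follows has three items, with item 2 about secrets baked into Dockerfiles and image layers, so widen the lead sentence to cover all three.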