69 lines
1.5 KiB
Markdown
69 lines
1.5 KiB
Markdown
# Monty Container Hardening (Runtime Enablement)
|
|
|
|
This guide enables optional seccomp/AppArmor hardening for the Monty execution lane.
|
|
|
|
## Prerequisites
|
|
- Docker/Compose supports `security_opt` and `profiles`.
|
|
- Host supports seccomp (most modern Linux).
|
|
- AppArmor (optional) is enabled on the host.
|
|
|
|
## Enable hardened profile (seccomp only)
|
|
|
|
From repo root:
|
|
|
|
```sh
|
|
docker compose \
|
|
-f docker-compose.yml \
|
|
-f infra/compose/docker-compose.monty-hardened.yml \
|
|
--profile monty-hardened \
|
|
up -d
|
|
````
|
|
|
|
This applies:
|
|
|
|
* seccomp “no-network syscall” blocklist
|
|
* read-only container filesystem
|
|
* tmpfs for /tmp and /var/tmp
|
|
* no-new-privileges
|
|
* cap_drop=ALL
|
|
|
|
## Enable AppArmor (optional)
|
|
|
|
1. Load the profile:
|
|
|
|
```sh
|
|
sudo apparmor_parser -r -W infra/apparmor/threegate-monty
|
|
```
|
|
|
|
2. Uncomment or add in `infra/compose/docker-compose.monty-hardened.yml`:
|
|
|
|
```yaml
|
|
security_opt:
|
|
- apparmor:threegate-monty
|
|
```
|
|
|
|
3. Restart the service:
|
|
|
|
```sh
|
|
docker compose \
|
|
-f docker-compose.yml \
|
|
-f infra/compose/docker-compose.monty-hardened.yml \
|
|
--profile monty-hardened \
|
|
up -d --force-recreate
|
|
```
|
|
|
|
## Verification
|
|
|
|
* In the Monty container, attempts to open sockets should fail.
|
|
* Your normal Monty tool requests should still run.
|
|
|
|
## Why this is defense-in-depth
|
|
|
|
Monty already limits capabilities at the interpreter level, but:
|
|
|
|
* seccomp reduces syscall attack surface
|
|
* AppArmor adds filesystem and capability controls
|
|
* read-only root limits persistence
|
|
|
|
These controls are optional but recommended for higher-assurance deployments.
|