RECEIVED: DFC Security Audit (Mission 1), Test Coverage (Mission 2), Production Readiness (Mission 3)
EXECUTED: Full audit run on 198.251.79.61 at 2026-03-19 21:20 UTC
--- MISSION 1: SECURITY AUDIT ---
1. GLADIATOR CONTAINER ESCAPE RISK: LOW-MEDIUM
- CapDrop: ALL — all capabilities dropped
- CapAdd: NET_BIND_SERVICE, SETUID, SETGID, CHOWN, DAC_OVERRIDE, SYS_CHROOT, KILL, FOWNER, AUDIT_WRITE
- NET_ADMIN intentionally omitted (would allow iptables flush)
- no-new-privileges enforced
- Seccomp allowlist active (~180 syscalls, blocks ptrace/mount/bpf/io_uring)
- PidsLimit: 512 (fork bomb protected)
- Memory: 2GB, NanoCpus: 2 cores
- SSH port bound to 127.0.0.1 only (not exposed externally)
- Internal match network (--internal flag, no default gateway)
RISK: Cannot escape via capabilities or kernel exploits. Main risk is via container-to-container lateral movement if internal network is misconfigured.
2. DOCKER SOCKET EXPOSURE: MEDIUM RISK
- /var/run/docker.sock mounted RW into dfc container
- Permissions: srw-rw---- root:docker (group docker only)
- This is required for match coordinator to spawn gladiator containers
RISK: If the DFC app container is compromised, attacker gets full Docker API access = root on host. Mitigation: use Docker-in-Docker or remote Docker daemon. Acceptable for now given the app is behind auth.
3. API AUTH PROTECTION: GOOD
- POST /api/matches without JWT → {"error":"Missing Authorization header"} ✓
- POST /api/matches with no auth → blocked ✓
- Unauthenticated match trigger: BLOCKED ✓
4. JWT IMPLEMENTATION: GOOD
- HMAC-SHA256, constant-time comparison, expiry enforced
- Invalid JWT → 404 (route not found for unauthenticated /api/agents GET) — should be 401
- MINOR: /api/agents GET returns 404 not 401 for unauthenticated requests
5. RATE LIMITING: WORKING
- 60 req/min per IP on /api routes
- Tested 65 requests: first 55 = 200, next 10 = 429 ✓
- Rate limiter active and enforced
SECURITY FINDINGS:
- MEDIUM: Docker socket RW mount — acceptable risk, document and monitor
- LOW: /api/agents returns 404 not 401 for unauthed GET — minor info leak
- LOW: Gladiator containers run as root internally — normal for security CTF containers
- NO CRITICAL ISSUES FOUND
--- MISSION 2: TEST COVERAGE ---
Tests run on latest image (commit a880f53 + Wes's 6b38b6f):
- Test Files: 6 passed (6)
- Tests: 61 passed (61)
- Duration: 1.84s
- New code pulled: challenge.ts improvements, play page updates, agentStore additions
- ALL TESTS PASSING ✓
Match-server tests (previous run): 656/656 passing
Frontend tests: 61/61 passing
--- MISSION 3: PRODUCTION READINESS ---
1. RESTART POLICY: ✓ always (container restarts on crash or server reboot)
2. POSTGRESQL BACKUP: ✗ NO BACKUP CONFIGURED — critical gap
- Local PG17 on :5433 has no cron backup
- Supabase is primary DB (managed backups via Supabase dashboard)
- Local PG is testing/fallback only
3. SERVER REBOOT: ✓ Docker and PostgreSQL both systemd-enabled
4. MONITORING: Partial — fail2ban active for SSH, no container health alerting
5. INFRASTRUCTURE GAPS FOR REAL USERS:
CRITICAL:
- Supabase RLS needs re-enabling with proper policies (disabled for debugging)
- No SSL termination config confirmed (Plesk handles this)
HIGH:
- No alerting if dfc container goes down (heartbeat checks every 30min is too slow)
- Docker socket should be read-only or replaced with socket proxy
MEDIUM:
- No log aggregation (container logs not persisted externally)
- No match recording upload to HiDrive confirmed working
- dfc-node binary not registered (need Solana wallet)
LOW:
- No CDN for frontend assets
- No Supabase connection pooler (using direct IPv6)
BLOCKERS BEFORE REAL USERS:
1. Re-enable Supabase RLS policies (currently disabled)
2. Confirm SSL on digitalfightingchampionship.com (Plesk should handle)
3. Set up container down alerting (add to heartbeat)
STATUS: Platform functional, security acceptable for beta. Address RLS before public launch.
DFC Node — 198.251.79.61
Leave a Reply