Learn by Directing AI
All materials

CLAUDE.md

P3 -- OSINT Reconnaissance + Container Hardening

Client: Samir Bouzid, Managing Director, Kabylie Gold (Bejaia, Algeria) Project: Security assessment of an olive oil export ordering platform -- passive OSINT reconnaissance, multi-protocol active reconnaissance, web application exploitation, Sigma rule authoring with cross-checking, Docker container hardening, and a compliance-oriented assessment report.

What you're building

A full security assessment for Kabylie Gold's wholesale ordering platform. The engagement covers two new domains: passive OSINT reconnaissance (certificate transparency, Shodan, Google dorks) and Docker container hardening (non-root USER, read-only filesystem, Trivy scanning, CI pipeline). The purple team loop continues with web exploitation, detection rule authoring, remediation, and a report that satisfies French food safety digital security requirements for EU export certification.

Tech stack

  • Docker Compose (ordering platform + monitoring stack)
  • Nmap (multi-protocol: TCP, UDP, OS detection)
  • crt.sh, Shodan/Censys, Google dorks (passive OSINT)
  • ffuf (content discovery)
  • Wireshark/tshark (packet capture)
  • Trivy (container vulnerability scanning)
  • GitHub Actions (CI pipeline)
  • Grafana/Loki/Alloy (monitoring)
  • pySigma (Sigma to LogQL conversion)
  • Claude Code

File structure

materials/
  CLAUDE.md              -- this file
  docker-compose.yml     -- lab environment definition
  scope-document.md      -- assessment boundaries (includes container infrastructure)
  ttp-selection-guide.md -- testing categories (not enumerated tests)
  threat-model-template.md -- blank STRIDE template for the student to fill
  sigma-rule-starter.yml -- Sigma YAML structure template
  report-template.md     -- assessment report template with compliance framing
  vulnerable-platform/   -- Docker-based ordering platform

Tickets

  • T1: Environment setup and brief review -- set up lab, read Samir's Slack messages, understand scope and TTP guide
  • T2: Passive OSINT reconnaissance -- crt.sh, Shodan/Censys, Google dorks, scope-mapped intelligence summary
  • T3: Multi-protocol active reconnaissance -- UDP + TCP scanning, OS detection, ffuf, Wireshark, scan strategy decisions
  • T4: Exploitation and detection with cross-checking -- web vulnerability testing, Sigma rules for recon and exploit patterns, cross-model review
  • T5: Container hardening -- non-root USER, read-only filesystem, Trivy scanning, SHA-pinned base image, GitHub Actions CI pipeline
  • T6: Remediation and assessment report -- fix web findings, compile report integrating web and container findings, compliance framing for French inspectors

Verification targets

  • Cert transparency returns results (T2)
  • UDP scan interpreted with ambiguity explained (T3)
  • Web vulnerability confirmed with evidence (T4)
  • Cross-check produces finding self-review missed (T4)
  • Container runs non-root: docker exec <container> whoami returns non-root user (T5)
  • Trivy scan names at least one CVE from base image (T5)
  • CI pipeline triggers on push (T5)
  • All previously successful exploits fail after remediation (T6)
  • Report has compliance framing, web findings, container findings in business language (T6)

Commit convention

p3-tN: brief description (e.g., p3-t1: set up lab and review brief)

Key references

  • Scope document defines boundaries including container infrastructure
  • TTP selection guide describes testing categories -- the student decides specific tests
  • Threat model template is filled by the student for Samir's system
  • All scanning and exploitation must stay within scope