SCIA-360 Hands-On Labs
Course: SCIA-360 · Operating System Security
Frostburg State University, Department of Computer Science & Information Technology
Lab Program Overview
This lab series provides 13 Docker-based hands-on exercises that complement the SCIA-360 lecture materials. Each lab explores real OS security mechanisms directly, using /proc, unshare, chroot, strace, capsh, and more, all safely inside isolated Docker containers. No special hardware required.
What You Need
- A computer running Windows 10/11, macOS, or Linux
- Docker Desktop installed
- A terminal (PowerShell on Windows, Terminal on macOS/Linux)
- Approximately 1–1.5 hours per lab
Lab Philosophy
SCIA-360 labs go deeper than SCIA-120. You will interact directly with kernel interfaces (/proc/sys), compile C programs, manipulate Linux namespaces, and exploit SUID misconfigurations in a controlled environment. The goal is to understand why OS security mechanisms exist by seeing them work, and fail.
Lab Schedule
| Lab | Title | Topic | Ch. | Difficulty | Time |
|---|---|---|---|---|---|
| Lab 01 | Exploring OS Security Layers - /proc, Kernel & User Space | OS Intro | 1 | ⭐ | 45–60 min |
| Lab 02 | Process Security - Credentials, /proc & Signals | Process Mgmt | 2 | ⭐ | 45–60 min |
| Lab 03 | Memory Protections - ASLR, Stack Canaries & NX | Memory Security | 3 | ⭐⭐ | 60–75 min |
| Lab 04 | File System Security - ACLs, SUID, SGID & Sticky Bit | FS Security | 4 | ⭐ | 45–60 min |
| Lab 05 | PAM & Password Policy - Authentication Hardening | OS Auth | 5 | ⭐⭐ | 60–75 min |
| Lab 06 | Linux Capabilities - Dropping Root, Least Privilege | Access Control | 6 | ⭐⭐ | 45–60 min |
| Lab 07 | Syscall Filtering with seccomp | Security Policies | 7 | ⭐⭐ | 45–60 min |
| Lab 08 | chroot Jail - Filesystem Isolation the Old Way | Sandboxing | 8 | ⭐⭐ | 45–60 min |
| Lab 09 | Linux Namespaces - Building Blocks of Containers | Containerization | 8 | ⭐⭐ | 60–75 min |
| Lab 10 | Privilege Escalation via SUID Binaries | Vulnerabilities | 9 | ⭐⭐ | 60–75 min |
| Lab 11 | System Audit Logging with inotifywait | Linux Architecture | 11 | ⭐⭐ | 60–75 min |
| Lab 12 | OS Hardening - CIS Benchmark Checks | Hardening | 14 | ⭐⭐ | 60–75 min |
| Lab 13 | Capstone - Build, Harden & Audit a Containerized System | All topics | – | ⭐⭐⭐ | 90–120 min |
Learning Progression
| Labs | Theme | Topics |
|---|---|---|
| Labs 01–04 | Kernel & /proc | Process, Memory, File System |
| Labs 05–07 | Auth & Policy | PAM, Capabilities, seccomp |
| Labs 08–09 | Isolation | chroot, Namespaces |
| Labs 10–12 | Attacks & Defenses | SUID, Logging, Hardening |
| Lab 13 | Capstone | Integration |
Assessment Structure
Each lab is worth 100 points:
| Component | Points |
|---|---|
| Screenshot submission (6–10 per lab, labeled) | 40 |
| Analysis table or comparison exercise | 20 |
| Reflection questions (4 per lab) | 40 |
Lab 13 (Capstone) uses a modified rubric: Screenshots+table (30) + Hardening applied (20) + Final audit score (20) + Essay (30).
Difficulty Guide
| Symbol | Level | Description |
|---|---|---|
| ⭐ | Beginner | Basic Linux commands, reading /proc output |
| ⭐⭐ | Intermediate | C compilation, namespace manipulation, exploitation |
| ⭐⭐⭐ | Advanced | Integrates all prior labs into a full hardening exercise |
Key Docker Flags Used in This Course
Some labs require elevated Docker privileges to access kernel features:
| Flag | Labs | Why needed |
|---|---|---|
| --privileged | 09 | unshare for namespace manipulation |
| --cap-add SYS_PTRACE | 07 | strace to trace syscalls |
| --cap-add NET_ADMIN | 06 | iptables and network configuration |
| --security-opt seccomp=unconfined | 07 | Disable seccomp to observe its effect |
| --cap-drop ALL | 06 | Demonstrate zero-capability baseline |
Privilege Flags
Flags like --privileged should never be used in production containers. They are used here only to observe how kernel features work. Part of the learning is understanding why these flags are dangerous.
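The effect of the flags in the table can be verified from inside a container by reading the CapEff and Seccomp fields of /proc/self/status. The script below is an added example, not part of the course labs; the function names and the sample status excerpts are constructed for illustration, and real capability masks vary with kernel and Docker version.

```shell
#!/bin/sh
# Added example: list which privileges from the flag table a process holds,
# based on the CapEff and Seccomp fields of /proc/<pid>/status.

# Print the value of one "Name:" field from status text ($1 name, $2 text).
status_field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { print $2; exit }'
}

# Succeed if capability bit $2 is set in the hex mask $1.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Print the risky settings found in status text $1, "none", or "unknown".
audit_status() {
    capeff=$(status_field CapEff "$1")
    seccomp=$(status_field Seccomp "$1")
    if [ -z "$capeff" ] || [ -z "$seccomp" ]; then
        echo "unknown"
        return 0
    fi
    found=""
    # Bit numbers are from linux/capability.h.
    if has_cap "$capeff" 21; then found="$found CAP_SYS_ADMIN"; fi
    if has_cap "$capeff" 19; then found="$found CAP_SYS_PTRACE"; fi
    if has_cap "$capeff" 12; then found="$found CAP_NET_ADMIN"; fi
    if [ "$seccomp" = "0" ]; then found="$found seccomp-off"; fi
    if [ -z "$found" ]; then found=" none"; fi
    echo "${found# }"
}

# Constructed sample excerpts; real masks vary with kernel and Docker version.
SAMPLE_DEFAULT='CapEff: 00000000a80425fb
Seccomp: 2'
SAMPLE_DROP_ALL='CapEff: 0000000000000000
Seccomp: 2'
SAMPLE_PTRACE='CapEff: 00000000a80c25fb
Seccomp: 0'
SAMPLE_PRIVILEGED='CapEff: 000001ffffffffff
Seccomp: 0'

echo "default run:      $(audit_status "$SAMPLE_DEFAULT")"
echo "--cap-drop ALL:   $(audit_status "$SAMPLE_DROP_ALL")"
echo "ptrace+unconfined: $(audit_status "$SAMPLE_PTRACE")"
echo "--privileged:     $(audit_status "$SAMPLE_PRIVILEGED")"
if [ -r /proc/self/status ]; then
    echo "this process:     $(audit_status "$(cat /proc/self/status)")"
fi
```

Run inside a lab container, the last line reports what the container was actually granted, which makes the difference between a default run and a --privileged run visible.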
Technical Troubleshooting
unshare fails with 'unshare: unshare failed: Operation not permitted'
The lab requires --privileged: docker run --rm --privileged ubuntu:22.04 bash
strace says 'strace: attach: ptrace(PTRACE_SEIZE, PID): Operation not permitted'
Add --cap-add SYS_PTRACE --security-opt seccomp=unconfined to the docker run command.
gcc not found after apt-get install
Make sure you are running all commands in the same docker run session. If you exit and re-enter, run apt-get install again.
chroot fails with 'chroot: cannot change root directory: No such file or directory'
Ensure you created the jail directory and copied all required files and libraries first (Part 1 of Lab 08).
A port is already in use on the host
Change the host port: -p 9090:80 instead of -p 8080:80.
Labs authored for SCIA-360 · Frostburg State University · Department of Computer Science & Information Technology · Spring 2026