Skip to content

feat(lab9): falco custom rules + conftest hardening policies#1423

Open
d13-l1t3 wants to merge 1 commit into
inno-devops-labs:mainfrom
d13-l1t3:feature/lab9
Open

feat(lab9): falco custom rules + conftest hardening policies#1423
d13-l1t3 wants to merge 1 commit into
inno-devops-labs:mainfrom
d13-l1t3:feature/lab9

Conversation

@d13-l1t3

@d13-l1t3 d13-l1t3 commented Jul 4, 2026

Copy link
Copy Markdown

Goal

This PR implements runtime security monitoring and policy-as-code hardening for the DevSecOps-Intro course (Lab 9), addressing both incident detection (Falco) and configuration prevention (Conftest).

Changes

  • Falco Runtime Security (Task 1 & Bonus):
    • Added a custom rule (custom_rules.yaml) to detect unauthorized writes to /tmp inside containers.
    • Implemented tuning considerations (exceptions block) for the /tmp rule to prevent false positives from legitimate logging frameworks.
    • Added a bonus CRITICAL rule to detect cryptomining activity by intercepting the execution (execve) of known miner processes like xmrig.
  • Conftest Policy-as-Code (Task 2):
    • Created hardening.rego with 5 distinct deny rules for Kubernetes manifests (enforcing runAsNonRoot, disabling allowPrivilegeEscalation, dropping ALL capabilities, enforcing memory limits, and requiring sha256 image digests).
    • Validated policies against both secure and insecure deployment manifests.
    • Verified Docker Compose security policies using the provided compose-security.rego.

Testing

  • Falco:
    • Verified the Write to /tmp by container rule by executing a shell inside the target container and touching a file in /tmp.
    • Tested the cryptominer rule by copying a binary to /tmp/xmrig and triggering an execve syscall, resulting in a CRITICAL alert.
  • Conftest:
    • Ran conftest test labs/lab9/manifests/k8s/juice-hardened.yaml --policy labs/lab9/policies/extra/ (0 failures).
    • Ran conftest test labs/lab9/manifests/k8s/juice-unhardened.yaml --policy labs/lab9/policies/extra/ (5 failures correctly identifying security misconfigurations).
    • Validated compose files showing consistent Rego policy evaluation across different formats.

Artifacts & Screenshots

  • Submission file: submissions/lab9.md (Contains all rule definitions, JSON alert outputs, and required reflections on CI vs Admission time and SLA matrices).

Checklist

  • Title is clear (feat(labN): style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab9.md exists
  • Task 1 — 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 — ≥3 Conftest rules (K8s pass/fail) + shipped compose policy run
  • Bonus — Cryptominer detection rule with triggered alert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant