Skip to content

feat(lab9): falco custom rules + conftest hardening policies#1427

Open
Muratich wants to merge 4 commits into
inno-devops-labs:mainfrom
Muratich:feature/lab9
Open

feat(lab9): falco custom rules + conftest hardening policies#1427
Muratich wants to merge 4 commits into
inno-devops-labs:mainfrom
Muratich:feature/lab9

Conversation

@Muratich

@Muratich Muratich commented Jul 5, 2026

Copy link
Copy Markdown

Goal

Lab 9: runtime detection with Falco (baseline + custom rules) and Kubernetes hardening checks with Conftest, documented in submissions/lab9.md.

Changes

  • Added / updated:
    • submissions/lab9.md
    • labs/lab9/falco/rules/custom-rules.yaml
    • labs/lab9/policies/extra/hardening.rego
    • labs/lab9/falco/logs/.gitkeep
  • Other changes:
    • Custom Falco rule: Write to /tmp by container
    • Bonus Falco rule: Possible Cryptominer Activity
    • Conftest policies: runAsNonRoot, allowPrivilegeEscalation, capabilities.drop ALL, resources.limits.memory, image digest pinning

Testing

  • Commands run:
    • docker run -d --name lab9-target alpine:3.20 sleep 1d
    • docker run -d --name falco --privileged ... falcosecurity/falco:0.43.1 falco -U -o json_output=true -o time_format_iso_8601=true
    • docker exec lab9-target /bin/sh -lc 'echo "shell-in-container test"'
    • docker exec lab9-target /bin/sh -lc 'cat /etc/shadow'
    • docker exec --user 0 lab9-target /bin/sh -lc 'echo "test" > /tmp/my-write.txt'
    • docker exec lab9-target /bin/sh -c 'apk add --no-cache netcat-openbsd && nc -w 2 127.0.0.1 3333'
    • conftest test labs/lab9/manifests/k8s/juice-hardened.yaml --policy labs/lab9/policies/extra/
    • conftest test labs/lab9/manifests/k8s/juice-unhardened.yaml --policy labs/lab9/policies/extra/
    • conftest test labs/lab9/manifests/compose/juice-compose.yml --policy labs/lab9/policies/compose-security.rego --namespace compose.security
    • conftest test $env:TEMP/bad-compose.yml --policy labs/lab9/policies/compose-security.rego --namespace compose.security
  • Observed output:
    • Falco: Terminal shell in container, Read sensitive file untrusted, Write to /tmp by container, Possible Cryptominer Activity (JSON alerts in submission)
    • Conftest hardened K8s: 10 tests, 10 passed, 0 failures
    • Conftest unhardened K8s: 4 failures (runAsNonRoot, allowPrivilegeEscalation, memory limits, digest)
    • Conftest compose: PASS on juice-compose.yml, FAIL on bad compose (missing user + read_only)

Artifacts & Screenshots

  • submissions/lab9.md
  • labs/lab9/falco/rules/custom-rules.yaml
  • labs/lab9/policies/extra/hardening.rego
  • Screenshots / links:
    • Falco JSON alerts pasted in submissions/lab9.md
    • Conftest pass/fail output pasted in submissions/lab9.md

Checklist

  • Title is clear (feat(lab9): falco custom rules + conftest hardening policies)
  • No secrets or large temp files are committed (labs/lab9/falco/logs/ not committed, only .gitkeep)
  • Submission file at submissions/lab9.md exists
  • Task 1 — 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 — ≥3 Conftest rules (K8s pass/fail) + shipped compose policy run
  • Bonus — Cryptominer detection rule with triggered alert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant