Skip to content

feat(lab9): falco custom rules + conftest hardening policies#1430

Open
semyonnadutkin wants to merge 6 commits into
inno-devops-labs:mainfrom
semyonnadutkin:feature/lab9
Open

feat(lab9): falco custom rules + conftest hardening policies#1430
semyonnadutkin wants to merge 6 commits into
inno-devops-labs:mainfrom
semyonnadutkin:feature/lab9

Conversation

@semyonnadutkin

Copy link
Copy Markdown

Goal

Detect runtime threats using Falco and enforce security policies with Conftest.

Changes

  • Added submissions/lab9.md, labs/lab9/falco/rules/custom-rules.yaml, labs/lab9/policies/extra/hardening.rego

Testing

The Falco cryptominer detection rule was validated by starting a TCP server on 127.0.0.1:3333 and generating a connection with nc, simulating traffic to a mining pool port.

Commands executed:

# Start the server
docker exec -d lab9-target /bin/sh -c 'nc -l -p 3333'

# Connect to the server
docker exec lab9-target /bin/sh -c 'nc -z 127.0.0.1 3333'

# Check if the rule fired
sleep 15
grep "Cryptominer" labs/lab9/falco/logs/falco.log

Observed output:

{"hostname":"1cd21273f0bd","output":"2026-07-06T23:05:05.771201256+0000: Critical Possible Cryptominer Activity (container=lab9-target proc=nc -z 127.0.0.1 3333 target=<NA>:3333) container_id=5e75ca991d02 container_name=lab9-target container_image_repository=alpine container_image_tag=3.20 k8s_pod_name=<NA> k8s_ns_name=<NA>","output_fields":{"container.id":"5e75ca991d02","container.image.repository":"alpine","container.image.tag":"3.20","container.name":"lab9-target","evt.time.iso8601":1783379105771201256,"fd.rip.name":null,"fd.rport":3333,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"nc -z 127.0.0.1 3333"},"priority":"Critical","rule":"Possible Cryptominer Activity","source":"syscall","tags":["container","mitre_command_and_control","mitre_execution"],"time":"2026-07-06T23:05:05.771201256Z"}

Artifacts & Screenshots

Artifacts

  • submissions/lab9.md
  • labs/lab9/falco/rules/custom-rules.yaml
  • labs/lab9/policies/extra/hardening.rego

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temp files committed
  • Submission file at submissions/labN.md exists
  • Task 1 — 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 — ≥3 Conftest rules (K8s pass/fail) + shipped compose policy run
  • Bonus — Cryptominer detection rule with triggered alert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant