feat(lab9): falco custom rules + conftest hardening policies#1437
Open
m1d0rfeed wants to merge 1 commit into
Open
feat(lab9): falco custom rules + conftest hardening policies#1437m1d0rfeed wants to merge 1 commit into
m1d0rfeed wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal
This PR implements runtime security monitoring and policy-as-code hardening for the DevSecOps-Intro course (Lab 9), combining runtime incident detection with Falco and preventive configuration validation with Conftest.
Changes
Falco Runtime Security - Task 1 and Bonus
Added
labs/lab9/falco/rules/custom-rules.yaml.Added the custom
Write to /tmp by containerrule.The rule detects file writes under
/tmp/from containerized processes using theopen_writemacro.Included the required container name, user, file path, and process command line in the alert output.
Set the custom rule priority to
WARNINGwith the tags[container, drift].Documented rule tuning considerations using structured Falco
exceptions:blocks and narrow process exclusions.Added the bonus
Possible Cryptominer Activityrule withCRITICALpriority.The bonus rule combines two detection indicators:
Added the required tags:
container;mitre_execution;mitre_command_and_control.Conftest Policy-as-Code - Task 2
Added
labs/lab9/policies/extra/hardening.rego.Implemented five Kubernetes hardening checks:
runAsNonRoot: trueat pod or container level;allowPrivilegeEscalation: false;ALLLinux capability;resources.limits.memory;@sha256digest.Validated the policy against both hardened and unhardened Kubernetes manifests.
Tested the provided Docker Compose policy from
compose-security.rego.Documented the difference between CI-time and admission-time policy enforcement.
Testing
Falco
Ran Falco
0.43.1using the modern eBPF probe.Triggered and captured the baseline
Terminal shell in containeralert.Triggered and captured the baseline
Read sensitive file untrustedalert by reading/etc/shadow.Triggered the custom
/tmprule by writing/tmp/final-write.txtinsidelab9-target.Verified that the custom alert included:
Triggered the bonus cryptominer rule with:
Captured a
CRITICALalert containing:container=lab9-target;process=nc;command=nc -w 2 127.0.0.1 3333;addr=127.0.0.1:3333.Conftest
Executed the hardened Kubernetes manifest test:
conftest test labs/lab9/manifests/k8s/juice-hardened.yaml \ --policy labs/lab9/policies/extra/Result:
Executed the unhardened Kubernetes manifest test:
conftest test labs/lab9/manifests/k8s/juice-unhardened.yaml \ --policy labs/lab9/policies/extra/Result:
Tested the hardened Docker Compose manifest:
Tested an intentionally unhardened Docker Compose manifest:
The Compose policy correctly detected:
read_only: true;cap_drop: [ALL].Checklist
feat(labN): ...stylesubmissions/lab9.md