Skip to content

feat(lab9): falco custom rules + conftest hardening policies#1437

Open
m1d0rfeed wants to merge 1 commit into
inno-devops-labs:mainfrom
m1d0rfeed:feature/lab9
Open

feat(lab9): falco custom rules + conftest hardening policies#1437
m1d0rfeed wants to merge 1 commit into
inno-devops-labs:mainfrom
m1d0rfeed:feature/lab9

Conversation

@m1d0rfeed

@m1d0rfeed m1d0rfeed commented Jul 9, 2026

Copy link
Copy Markdown

Goal

This PR implements runtime security monitoring and policy-as-code hardening for the DevSecOps-Intro course (Lab 9), combining runtime incident detection with Falco and preventive configuration validation with Conftest.

Changes

Falco Runtime Security - Task 1 and Bonus

  • Added labs/lab9/falco/rules/custom-rules.yaml.

  • Added the custom Write to /tmp by container rule.

  • The rule detects file writes under /tmp/ from containerized processes using the open_write macro.

  • Included the required container name, user, file path, and process command line in the alert output.

  • Set the custom rule priority to WARNING with the tags [container, drift].

  • Documented rule tuning considerations using structured Falco exceptions: blocks and narrow process exclusions.

  • Added the bonus Possible Cryptominer Activity rule with CRITICAL priority.

  • The bonus rule combines two detection indicators:

    • connections to common mining-pool ports;
    • execution of known miner process names.
  • Added the required tags:

    • container;
    • mitre_execution;
    • mitre_command_and_control.

Conftest Policy-as-Code - Task 2

  • Added labs/lab9/policies/extra/hardening.rego.

  • Implemented five Kubernetes hardening checks:

    • require runAsNonRoot: true at pod or container level;
    • require allowPrivilegeEscalation: false;
    • require dropping the ALL Linux capability;
    • require resources.limits.memory;
    • require container images pinned with an @sha256 digest.
  • Validated the policy against both hardened and unhardened Kubernetes manifests.

  • Tested the provided Docker Compose policy from compose-security.rego.

  • Documented the difference between CI-time and admission-time policy enforcement.

Testing

Falco

  • Ran Falco 0.43.1 using the modern eBPF probe.

  • Triggered and captured the baseline Terminal shell in container alert.

  • Triggered and captured the baseline Read sensitive file untrusted alert by reading /etc/shadow.

  • Triggered the custom /tmp rule by writing /tmp/final-write.txt inside lab9-target.

  • Verified that the custom alert included:

    • container name;
    • user name;
    • file path;
    • process command line.
  • Triggered the bonus cryptominer rule with:

nc -w 2 127.0.0.1 3333
  • Captured a CRITICAL alert containing:

    • container=lab9-target;
    • process=nc;
    • command=nc -w 2 127.0.0.1 3333;
    • addr=127.0.0.1:3333.

Conftest

Executed the hardened Kubernetes manifest test:

conftest test labs/lab9/manifests/k8s/juice-hardened.yaml \
  --policy labs/lab9/policies/extra/

Result:

10 tests, 10 passed, 0 warnings, 0 failures, 0 exceptions

Executed the unhardened Kubernetes manifest test:

conftest test labs/lab9/manifests/k8s/juice-unhardened.yaml \
  --policy labs/lab9/policies/extra/

Result:

10 tests, 5 passed, 0 warnings, 5 failures, 0 exceptions

Tested the hardened Docker Compose manifest:

4 tests, 4 passed, 0 warnings, 0 failures, 0 exceptions

Tested an intentionally unhardened Docker Compose manifest:

4 tests, 1 passed, 0 warnings, 3 failures, 0 exceptions

The Compose policy correctly detected:

  • missing explicit non-root user;
  • missing read_only: true;
  • missing cap_drop: [ALL].

Checklist

  • Title follows the required feat(labN): ... style
  • No secrets or large temporary files committed
  • Submission file exists at submissions/lab9.md
  • Task 1- two baseline Falco alerts captured
  • Task 1 - custom Falco rule implemented and triggered
  • Task 1 - tuning consideration documented
  • Task 2 - at least three Conftest rules implemented
  • Task 2 - Kubernetes compliant manifest passes
  • Task 2 - Kubernetes non-compliant manifest fails
  • Task 2 - provided Compose policy tested with pass and fail cases
  • Bonus - cryptominer detection rule implemented
  • Bonus - cryptominer alert successfully triggered

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant