Skip to content

feat(lab9): falco custom rules and conftest policies#1438

Open
L10nff wants to merge 4 commits into
inno-devops-labs:mainfrom
L10nff:feature/lab9
Open

feat(lab9): falco custom rules and conftest policies#1438
L10nff wants to merge 4 commits into
inno-devops-labs:mainfrom
L10nff:feature/lab9

Conversation

@L10nff

@L10nff L10nff commented Jul 9, 2026

Copy link
Copy Markdown

Goal

This PR delivers Lab 9: Runtime Detection with Falco and Policy-as-Code with Conftest.

Changes

  • Added submissions/lab9.md
  • Added custom Falco rules in labs/lab9/falco/rules/custom-rules.yaml
  • Added Conftest hardening policy in labs/lab9/policies/extra/hardening.rego
  • Documented Falco baseline alerts, custom runtime detection alert, Conftest pass/fail outputs, and bonus cryptominer detection evidence
  • Updated .gitignore to exclude runtime Falco logs

Testing

Commands used:

docker run -d --name lab9-target alpine:3.20 sleep 1d

docker run -d --name falco \
  --privileged \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v "$(pwd)/labs/lab9/falco/rules":/etc/falco/rules.d:ro \
  falcosecurity/falco:0.43.1 \
  falco -U \
        -o json_output=true \
        -o time_format_iso_8601=true

docker logs -f falco > labs/lab9/falco/logs/falco.log 2>&1 &

docker exec -it lab9-target /bin/sh -lc 'echo "shell-in-container test"'
docker exec lab9-target /bin/sh -lc 'cat /etc/shadow'
docker exec --user 0 lab9-target /bin/sh -lc 'echo "test" > /tmp/my-write.txt'
docker exec lab9-target /bin/sh -c 'nc -w 2 127.0.0.1 3333' 2>/dev/null || true

grep -E "Terminal shell|shell" labs/lab9/falco/logs/falco.log | head -10
grep -E "Read sensitive file|shadow|Sensitive" labs/lab9/falco/logs/falco.log | head -10
grep "Write to /tmp by container" labs/lab9/falco/logs/falco.log | head -5
grep "Possible Cryptominer Activity" labs/lab9/falco/logs/falco.log | head -5

conftest test labs/lab9/manifests/k8s/juice-hardened.yaml \
  --policy labs/lab9/policies/extra/

conftest test labs/lab9/manifests/k8s/juice-unhardened.yaml \
  --policy labs/lab9/policies/extra/

conftest test labs/lab9/manifests/compose/juice-compose.yml \
  --policy labs/lab9/policies/compose-security.rego \
  --namespace compose.security

cat > /tmp/bad-compose.yml <<'EOF'
services:
  app:
    image: nginx:latest
    ports: ["8080:80"]
EOF

conftest test /tmp/bad-compose.yml \
  --policy labs/lab9/policies/compose-security.rego \
  --namespace compose.security

Observed output:

Falco baseline alert A fired:
Terminal shell in container

Falco baseline alert B fired:
Read sensitive file untrusted

Falco custom rule fired:
Write to /tmp by container

Falco bonus rule fired:
Possible Cryptominer Activity

K8s hardened manifest:
8 tests, 8 passed, 0 warnings, 0 failures, 0 exceptions

K8s unhardened manifest:
FAIL - labs/lab9/manifests/k8s/juice-unhardened.yaml - main - container "juice" must drop ALL Linux capabilities
FAIL - labs/lab9/manifests/k8s/juice-unhardened.yaml - main - container "juice" must set allowPrivilegeEscalation=false
FAIL - labs/lab9/manifests/k8s/juice-unhardened.yaml - main - container "juice" must set resources.limits.memory
FAIL - labs/lab9/manifests/k8s/juice-unhardened.yaml - main - container "juice" must set runAsNonRoot=true at pod or container securityContext

8 tests, 4 passed, 0 warnings, 4 failures, 0 exceptions

Compose hardened manifest:
4 tests, 4 passed, 0 warnings, 0 failures, 0 exceptions

Bad compose manifest:
FAIL - /tmp/bad-compose.yml - compose.security - services must set an explicit non-root user
FAIL - /tmp/bad-compose.yml - compose.security - services must set read_only: true

4 tests, 2 passed, 0 warnings, 2 failures, 0 exceptions

Artifacts & Screenshots

  • Submission file: submissions/lab9.md
  • Custom Falco rules: labs/lab9/falco/rules/custom-rules.yaml
  • Conftest policy: labs/lab9/policies/extra/hardening.rego
  • Evidence: Falco JSON alerts and Conftest command outputs are documented in submissions/lab9.md

Checklist

  • Title is clear (feat(lab9): runtime detection and conftest policies style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab9.md exists
  • Task 1 completed: 2 baseline Falco alerts + 1 custom alert
  • Task 2 completed: K8s Conftest policy with pass/fail evidence
  • Bonus completed: cryptominer-style Falco detection rule with triggered alert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant