Skip to content

feat(lab9): falco custom rules + conftest hardening policies#1446

Open
JoraXD wants to merge 7 commits into
inno-devops-labs:mainfrom
JoraXD:feature/lab9
Open

feat(lab9): falco custom rules + conftest hardening policies#1446
JoraXD wants to merge 7 commits into
inno-devops-labs:mainfrom
JoraXD:feature/lab9

Conversation

@JoraXD

@JoraXD JoraXD commented Jul 9, 2026

Copy link
Copy Markdown

Goal

Complete Lab 9 runtime detection and Policy-as-Code work with Falco custom rules, Conftest hardening policies, and submission evidence.

Changes

  • Added Falco custom rules:
    • Write to /tmp by container
    • Possible Cryptominer Activity bonus rule
  • Added K8s Conftest hardening policy for:
    • non-root execution
    • allowPrivilegeEscalation: false
    • capabilities.drop: ["ALL"]
    • memory limits
    • sha256 image pinning
  • Added submissions/lab9.md with Falco alerts, Conftest outputs, tuning notes, and bonus reflection.

Testing

Falco:

  • Loaded event sources: syscall
  • Opening syscall source with modern BPF probe
  • Triggered Terminal shell in container
  • Triggered Read sensitive file untrusted
  • Triggered Write to /tmp by container
  • Triggered Possible Cryptominer Activity

conftest test labs/lab9/manifests/k8s/juice-hardened.yaml --policy labs/lab9/policies/extra/

10 tests, 10 passed, 0 warnings, 0 failures, 0 exceptions

conftest test labs/lab9/manifests/k8s/juice-unhardened.yaml --policy labs/lab9/policies/extra/

10 tests, 5 passed, 0 warnings, 5 failures, 0 exceptions

conftest test labs/lab9/manifests/compose/juice-compose.yml --policy labs/lab9/policies/compose-security.rego --namespace compose.security

4 tests, 4 passed, 0 warnings, 0 failures, 0 exceptions

conftest test /tmp/bad-compose.yml --policy labs/lab9/policies/compose-security.rego --namespace compose.security

4 tests, 2 passed, 0 warnings, 2 failures, 0 exceptions

pre-commit run --files labs/lab9/falco/rules/custom-rules.yaml labs/lab9/policies/extra/hardening.rego submissions/lab9.md

Passed

Note: pre-commit run --all-files still fails on existing Lab 6 fixture labs/lab6/vulnerable-iac/ansible/configure.yml, unrelated to this PR.

Artifacts & Screenshots

  • labs/lab9/falco/rules/custom-rules.yaml
  • labs/lab9/policies/extra/hardening.rego
  • submissions/lab9.md

  • Title is clear (feat(lab9): falco runtime detection + conftest policies)
  • No secrets/large temp files committed
  • Submission file at submissions/lab9.md exists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant