Skip to content

feat(lab9): falco custom rules + conftest hardening policies#1447

Open
StefFashka wants to merge 2 commits into
inno-devops-labs:mainfrom
StefFashka:feature/lab9
Open

feat(lab9): falco custom rules + conftest hardening policies#1447
StefFashka wants to merge 2 commits into
inno-devops-labs:mainfrom
StefFashka:feature/lab9

Conversation

@StefFashka

Copy link
Copy Markdown

Goal

Run Falco with modern eBPF, trigger baseline and custom runtime alerts, add Conftest hardening policies, and document Lab 9 evidence.

Changes

  • labs/lab9/falco/rules/custom-rules.yaml β€” added custom Falco rules for /tmp writes and possible cryptominer activity.
  • labs/lab9/policies/extra/hardening.rego β€” added Kubernetes hardening policies for non-root execution, privilege escalation, dropped capabilities, memory limits, and digest-pinned images.
  • labs/lab9/policies/compose-security.rego β€” hardened compose policy checks for missing cap_drop and security_opt fields.
  • submissions/lab9.md β€” added the Lab 9 submission report with Falco alerts, Conftest outputs, tuning notes, and bonus reflection.

Testing

docker run -d --name lab9-target alpine:3.20 sleep 1d
# Expected: target container starts

docker run -d --name falco --privileged `
  -v /proc:/host/proc:ro `
  -v /boot:/host/boot:ro `
  -v /lib/modules:/host/lib/modules:ro `
  -v /usr:/host/usr:ro `
  -v /var/run/docker.sock:/host/var/run/docker.sock `
  -v "${PWD}/labs/lab9/falco/rules:/etc/falco/rules.d:ro" `
  falcosecurity/falco:0.43.1 `
  falco -U -o json_output=true -o time_format_iso_8601=true -o watch_config_files=false
# Expected: Falco starts and logs "Opening 'syscall' source with modern BPF probe."

docker exec -t lab9-target /bin/sh -lc 'echo "shell-in-container final test"'
# Expected: Falco rule "Terminal shell in container" fires

docker exec lab9-target /bin/sh -lc 'cat /etc/shadow > /dev/null'
# Expected: Falco rule "Read sensitive file untrusted" fires

docker exec --user 0 lab9-target /bin/sh -lc 'echo "test" > /tmp/my-write-final.txt'
# Expected: Falco rule "Write to /tmp by container" fires

docker exec lab9-target /bin/sh -c 'nc -w 2 127.0.0.1 3333' 2>$null
# Expected: Falco rule "Possible Cryptominer Activity" fires

docker run --rm -v "${PWD}:/project" -w /project openpolicyagent/conftest:v0.68.0 `
  test labs/lab9/manifests/k8s/juice-hardened.yaml `
  --policy labs/lab9/policies/extra/ --no-color
# Expected: 10 tests, 10 passed, 0 warnings, 0 failures, 0 exceptions

docker run --rm -v "${PWD}:/project" -w /project openpolicyagent/conftest:v0.68.0 `
  test labs/lab9/manifests/k8s/juice-unhardened.yaml `
  --policy labs/lab9/policies/extra/ --no-color
# Expected: 5 failures for missing hardening controls

docker run --rm -v "${PWD}:/project" -w /project openpolicyagent/conftest:v0.68.0 `
  test labs/lab9/manifests/compose/juice-compose.yml `
  --policy labs/lab9/policies/compose-security.rego `
  --namespace compose.security --no-color
# Expected: 4 tests, 4 passed, 0 warnings, 0 failures, 0 exceptions

Artifacts & Screenshots

Submission report: submissions/lab9.md
Falco custom rules: labs/lab9/falco/rules/custom-rules.yaml
K8s Conftest policy: labs/lab9/policies/extra/hardening.rego
Compose Conftest policy: labs/lab9/policies/compose-security.rego
Falco log evidence: pasted into submissions/lab9.md; raw logs are not committed because labs/lab9/falco/logs/ is ignored.

Required checklist:

  • Task 1 β€” 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 β€” β‰₯3 Conftest rules (K8s pass/fail) + shipped compose policy run
  • Bonus β€” Cryptominer detection rule with triggered alert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant