Skip to content

feat(lab9): Falco runtime detection + Conftest policy gate#1449

Open
Philip-78 wants to merge 1 commit into
inno-devops-labs:mainfrom
Philip-78:feature/lab9
Open

feat(lab9): Falco runtime detection + Conftest policy gate#1449
Philip-78 wants to merge 1 commit into
inno-devops-labs:mainfrom
Philip-78:feature/lab9

Conversation

@Philip-78

Copy link
Copy Markdown

Goal

Run Falco with modern eBPF on Colima, trigger baseline + custom alerts, write Conftest/Rego policies gating K8s and Compose manifests.

Changes

  • labs/lab9/falco/rules/custom-rules.yaml β€” Write-to-/tmp rule + cryptominer process detection rule
  • labs/lab9/policies/extra/pod-hardening.rego β€” 4 extra Rego rules (namespace, automount, seccomp, runAsUser)
  • submissions/lab9.md β€” all Falco alerts, Conftest outputs, tuning discussion

Testing

  • Falco baseline: "Terminal shell in container" (Notice) + "Read sensitive file untrusted" (Warning)
  • Custom rule: "Write to /tmp by container" fired on echo > /tmp/my-write.txt
  • Cryptominer rule: fired on xmrig binary execution (Critical)
  • Conftest unhardened: 9 failures across k8s.security + extra.pod namespaces
  • Conftest compose: PASS on juice-compose.yml, FAIL on bad-compose.yml

Artifacts

  • submissions/lab9.md β€” full analysis

  • Task 1 β€” 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 β€” 3+ Conftest rules (K8s pass/fail) + compose policy run
  • Bonus β€” Cryptominer detection rule with triggered alert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant