Skip to content

feat(lab9): Falco custom rules + Conftest hardening policies#1450

Open
alberto-de-swerto wants to merge 1 commit into
inno-devops-labs:mainfrom
alberto-de-swerto:feature/lab9
Open

feat(lab9): Falco custom rules + Conftest hardening policies#1450
alberto-de-swerto wants to merge 1 commit into
inno-devops-labs:mainfrom
alberto-de-swerto:feature/lab9

Conversation

@alberto-de-swerto

Copy link
Copy Markdown

Lab 9 β€” runtime detection (Falco) + policy-as-code (Conftest). Write-up in submissions/lab9.md.

What I did

  • Task 1 β€” Falco: ran Falco 0.43.1 with the modern eBPF probe and captured two baseline alerts (Terminal shell in container, Read sensitive file untrusted) plus a custom rule Write to /tmp by container that fires on the test write.
  • Task 2 β€” Conftest: wrote labs/lab9/policies/extra/hardening.rego (5 rules: runAsNonRoot, allowPrivilegeEscalation, drop ALL caps, memory limit, digest-pinned image). Hardened manifest passes (10/10), unhardened fails with all 5 denies; also ran the shipped compose policy (pass on juice-compose, fail on a bad compose).
  • Bonus β€” cryptominer rule: Possible Cryptominer Activity combines two indicators (mining-pool ports + known miner process names), CRITICAL; fires on a miner-named process.

Notes

  • Falco ran on Colima (real Ubuntu 6.8 kernel + BTF), per the lab's macOS pitfall note.
  • Honest caveat in the write-up: on this host neither Docker Desktop nor the Colima VM exposes the per-syscall sys_enter_connect tracepoint, so Falco can't read the connect destination (fd.sport=<NA>). That only affects the cryptominer rule's port branch, so I trigger that rule via its process-name branch and explain the limitation.
  • Only the 3 lab9 files are committed (falco/rules/custom-rules.yaml, policies/extra/hardening.rego, submissions/lab9.md). Falco logs are gitignored; alerts are pasted into the submission.

Checklist

  • Task 1 β€” 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 β€” 5 Conftest rules (K8s pass/fail) + shipped compose policy run
  • Bonus β€” Cryptominer detection rule with triggered alert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant