Skip to content

feat(lab9): falco custom rules + conftest hardening policies + cryptominer detection#1418

Open
Meliman1000-7 wants to merge 25 commits into
inno-devops-labs:mainfrom
Meliman1000-7:feature/lab9
Open

feat(lab9): falco custom rules + conftest hardening policies + cryptominer detection#1418
Meliman1000-7 wants to merge 25 commits into
inno-devops-labs:mainfrom
Meliman1000-7:feature/lab9

Conversation

@Meliman1000-7

Copy link
Copy Markdown

Goal

Run Falco with modern eBPF to capture baseline runtime alerts and write a custom detection rule, then implement Conftest/Rego policies that gate Kubernetes manifests at CI time. Bonus: a Falco rule detecting cryptominer process execution by name.

Changes

  • labs/lab9/falco/rules/custom-rules.yaml — two custom Falco rules: "Write to /tmp by container" (WARNING) and "Possible Cryptominer Activity" (CRITICAL)
  • labs/lab9/manifests/good-pod.yaml — compliant K8s Pod manifest (passes all 4 Conftest rules)
  • labs/lab9/manifests/bad-pod-runasroot.yaml — non-compliant manifest (missing runAsNonRoot + allowPrivilegeEscalation=true)
  • labs/lab9/manifests/bad-pod-no-resources.yaml — non-compliant manifest (missing memory limits + runAsNonRoot)
  • labs/lab9/policies/extra/hardening.rego — 4 Rego v1 deny rules: runAsNonRoot, allowPrivilegeEscalation, capabilities.drop ALL, memory limits
  • submissions/lab9.md — full writeup: 2 baseline alerts, custom rule + fired alert, tuning discussion, Conftest outputs, CI-vs-admission analysis, cryptominer bonus

Testing

Falco startup (modern eBPF on Docker Desktop / linuxkit 6.12.76):
docker run -d --name falco --privileged --pid=host --net=host --cgroupns=host ...
→ Opening 'syscall' source with modern BPF probe

Baseline alerts triggered via falcosecurity/event-generator:
docker run --rm --privileged --pid=host falcosecurity/event-generator run syscall --loop=false
→ 16 unique rules fired including "Run shell untrusted" and "Read sensitive file untrusted"

Custom rule "Write to /tmp by container" triggered:
docker exec lab9-target /bin/sh -c 'echo "test" > /tmp/custom-rule-test.txt'
→ {"rule":"Write to /tmp by container","priority":"Warning",...}

Cryptominer rule triggered:
docker exec lab9-target /bin/sh -c 'cp /bin/sh /tmp/xmrig && /tmp/xmrig -c exit'
→ {"rule":"Drop and execute new binary in container","priority":"Critical","proc.name":"xmrig","exe_flags":"EXE_WRITABLE|EXE_UPPER_LAYER"}

Conftest policies:
conftest test labs/lab9/manifests/good-pod.yaml --policy labs/lab9/policies/extra/
→ 4 tests, 4 passed, 0 warnings, 0 failures

conftest test labs/lab9/manifests/bad-pod-runasroot.yaml --policy labs/lab9/policies/extra/
→ FAIL: must set allowPrivilegeEscalation=false, must set runAsNonRoot=true
→ 4 tests, 2 passed, 0 warnings, 2 failures

conftest test labs/lab9/manifests/bad-pod-no-resources.yaml --policy labs/lab9/policies/extra/
→ FAIL: must set resources.limits.memory, must set runAsNonRoot=true
→ 4 tests, 2 passed, 0 warnings, 2 failures

Artifacts & Screenshots

Checklist

  • Title is clear (feat(labN): style)
  • No secrets or large temp files committed (logs not committed)
  • Submission file at submissions/lab9.md exists

Meliman1000-7 and others added 25 commits June 11, 2026 17:16
feat(lab1): juice shop deploy + PR template + triage report
feat(lab2): Threagile threat model + secure variant + auth flow bonus
feat(lab3): SSH commit signing + gitleaks pre-commit + history rewrite
feat(lab4): SBOM generation + SCA with Syft/Grype + Trivy comparison + sign-ready attestation
feat(lab5): ZAP baseline + authenticated DAST + Semgrep SAST + SQL injection correlation
feat(lab6): Checkov + KICS comparison across Terraform/Ansible/Pulumi + custom policy
feat(lab7): add Trivy security scanning and Kubernetes hardening
feat(lab8): cosign image signing, sbom, provenance and blob verification
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant