feat(lab9): falco custom rules + conftest hardening policies#9

Merged
RII6 merged 1 commit into main from feature/lab9 on Jun 29, 2026
Conversation

@RII6 RII6 commented Jun 29, 2026

Owner

Goal

Adds Falco runtime detection rules and Conftest policy-as-code hardening checks to fulfill Lab 9 requirements.

Changes

  • Created custom Falco rules for detecting writes to /tmp and cryptominer network activity in labs/lab9/falco/rules/custom-rules.yaml.
  • Added Rego policies to enforce Pod Security Standards (runAsNonRoot, allowPrivilegeEscalation, and dropping ALL capabilities) in labs/lab9/policies/extra/hardening.rego.
  • Completed the submissions/lab9.md report with Falco JSON alerts, Conftest test results, and reflections.

Testing

  • Tested Falco rules by executing anomalous commands (echo "test" > /tmp/my-write.txt, nc 127.0.0.1 3333) inside the target container and verifying the JSON alerts in the output logs.
  • Verified Conftest policies locally using conftest test against compliant (juice-hardened.yaml) and non-compliant (juice-unhardened.yaml) manifests, ensuring proper passes and failures.

Artifacts & Screenshots

  • All requested JSON alerts and test outputs have been recorded in submissions/lab9.md.

Checklist

  • Task 1 — 2 baseline + 1 custom Falco alert with tuning discussion
  • Task 2 — ≥3 Conftest rules (K8s pass/fail) + shipped compose policy run
  • Bonus — Cryptominer detection rule with triggered alert

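The PR's own `hardening.rego` is not shown on this page. The following is an added example, written here for illustration and not taken from the lab repository, of how the three Pod Security Standard checks the description lists (runAsNonRoot, allowPrivilegeEscalation, dropping ALL capabilities) are typically expressed for Conftest. It goes slightly beyond the description by also resolving the pod spec inside Deployment-style templates and by covering initContainers; the container and pod-level fallback logic is an assumption about what the lab's policy does, not a description of it.

```rego
package main

# Added example policy (not the PR's labs/lab9/policies/extra/hardening.rego).
# Conftest evaluates every `deny` rule in package main against each YAML
# document passed on the command line.
import rego.v1

# Resolve the pod spec for a bare Pod, or for a workload (Deployment,
# StatefulSet, DaemonSet, Job, ...) that carries a pod template.
pod_spec := input.spec if input.kind == "Pod"

pod_spec := input.spec.template.spec if {
	input.kind != "Pod"
	input.spec.template.spec
}

# All containers, including init containers, which policies often forget.
containers contains c if some c in pod_spec.containers

containers contains c if some c in pod_spec.initContainers

# Name used in messages; falls back to a placeholder for unnamed documents.
name := object.get(input, ["metadata", "name"], "<unnamed>")

# Check 1: every container must run as non-root. A container-level
# securityContext overrides the pod-level one, so an explicit `false` on the
# container is a violation even when the pod sets `true`.
runs_as_non_root(c) if c.securityContext.runAsNonRoot == true

runs_as_non_root(c) if {
	not c.securityContext.runAsNonRoot == false
	pod_spec.securityContext.runAsNonRoot == true
}

deny contains msg if {
	some c in containers
	not runs_as_non_root(c)
	msg := sprintf("%s/%s: container %q must set securityContext.runAsNonRoot: true", [input.kind, name, c.name])
}

# Check 2: privilege escalation must be explicitly disabled. The restricted
# profile requires the field to be present and false, so "unset" also fails.
deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("%s/%s: container %q must set securityContext.allowPrivilegeEscalation: false", [input.kind, name, c.name])
}

# Check 3: all Linux capabilities must be dropped via capabilities.drop: ["ALL"].
drops_all(c) if "ALL" in c.securityContext.capabilities.drop

deny contains msg if {
	some c in containers
	not drops_all(c)
	msg := sprintf("%s/%s: container %q must drop ALL capabilities", [input.kind, name, c.name])
}
```

Saved as `hardening.rego` (file name assumed), it is run against a manifest with `conftest test -p hardening.rego some-manifest.yaml`; a compliant manifest produces no `deny` output, and a non-compliant one produces one message per failing container and check, which matches the pass/fail split the description reports for `juice-hardened.yaml` and `juice-unhardened.yaml`.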
@RII6 RII6 merged commit 35a33bd into main Jun 29, 2026
1 check passed