
Feature/lab9 #907

Open

LegendIU wants to merge 2 commits into inno-devops-labs:main from LegendIU:feature/lab9

Conversation

@LegendIU

Summary

This PR adds my Lab 9 submission for Monitoring & Compliance.

The lab demonstrates runtime security monitoring with Falco and policy-as-code compliance checks with Conftest/OPA. It includes Falco alert evidence, a custom Falco rule, Conftest results for Kubernetes and Docker Compose manifests, and analysis in labs/submission9.md.

Task 1 — Falco Runtime Detection

Completed:

  • Started an Alpine helper container for runtime testing
  • Ran Falco locally in a privileged container with Docker runtime visibility
  • Captured a baseline Falco alert for terminal shell execution inside a container
  • Added a custom Falco rule to detect writes under /usr/local/bin
  • Validated the custom rule with writes to:
    • /usr/local/bin/drift.txt
    • /usr/local/bin/custom-rule.txt
  • Ran the Falco event generator to produce additional detectable runtime events
  • Saved Falco logs and alert summary

Evidence:

  • labs/lab9/falco/rules/custom-rules.yaml
  • labs/lab9/falco/logs/falco.log
  • labs/lab9/analysis/falco-alerts-summary.txt

Task 2 — Conftest Policy-as-Code

Completed:

  • Reviewed the provided Kubernetes and Docker Compose manifests
  • Reviewed the provided Rego policies
  • Ran Conftest against the unhardened Kubernetes manifest
  • Confirmed that the unhardened manifest fails policy checks
  • Ran Conftest against the hardened Kubernetes manifest
  • Confirmed that the hardened manifest passes all checks
  • Ran Conftest against the Docker Compose manifest
  • Confirmed that the Compose manifest passes all checks

Results:

  • juice-unhardened.yaml: 30 tests, 20 passed, 2 warnings, 8 failures
  • juice-hardened.yaml: 30 tests, 30 passed, 0 warnings, 0 failures
  • juice-compose.yml: 15 tests, 15 passed, 0 warnings, 0 failures

Evidence:

  • labs/lab9/analysis/conftest-unhardened.txt
  • labs/lab9/analysis/conftest-hardened.txt
  • labs/lab9/analysis/conftest-compose.txt

Checklist

  • Task 1 — Falco runtime detection
  • Task 1 — Baseline alert captured
  • Task 1 — Custom Falco rule added and validated
  • Task 1 — Falco event generator executed
  • Task 2 — Conftest run against unhardened Kubernetes manifest
  • Task 2 — Conftest run against hardened Kubernetes manifest
  • Task 2 — Conftest run against Docker Compose manifest
  • labs/submission9.md added
  • Evidence files included
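As an added illustration (not the submission's own custom-rules.yaml, which is not shown on this page), here is a Falco rule implementing the Task 1 check: a file opened for writing under /usr/local/bin from inside a container. The macro and rule names, the output format and the tags are my assumptions; the rule is self-contained so it can be loaded with `falco -r` without depending on the default macros.

```yaml
# Added example: Falco rule for the Task 1 check (writes under /usr/local/bin).
# Assumptions: macro/rule names, output format and tags are illustrative only.
- macro: write_under_usr_local_bin
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_write=true
    and fd.typechar='f'
    and fd.name startswith /usr/local/bin/

- rule: Write below /usr/local/bin in container
  desc: >
    A process inside a container opened a file for writing under
    /usr/local/bin. That directory is on PATH in most images, so an
    unexpected write there indicates image drift or a modified tool
    and is worth alerting on even when the file is harmless (e.g. drift.txt).
  # container.id is "host" for processes outside any container
  condition: write_under_usr_local_bin and container.id != host
  output: >
    File written under /usr/local/bin
    (user=%user.name command=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, container, lab9]
```

Writing /usr/local/bin/drift.txt from the Alpine helper container, as the lab does, should then produce one WARNING line naming the file, the command and the container; writes to the same path on the host are deliberately excluded.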
