docs: add lab9 — falco runtime + conftest policies #12

Open
Uiyrte wants to merge 2 commits into main from feature/lab9
Conversation

@Uiyrte (Owner) commented Nov 7, 2025

Goal

Implement runtime security monitoring with Falco and enforce policy-as-code compliance using Conftest/OPA to harden container deployments across Kubernetes and Docker environments.

Changes

Task 1 - Falco Runtime Detection:

  • Created custom Falco rule Binary W Under UsrLocalBin to detect file writes in /usr/local/bin directory
  • Configured rule to trigger on write operations (open/openat/openat2/creat) with write flags
  • Deployed and tested rule in lab environment with helper container

Task 2 - Policy-as-Code Hardening:

  • Kubernetes Manifests:
    • Updated juice-unhardened.yaml to juice-hardened.yaml with security improvements
    • Added SecurityContext: runAsNonRoot: true, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities.drop: ["ALL"]
    • Implemented resource requests/limits for CPU and memory
    • Added readiness and liveness probes
    • Pinned image version from :latest to v19.0.0
  • Docker Compose:
    • Configured non-root user execution
    • Set read-only filesystem with tmpfs for temporary storage
    • Dropped all Linux capabilities
    • Enabled no-new-privileges security option

Testing

Falco Testing:

  • Started helper container (alpine:3.19) and spawned shell session
  • Performed test writes to /usr/local/bin/drift.txt and /usr/local/bin/custom-rule.txt
  • Verified custom rule triggered with WARNING severity for both write operations
  • Confirmed baseline "Terminal shell in container" alert functioned as expected

Conftest Policy Validation:

  • Tested unhardened manifest: Confirmed 8 policy violations (7 critical, 1 warning)
  • Tested hardened manifest: Verified all policies passed with zero violations
  • Tested Docker Compose manifest: Validated all 15 checks passed successfully
  • Used Conftest with predefined Rego policies for Kubernetes and Docker Compose

Artifacts & Screenshots

Task 1 Artifacts:

  • labs/lab9/falco/rules/custom-rules.yaml - Custom Falco rule definition
  • labs/lab9/falco/logs/falco.log - Falco runtime alerts and evidence
  • Terminal shell detection logs
  • Custom rule trigger logs for both test writes

Task 2 Artifacts:

  • labs/lab9/conftest/juice-unhardened.yaml - Original vulnerable manifest
  • labs/lab9/conftest/juice-hardened.yaml - Security-hardened manifest
  • labs/lab9/conftest/juice-compose.yml - Docker Compose manifest
  • labs/lab9/conftest/conftest-unhardened.txt - Policy violation report
  • labs/lab9/conftest/conftest-hardened.txt - Compliance verification
  • labs/lab9/conftest/conftest-compose.txt - Docker Compose compliance report

Checklist

  • Clear title
  • Docs updated if needed
  • No secrets/large temp files
  • Task 1 — Falco runtime detection (alerts + custom rule)
  • Task 2 — Conftest policies (fail→pass hardening)
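The Task 2 checks described above (securityContext hardening, resource requests/limits, probes, image pinning), as an added example Conftest policy written for this page; it is not the lab's own predefined Rego file. It assumes a Deployment-shaped manifest with containers under `spec.template.spec.containers` (the PR does not state the manifest kind) and reports missing probes as a warning rather than a failure.

```rego
package main
import rego.v1

# securityContext fields and the values the hardened manifest sets (from the PR text).
required_sc := {"runAsNonRoot": true, "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true}

deny contains msg if {
  some c in input.spec.template.spec.containers
  some field, want in required_sc
  not c.securityContext[field] == want
  msg := sprintf("container %q: securityContext.%s must be %v", [c.name, field, want])
}

deny contains msg if {
  some c in input.spec.template.spec.containers
  not drops_all(c)
  msg := sprintf("container %q: securityContext.capabilities.drop must include ALL", [c.name])
}

drops_all(c) if { "ALL" in c.securityContext.capabilities.drop }

deny contains msg if {
  some c in input.spec.template.spec.containers
  some kind in {"requests", "limits"}
  some res in {"cpu", "memory"}
  not c.resources[kind][res]
  msg := sprintf("container %q: resources.%s.%s must be set", [c.name, kind, res])
}

deny contains msg if {
  some c in input.spec.template.spec.containers
  not pinned(c.image)
  msg := sprintf("container %q: image %q must carry a version tag, not :latest", [c.name, c.image])
}

# Inspect only the last path segment so a registry port (host:5000/app) is not taken for a tag.
pinned(image) if {
  parts := split(image, "/")
  last := parts[count(parts) - 1]
  contains(last, ":")
  not endswith(last, ":latest")
}

warn contains msg if {
  some c in input.spec.template.spec.containers
  some probe in {"readinessProbe", "livenessProbe"}
  not c[probe]
  msg := sprintf("container %q: %s is not defined", [c.name, probe])
}
```

Run it with `conftest test -p <policy dir> juice-unhardened.yaml` to see the failures, then against `juice-hardened.yaml` to confirm a clean pass.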
