docs(lab9): add lab9 — falco runtime + conftest policies

[3llimi]

Goal

Implement runtime threat detection with Falco and policy-as-code enforcement with Conftest (OPA/Rego) for Kubernetes and Docker Compose manifests. Covers Lab 9 Tasks 1 and 2.

Changes

• labs/lab9/falco/rules/custom-rules.yaml — custom Falco rule detecting writes to /usr/local/bin/ inside containers
• labs/lab9/falco/logs/falco.log — captured Falco alerts (Terminal shell + drift write + event generator)
• labs/lab9/manifests/k8s/juice-unhardened.yaml — baseline K8s Deployment with intentional misconfigurations (privileged, root, no limits)
• labs/lab9/manifests/k8s/juice-hardened.yaml — compliant K8s Deployment with full security context hardening
• labs/lab9/manifests/compose/juice-compose.yml — Docker Compose manifest with privileged + root misconfigurations
• labs/lab9/policies/k8s-security.rego — Rego policy enforcing K8s hardening (3 deny + 2 warn rules)
• labs/lab9/policies/compose-security.rego — Rego policy enforcing Compose security patterns
• labs/lab9/analysis/conftest-unhardened.txt — Conftest results: 3 failures, 2 warnings
• labs/lab9/analysis/conftest-hardened.txt — Conftest results: 7/7 pass, 0 failures
• labs/lab9/analysis/conftest-compose.txt — Conftest results: 1 failure, 1 warning
• labs/submission9.md — full analysis and evidence write-up

Testing

• Started Falco 0.43.0 with modern eBPF on WSL2 kernel 5.15.167.4-microsoft-standard-WSL2
• Triggered Terminal shell in container alert (Notice) via docker exec -it lab9-helper /bin/sh -lc 'echo hello-from-shell'
• Triggered Write Binary Under UsrLocalBin alert (Warning) via echo boom > /usr/local/bin/drift.txt — captured full JSON with FD_UPPER_LAYER flag
• Validated custom rule firing again via echo custom-test > /usr/local/bin/custom-rule.txt
• Ran falcosecurity/event-generator run syscall — Falco produced 20 alerts across 18 built-in rules including 3 Critical (fileless memfd execution, release_agent container escape, dropped binary execution)
• Ran Conftest against all three manifests using openpolicyagent/conftest:latest with OPA v1 Rego syntax
• Verified unhardened manifest fails (3 FAIL, 2 WARN) and hardened manifest passes (7/7)

Artifacts & Screenshots

Falco Alert 1 — Terminal shell in container (Notice):

2026-03-20T01:47:06Z: Notice A shell was spawned in a container with an attached terminal
rule=Terminal shell in container | container=lab9-helper | user=root | command=sh -lc echo hello-from-shell

Falco Alert 2 — Drift write to /usr/local/bin (Warning):

2026-03-20T07:07:04Z: Warning Falco Custom: File write in /usr/local/bin
rule=Write Binary Under UsrLocalBin | container=lab9-helper | file=/usr/local/bin/drift.txt | flags=O_CREAT|O_WRONLY|FD_UPPER_LAYER

Event generator — 3 Critical alerts (selected):

2026-03-20T07:07:40Z: Critical  Fileless execution via memfd_create        | proc_exepath=memfd:program
2026-03-20T07:07:41Z: Critical  Detect release_agent File Container Escapes | file=/release_agent
2026-03-20T07:07:41Z: Critical  Drop and execute new binary in container    | exe_flags=EXE_UPPER_LAYER

Conftest summary:

juice-unhardened.yaml — 7 tests, 2 passed, 2 warnings, 3 failures
juice-hardened.yaml   — 7 tests, 7 passed, 0 warnings, 0 failures
juice-compose.yml     — 7 tests, 5 passed, 1 warning,  1 failure

---

Checklist

• PR title is clear and descriptive
• Documentation updated if needed
• No secrets or large temporary files committed