docs: add lab9 — falco runtime + conftest policies#10

Status: Open
ph1larmon1a wants to merge 1 commit into main from feature/lab9
Conversation

@ph1larmon1a (Owner)

Goal

Enhance the project's runtime and deployment security posture by introducing Falco-based runtime detection and Conftest policy-as-code validation.
This update delivers continuous behavioral monitoring for container workloads and ensures Kubernetes/Compose manifests meet hardened baselines, aligning the environment with modern container compliance practices.


Changes

  • Deployed Falco with modern eBPF and captured real-time container alerts.

  • Triggered baseline detection (Terminal shell in container) and implemented a custom Falco rule Write Binary Under UsrLocalBin to detect image drift through writes in /usr/local/bin.

  • Validated Falco alerting by running the Falco event-generator, confirming detection of critical events (fileless execution, release agent container escape, etc.).

  • Added the custom rule to labs/lab9/falco/rules/custom-rules.yaml with tuning notes and evidence screenshots referenced in submission9.md.

  • Executed Conftest (OPA/Rego) policies against:

    • Unhardened K8s manifest: produced 8 failures + 2 warnings (missing resources, probes, privilege controls).
    • Hardened manifest: all 30 tests passed (non-root, read-only FS, dropped caps, resource limits, probes).
    • Docker Compose manifest: all 15 tests passed (read-only filesystem, tmpfs, no-new-privileges, non-root user).
  • Documented comprehensive findings, evidence tables, and mitigation reasoning in labs/submission9.md.


Testing

Manual validation performed as part of the lab workflow:

  • Falco runtime test

    • Verified baseline shell alert triggered correctly.
    • Verified custom rule alerts on /usr/local/bin/drift.txt and custom-rule.txt.
    • Confirmed event-generator raised multiple critical and warning detections.
  • Policy-as-code test

    • Ran Conftest tests on all manifests; matched expected fail→pass results.
    • Reviewed hardening changes and confirmed they satisfy enforced Rego policies.
  • Steps to reproduce and screenshots/logs are detailed in labs/submission9.md and supporting analysis files.


Artifacts & Screenshots

  • Falco custom rule: labs/lab9/falco/rules/custom-rules.yaml

  • Submission report: labs/submission9.md — includes Falco evidence, rule source, and Conftest analysis.

  • Falco log: labs/lab9/falco/logs/falco.log — baseline and custom alerts + event-generator detections.

  • Conftest results:

    • labs/lab9/analysis/conftest-unhardened.txt — 20 passed / 2 warn / 8 fail
    • labs/lab9/analysis/conftest-hardened.txt — 30 passed / 0 fail
    • labs/lab9/analysis/conftest-compose.txt — 15 passed / 0 fail
  • Manifests for reference:

    • K8s unhardened → labs/lab9/manifests/k8s/juice-unhardened.yaml
    • K8s hardened → labs/lab9/manifests/k8s/juice-hardened.yaml
    • Compose → labs/lab9/manifests/compose/juice-compose.yml

Checklist

  • PR has a clear and descriptive title
  • Documentation updated if needed
  • No secrets or large temporary files committed
  • Task 1 — Falco runtime detection (alerts + custom rule)
  • Task 2 — Conftest policies (fail→pass hardening)
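The PR reports that the unhardened Juice Shop manifest fails the Conftest policies while the hardened one passes, but the Rego rules themselves are not part of this page. The block below is an added example, not the lab's Conftest policies or any file from this PR: it implements in plain Python the categories of check the description names (non-root, read-only root filesystem, dropped capabilities, privilege escalation, CPU/memory limits, liveness/readiness probes, plus host namespace use at pod level, and a warning for unpinned image tags or missing requests) and runs them over two constructed Deployment manifests that stand in for juice-unhardened.yaml and juice-hardened.yaml. The check set and the manifests are my own approximation; the `example/juice-shop` image name and the `1.0.0` tag are placeholders.

```python
"""Minimal policy-as-code evaluator for Kubernetes Deployments (added example).

Not the lab's Conftest/Rego rules: these checks approximate the categories the
PR lists. Manifests are embedded as dicts so the script runs offline without a
YAML parser; in practice you would load the YAML file and pass the dict in.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Finding:
    level: str       # "fail" (deny) or "warn"
    container: str   # container name, or "<pod>" for pod-level findings
    message: str


# Constructed stand-in for juice-unhardened.yaml: no securityContext, no
# resources, no probes, unpinned image tag.
UNHARDENED: Dict[str, Any] = {
    "kind": "Deployment",
    "metadata": {"name": "juice-shop"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "juice-shop", "image": "example/juice-shop"},
    ]}}},
}

# Constructed stand-in for juice-hardened.yaml: every check below satisfied.
HARDENED: Dict[str, Any] = {
    "kind": "Deployment",
    "metadata": {"name": "juice-shop"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "juice-shop",
        "image": "example/juice-shop:1.0.0",
        "securityContext": {
            "runAsNonRoot": True,
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
        "resources": {
            "requests": {"cpu": "250m", "memory": "256Mi"},
            "limits": {"cpu": "500m", "memory": "512Mi"},
        },
        "livenessProbe": {"httpGet": {"path": "/", "port": 3000}},
        "readinessProbe": {"httpGet": {"path": "/", "port": 3000}},
    }]}}},
}


def check_container(c: Dict[str, Any]) -> List[Finding]:
    """Apply container-level checks; returns an empty list when all pass."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext", {})
    resources = c.get("resources", {})
    limits = resources.get("limits", {})
    findings: List[Finding] = []

    def fail(msg: str) -> None:
        findings.append(Finding("fail", name, msg))

    def warn(msg: str) -> None:
        findings.append(Finding("warn", name, msg))

    if sc.get("runAsNonRoot") is not True:
        fail("securityContext.runAsNonRoot must be true")
    if sc.get("readOnlyRootFilesystem") is not True:
        fail("securityContext.readOnlyRootFilesystem must be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        fail("securityContext.allowPrivilegeEscalation must be false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        fail("securityContext.capabilities.drop must include ALL")
    if sc.get("privileged") is True:
        fail("securityContext.privileged must not be true")
    for res in ("cpu", "memory"):
        if res not in limits:
            fail(f"resources.limits.{res} must be set")
    for probe in ("livenessProbe", "readinessProbe"):
        if probe not in c:
            fail(f"{probe} must be defined")

    image = c.get("image", "")
    if ":" not in image or image.endswith(":latest"):
        warn("image should be pinned to a specific tag")
    if "requests" not in resources:
        warn("resources.requests should be set for scheduling")
    return findings


def evaluate(manifest: Dict[str, Any]) -> List[Finding]:
    """Evaluate a Deployment manifest; pod-level checks first, then each container."""
    pod_spec = manifest["spec"]["template"]["spec"]
    findings: List[Finding] = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key) is True:
            findings.append(Finding("fail", "<pod>", f"{key} must not be true"))
    for c in pod_spec.get("containers", []):
        findings.extend(check_container(c))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per level, in the same fail/warn shape Conftest reports."""
    return {lvl: sum(1 for f in findings if f.level == lvl) for lvl in ("fail", "warn")}


if __name__ == "__main__":
    for label, manifest in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        results = evaluate(manifest)
        print(f"{label}: {summarize(results)}")
        for f in results:
            print(f"  {f.level.upper():4} {f.container}: {f.message}")
```

Running the script prints eight failures and two warnings for the constructed unhardened manifest and nothing for the hardened one, which is the fail-to-pass shape the PR describes; with a real manifest, feed the parsed YAML dict to `evaluate()` and gate the pipeline on an empty `fail` count.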
