Harden a Linux Container Runtime Against Privilege Escalation
Overview
What this challenge is about.
Receive the pen-test report (with attack chain), the current cluster config (EKS 1.29, default Amazon Linux 2023 worker nodes), and 3 representative workload classes (web API, async worker, batch job). Baseline the current OS posture using Trivy + kube-bench + a custom OSCAP scan. Harden the workers: tighten sysctls (kernel.kptr_restrict, net.ipv4.* hardening), drop capabilities by workload class, write per-class AppArmor profiles, mount /proc with hidepid=2. Deploy Falco with a custom rule set targeting the pen-test attack pattern + 6 additional MITRE ATT&CK techniques. Replay the pen-test chain and prove it now fails. Deliver the hardening Ansible playbooks, the AppArmor profiles, the Falco ruleset, the attack-replay validation report, and an 8-page operations runbook.
The Brief
What you'll do, and what you'll demonstrate.
Re-baseline and harden a Kubernetes worker-node OS posture, deploy runtime detection, and prove the documented attack chain is now blocked.
Earning criteria — what you'll demonstrate
- Baseline OS posture with kube-bench, Trivy, and OSCAP
- Write workload-class AppArmor profiles that don't break the app
- Deploy runtime detection (Falco) with high-signal rules
- Validate hardening against a known attack chain end-to-end
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.