detecting-container-escape-attempts

容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、敏感路径挂载和异常系统调用模式。

9 stars

Best use case

detecting-container-escape-attempts is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、敏感路径挂载和异常系统调用模式。

Teams using detecting-container-escape-attempts should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/detecting-container-escape-attempts/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/detecting-container-escape-attempts/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/detecting-container-escape-attempts/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How detecting-container-escape-attempts Compares

Feature / Agentdetecting-container-escape-attemptsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、敏感路径挂载和异常系统调用模式。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 检测容器逃逸尝试

## 概述

容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、挂载敏感路径和异常系统调用模式。

## 前提条件

- 内核 5.10+ 的 Linux 主机(支持 eBPF)
- Falco 0.37+ 已安装(内核模块或 eBPF 探针)
- Docker Engine 或 containerd 运行时
- auditd 已配置
- 加载 eBPF/内核模块需要 Root 访问权限

## 核心概念

### 常见容器逃逸向量

| 向量 | 技术 | MITRE ID |
|------|------|----------|
| 特权容器 | 挂载主机文件系统,加载内核模块 | T1611 |
| Docker socket 挂载 | 从内部创建特权容器 | T1610 |
| 内核漏洞利用 | CVE-2022-0185 (fsconfig), Dirty Pipe, runc CVEs | T1068 |
| 能力滥用 | CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_ADMIN | T1548 |
| 敏感挂载 | /proc/sysrq-trigger, /proc/kcore, cgroup release_agent | T1611 |
| 命名空间逃逸 | nsenter, unshare 到主机命名空间 | T1611 |
| 符号链接/绑定挂载 | 通过 /proc/self/root 逃逸 | T1611 |

### 检测层次

1. **系统调用监控** - eBPF/内核模块实时捕获系统调用
2. **文件完整性** - 检测对逃逸相关路径的修改
3. **进程监控** - 跟踪进程创建、命名空间变化
4. **网络监控** - 检测容器到主机的连接
5. **审计日志** - Linux auditd 用于能力和挂载操作

## 实施步骤

### 步骤 1:部署 Falco 进行运行时检测

```yaml
# Helm 部署的 falco-values.yaml
falco:
  driver:
    kind: ebpf   # 或 modern_ebpf(内核 5.8+)
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    - /etc/falco/rules.d
  json_output: true
  json_include_output_property: true
  http_output:
    enabled: true
    url: "http://falcosidekick:2801"
  grpc:
    enabled: true
  priority: warning
```

```bash
# 通过 Helm 安装 Falco
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --namespace falco-system --create-namespace \
  -f falco-values.yaml
```

### 步骤 2:自定义 Falco 逃逸检测规则

```yaml
# /etc/falco/rules.d/container_escape.yaml

# 检测通过特权容器的容器逃逸
- rule: Container Escape via Privileged Mode
  desc: 检测使用特权能力尝试逃逸容器
  condition: >
    spawned_process and container and
    (proc.name in (nsenter, unshare, mount, umount, modprobe, insmod) or
     (proc.name = chroot and proc.args contains "/host"))
  output: >
    通过特权操作尝试容器逃逸
    (user=%user.name container=%container.name image=%container.image.repository
     command=%proc.cmdline pid=%proc.pid %container.info)
  priority: CRITICAL
  tags: [container, escape, T1611]

# 检测从容器访问 Docker socket
- rule: Container Access to Docker Socket
  desc: 检测容器读/写 Docker socket
  condition: >
    (open_read or open_write) and container and
    fd.name = /var/run/docker.sock
  output: >
    从容器访问了 Docker socket
    (user=%user.name container=%container.name image=%container.image.repository
     fd=%fd.name command=%proc.cmdline %container.info)
  priority: CRITICAL
  tags: [container, escape, docker_socket]

# 检测对敏感 proc 文件系统的访问
- rule: Container Access to Sensitive Proc Paths
  desc: 检测容器访问主机敏感的 proc 路径
  condition: >
    open_read and container and
    (fd.name startswith /proc/sysrq-trigger or
     fd.name startswith /proc/kcore or
     fd.name startswith /proc/kmsg or
     fd.name startswith /proc/kallsyms or
     fd.name startswith /sys/kernel)
  output: >
    从容器访问了敏感的 proc/sys 路径
    (user=%user.name container=%container.name path=%fd.name
     command=%proc.cmdline %container.info)
  priority: CRITICAL
  tags: [container, escape, proc_access]

# 检测 cgroup 逃逸技术
- rule: Container Cgroup Escape Attempt
  desc: 检测写入 cgroup release_agent(逃逸技术)
  condition: >
    open_write and container and
    (fd.name contains release_agent or
     fd.name contains notify_on_release)
  output: >
    检测到 cgroup 逃逸尝试
    (user=%user.name container=%container.name path=%fd.name
     command=%proc.cmdline %container.info)
  priority: CRITICAL
  tags: [container, escape, cgroup]

# 检测从容器加载内核模块
- rule: Container Loading Kernel Module
  desc: 检测容器尝试加载内核模块
  condition: >
    spawned_process and container and
    (proc.name in (modprobe, insmod, rmmod) or
     (evt.type = init_module or evt.type = finit_module))
  output: >
    从容器尝试加载内核模块
    (user=%user.name container=%container.name command=%proc.cmdline
     %container.info)
  priority: CRITICAL
  tags: [container, escape, kernel_module]

# 检测命名空间操纵
- rule: Container Namespace Manipulation
  desc: 检测来自容器的 setns/unshare 系统调用
  condition: >
    container and (evt.type = setns or evt.type = unshare) and
    not proc.name in (containerd-shim, runc)
  output: >
    来自容器的命名空间操纵
    (user=%user.name container=%container.name syscall=%evt.type
     command=%proc.cmdline %container.info)
  priority: CRITICAL
  tags: [container, escape, namespace]

# 检测来自容器的挂载操作
- rule: Container Mount Sensitive Filesystem
  desc: 检测容器挂载主机文件系统
  condition: >
    spawned_process and container and proc.name = mount and
    (proc.args contains "/dev/" or proc.args contains "proc" or
     proc.args contains "sysfs")
  output: >
    来自容器的敏感挂载操作
    (user=%user.name container=%container.name command=%proc.cmdline
     %container.info)
  priority: HIGH
  tags: [container, escape, mount]
```

### 步骤 3:配置 Seccomp Profile 防止逃逸

```json
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "archMap": [
    { "architecture": "SCMP_ARCH_X86_64", "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"] }
  ],
  "syscalls": [
    {
      "names": [
        "read", "write", "open", "close", "stat", "fstat", "lstat",
        "poll", "lseek", "mmap", "mprotect", "munmap", "brk",
        "rt_sigaction", "rt_sigprocmask", "ioctl", "access",
        "pipe", "select", "sched_yield", "dup", "dup2",
        "nanosleep", "getpid", "socket", "connect", "accept",
        "sendto", "recvfrom", "bind", "listen", "getsockname",
        "getpeername", "socketpair", "setsockopt", "getsockopt",
        "clone", "fork", "vfork", "execve", "exit", "wait4",
        "kill", "getuid", "getgid", "geteuid", "getegid",
        "epoll_create", "epoll_wait", "epoll_ctl", "epoll_create1",
        "futex", "set_tid_address", "set_robust_list",
        "openat", "newfstatat", "readlinkat", "fchownat",
        "clock_gettime", "clock_getres", "clock_nanosleep",
        "getrandom", "memfd_create", "statx", "rseq"
      ],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": ["unshare", "setns", "mount", "umount2", "pivot_root",
                "init_module", "finit_module", "delete_module",
                "kexec_load", "kexec_file_load", "ptrace",
                "reboot", "swapon", "swapoff", "sethostname",
                "setdomainname", "keyctl", "bpf"],
      "action": "SCMP_ACT_LOG",
      "comment": "记录逃逸相关系统调用用于检测"
    }
  ]
}
```

### 步骤 4:容器逃逸审计规则

```bash
# /etc/audit/rules.d/container-escape.rules

# 监控命名空间操作
-a always,exit -F arch=b64 -S setns -S unshare -k container_escape
-a always,exit -F arch=b64 -S mount -S umount2 -k container_mount
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_module
-a always,exit -F arch=b64 -S ptrace -k process_trace

# 监控敏感路径
-w /var/run/docker.sock -p rwxa -k docker_socket
-w /proc/sysrq-trigger -p w -k sysrq
-w /proc/kcore -p r -k kcore_read

# 监控容器运行时
-w /usr/bin/runc -p x -k container_runtime
-w /usr/bin/containerd -p x -k container_runtime
-w /usr/bin/docker -p x -k container_runtime
```

### 步骤 5:实时告警流水线

```yaml
# 用于告警路由的 Falcosidekick 配置
config:
  slack:
    webhookurl: "https://hooks.slack.com/services/xxx"
    minimumpriority: "critical"
    messageformat: |
      *容器逃逸告警*
      规则: {{ .Rule }}
      优先级: {{ .Priority }}
      输出: {{ .Output }}

  elasticsearch:
    hostport: "https://elasticsearch:9200"
    index: "falco-alerts"
    minimumpriority: "warning"

  pagerduty:
    routingkey: "xxxx"
    minimumpriority: "critical"
```

## 验证命令

```bash
# 使用事件生成器测试 Falco 规则
kubectl run falco-event-generator \
  --image=falcosecurity/event-generator \
  --restart=Never \
  -- run syscall --action PtraceAttachContainer

# 检查 Falco 告警
kubectl logs -n falco-system -l app.kubernetes.io/name=falco --tail=50

# 验证 seccomp profile 已加载
docker inspect --format '{{.HostConfig.SecurityOpt}}' <container-id>

# 检查审计日志中的逃逸相关事件
ausearch -k container_escape --interpret
```

## 参考资料

- [Falco 运行时安全](https://falco.org/docs/)
- [容器逃逸技术 - HackTricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation)
- [MITRE ATT&CK T1611 - 逃逸到主机](https://attack.mitre.org/techniques/T1611/)
- [Sysdig 容器安全](https://sysdig.com/products/secure/)

Related Skills

securing-container-registry-with-harbor

9
from killvxk/cybersecurity-skills-zh

Harbor 是一个开源容器镜像仓库,提供安全功能包括漏洞扫描(集成 Trivy)、镜像签名(Notary/Cosign)、RBAC、内容信任策略(Content Trust)、复制和审计日志。配置这些功能以强制执行镜像来源验证、防止有漏洞镜像部署并维护仓库访问控制。

securing-container-registry-images

9
from killvxk/cybersecurity-skills-zh

通过使用 Trivy 和 Grype 实施漏洞扫描、使用 Cosign 和 Sigstore 强制执行镜像签名、配置镜像仓库访问控制,以及构建阻止部署未扫描或未签名镜像的 CI/CD 流水线,来保护容器仓库(Container Registry)中的镜像安全。

scanning-containers-with-trivy-in-cicd

9
from killvxk/cybersecurity-skills-zh

本技能涵盖将 Aqua Security 的 Trivy 扫描器集成到 CI/CD 流水线中,用于全面的容器镜像漏洞检测。包括扫描 Docker 镜像中的操作系统包和应用依赖 CVE、检测 Dockerfile 中的错误配置、扫描文件系统和 Git 仓库,以及建立基于严重性的质量门禁以阻止有漏洞的镜像部署。

scanning-container-images-with-grype

9
from killvxk/cybersecurity-skills-zh

使用 Anchore Grype 扫描容器镜像的已知漏洞(Vulnerability),支持基于 SBOM 的匹配和可配置的严重性阈值。

performing-container-security-scanning-with-trivy

9
from killvxk/cybersecurity-skills-zh

使用 Aqua Security Trivy 扫描容器镜像、文件系统和 Kubernetes 清单,检测漏洞(Vulnerability)、错误配置、暴露的密钥和许可证合规问题,并生成 SBOM(Software Bill of Materials,软件物料清单)及集成到 CI/CD 流水线。

performing-container-image-hardening

9
from killvxk/cybersecurity-skills-zh

本技能涵盖通过最小化攻击面、移除不必要软件包、实施多阶段构建、配置非 root 用户, 以及应用 CIS Docker 基准建议来加固容器镜像,生成安全的生产就绪镜像。

performing-container-escape-detection

9
from killvxk/cybersecurity-skills-zh

通过分析命名空间配置、特权容器检查、危险能力分配和宿主机路径挂载,使用 kubernetes Python 客户端检测容器逃逸尝试。识别通过 cgroup 滥用的 CVE-2022-0492 类型逃逸。 适用于审计容器安全态势或调查逃逸尝试。

implementing-container-network-policies-with-calico

9
from killvxk/cybersecurity-skills-zh

使用 Calico CNI 网络策略和全局网络策略实施 Kubernetes 网络分段,控制 Pod 间流量、限制出口流量并实现零信任微分段。

implementing-container-image-minimal-base-with-distroless

9
from killvxk/cybersecurity-skills-zh

通过在 Google distroless 基础镜像上构建应用镜像来减少容器攻击面,这些镜像仅包含应用运行时,没有 shell、包管理器或不必要的 OS 工具。

implementing-aqua-security-for-container-scanning

9
from killvxk/cybersecurity-skills-zh

部署 Aqua Security 的 Trivy 扫描器,在 CI/CD 管道和镜像仓库中检测容器镜像的漏洞、配置错误、敏感信息和许可证问题。

hardening-docker-containers-for-production

9
from killvxk/cybersecurity-skills-zh

对生产环境 Docker 容器进行安全加固,涵盖符合 CIS Docker Benchmark v1.8.0 的安全最佳实践,旨在最小化攻击面、防止权限提升,并在 Docker daemon、镜像、容器和运行时配置中强制执行最小权限原则

detecting-wmi-persistence

9
from killvxk/cybersecurity-skills-zh

通过分析 Sysmon 事件 ID 19、20 和 21 中的恶意 EventFilter、EventConsumer 和 FilterToConsumerBinding 创建,检测 WMI 事件订阅持久化。