detecting-container-escape-attempts
容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、敏感路径挂载和异常系统调用模式。
Best use case
detecting-container-escape-attempts is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、敏感路径挂载和异常系统调用模式。
Teams using detecting-container-escape-attempts should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-container-escape-attempts/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-container-escape-attempts Compares
| Feature / Agent | detecting-container-escape-attempts | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、敏感路径挂载和异常系统调用模式。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 检测容器逃逸尝试
## 概述
容器逃逸是一种严重攻击技术,攻击者突破容器隔离以访问主机系统或其他容器。检测涉及使用 Falco、Sysdig 和自定义 seccomp/审计规则监控逃逸指标,包括命名空间操纵、能力滥用、内核漏洞利用、挂载敏感路径和异常系统调用模式。
## 前提条件
- 内核 5.10+ 的 Linux 主机(支持 eBPF)
- Falco 0.37+ 已安装(内核模块或 eBPF 探针)
- Docker Engine 或 containerd 运行时
- auditd 已配置
- 加载 eBPF/内核模块需要 Root 访问权限
## 核心概念
### 常见容器逃逸向量
| 向量 | 技术 | MITRE ID |
|------|------|----------|
| 特权容器 | 挂载主机文件系统,加载内核模块 | T1611 |
| Docker socket 挂载 | 从内部创建特权容器 | T1610 |
| 内核漏洞利用 | CVE-2022-0185 (fsconfig), Dirty Pipe, runc CVEs | T1068 |
| 能力滥用 | CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_NET_ADMIN | T1548 |
| 敏感挂载 | /proc/sysrq-trigger, /proc/kcore, cgroup release_agent | T1611 |
| 命名空间逃逸 | nsenter, unshare 到主机命名空间 | T1611 |
| 符号链接/绑定挂载 | 通过 /proc/self/root 逃逸 | T1611 |
### 检测层次
1. **系统调用监控** - eBPF/内核模块实时捕获系统调用
2. **文件完整性** - 检测对逃逸相关路径的修改
3. **进程监控** - 跟踪进程创建、命名空间变化
4. **网络监控** - 检测容器到主机的连接
5. **审计日志** - Linux auditd 用于能力和挂载操作
## 实施步骤
### 步骤 1:部署 Falco 进行运行时检测
```yaml
# Helm 部署的 falco-values.yaml
falco:
driver:
kind: ebpf # 或 modern_ebpf(内核 5.8+)
rules_files:
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
- /etc/falco/rules.d
json_output: true
json_include_output_property: true
http_output:
enabled: true
url: "http://falcosidekick:2801"
grpc:
enabled: true
priority: warning
```
```bash
# 通过 Helm 安装 Falco
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
--namespace falco-system --create-namespace \
-f falco-values.yaml
```
### 步骤 2:自定义 Falco 逃逸检测规则
```yaml
# /etc/falco/rules.d/container_escape.yaml
# 检测通过特权容器的容器逃逸
- rule: Container Escape via Privileged Mode
desc: 检测使用特权能力尝试逃逸容器
condition: >
spawned_process and container and
(proc.name in (nsenter, unshare, mount, umount, modprobe, insmod) or
(proc.name = chroot and proc.args contains "/host"))
output: >
通过特权操作尝试容器逃逸
(user=%user.name container=%container.name image=%container.image.repository
command=%proc.cmdline pid=%proc.pid %container.info)
priority: CRITICAL
tags: [container, escape, T1611]
# 检测从容器访问 Docker socket
- rule: Container Access to Docker Socket
desc: 检测容器读/写 Docker socket
condition: >
(open_read or open_write) and container and
fd.name = /var/run/docker.sock
output: >
从容器访问了 Docker socket
(user=%user.name container=%container.name image=%container.image.repository
fd=%fd.name command=%proc.cmdline %container.info)
priority: CRITICAL
tags: [container, escape, docker_socket]
# 检测对敏感 proc 文件系统的访问
- rule: Container Access to Sensitive Proc Paths
desc: 检测容器访问主机敏感的 proc 路径
condition: >
open_read and container and
(fd.name startswith /proc/sysrq-trigger or
fd.name startswith /proc/kcore or
fd.name startswith /proc/kmsg or
fd.name startswith /proc/kallsyms or
fd.name startswith /sys/kernel)
output: >
从容器访问了敏感的 proc/sys 路径
(user=%user.name container=%container.name path=%fd.name
command=%proc.cmdline %container.info)
priority: CRITICAL
tags: [container, escape, proc_access]
# 检测 cgroup 逃逸技术
- rule: Container Cgroup Escape Attempt
desc: 检测写入 cgroup release_agent(逃逸技术)
condition: >
open_write and container and
(fd.name contains release_agent or
fd.name contains notify_on_release)
output: >
检测到 cgroup 逃逸尝试
(user=%user.name container=%container.name path=%fd.name
command=%proc.cmdline %container.info)
priority: CRITICAL
tags: [container, escape, cgroup]
# 检测从容器加载内核模块
- rule: Container Loading Kernel Module
desc: 检测容器尝试加载内核模块
condition: >
spawned_process and container and
(proc.name in (modprobe, insmod, rmmod) or
(evt.type = init_module or evt.type = finit_module))
output: >
从容器尝试加载内核模块
(user=%user.name container=%container.name command=%proc.cmdline
%container.info)
priority: CRITICAL
tags: [container, escape, kernel_module]
# 检测命名空间操纵
- rule: Container Namespace Manipulation
desc: 检测来自容器的 setns/unshare 系统调用
condition: >
container and (evt.type = setns or evt.type = unshare) and
not proc.name in (containerd-shim, runc)
output: >
来自容器的命名空间操纵
(user=%user.name container=%container.name syscall=%evt.type
command=%proc.cmdline %container.info)
priority: CRITICAL
tags: [container, escape, namespace]
# 检测来自容器的挂载操作
- rule: Container Mount Sensitive Filesystem
desc: 检测容器挂载主机文件系统
condition: >
spawned_process and container and proc.name = mount and
(proc.args contains "/dev/" or proc.args contains "proc" or
proc.args contains "sysfs")
output: >
来自容器的敏感挂载操作
(user=%user.name container=%container.name command=%proc.cmdline
%container.info)
priority: HIGH
tags: [container, escape, mount]
```
### 步骤 3:配置 Seccomp Profile 防止逃逸
```json
{
"defaultAction": "SCMP_ACT_ERRNO",
"archMap": [
{ "architecture": "SCMP_ARCH_X86_64", "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"] }
],
"syscalls": [
{
"names": [
"read", "write", "open", "close", "stat", "fstat", "lstat",
"poll", "lseek", "mmap", "mprotect", "munmap", "brk",
"rt_sigaction", "rt_sigprocmask", "ioctl", "access",
"pipe", "select", "sched_yield", "dup", "dup2",
"nanosleep", "getpid", "socket", "connect", "accept",
"sendto", "recvfrom", "bind", "listen", "getsockname",
"getpeername", "socketpair", "setsockopt", "getsockopt",
"clone", "fork", "vfork", "execve", "exit", "wait4",
"kill", "getuid", "getgid", "geteuid", "getegid",
"epoll_create", "epoll_wait", "epoll_ctl", "epoll_create1",
"futex", "set_tid_address", "set_robust_list",
"openat", "newfstatat", "readlinkat", "fchownat",
"clock_gettime", "clock_getres", "clock_nanosleep",
"getrandom", "memfd_create", "statx", "rseq"
],
"action": "SCMP_ACT_ALLOW"
},
{
"names": ["unshare", "setns", "mount", "umount2", "pivot_root",
"init_module", "finit_module", "delete_module",
"kexec_load", "kexec_file_load", "ptrace",
"reboot", "swapon", "swapoff", "sethostname",
"setdomainname", "keyctl", "bpf"],
"action": "SCMP_ACT_LOG",
"comment": "记录逃逸相关系统调用用于检测"
}
]
}
```
### 步骤 4:容器逃逸审计规则
```bash
# /etc/audit/rules.d/container-escape.rules
# 监控命名空间操作
-a always,exit -F arch=b64 -S setns -S unshare -k container_escape
-a always,exit -F arch=b64 -S mount -S umount2 -k container_mount
-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k kernel_module
-a always,exit -F arch=b64 -S ptrace -k process_trace
# 监控敏感路径
-w /var/run/docker.sock -p rwxa -k docker_socket
-w /proc/sysrq-trigger -p w -k sysrq
-w /proc/kcore -p r -k kcore_read
# 监控容器运行时
-w /usr/bin/runc -p x -k container_runtime
-w /usr/bin/containerd -p x -k container_runtime
-w /usr/bin/docker -p x -k container_runtime
```
### 步骤 5:实时告警流水线
```yaml
# 用于告警路由的 Falcosidekick 配置
config:
slack:
webhookurl: "https://hooks.slack.com/services/xxx"
minimumpriority: "critical"
messageformat: |
*容器逃逸告警*
规则: {{ .Rule }}
优先级: {{ .Priority }}
输出: {{ .Output }}
elasticsearch:
hostport: "https://elasticsearch:9200"
index: "falco-alerts"
minimumpriority: "warning"
pagerduty:
routingkey: "xxxx"
minimumpriority: "critical"
```
## 验证命令
```bash
# 使用事件生成器测试 Falco 规则
kubectl run falco-event-generator \
--image=falcosecurity/event-generator \
--restart=Never \
-- run syscall --action PtraceAttachContainer
# 检查 Falco 告警
kubectl logs -n falco-system -l app.kubernetes.io/name=falco --tail=50
# 验证 seccomp profile 已加载
docker inspect --format '{{.HostConfig.SecurityOpt}}' <container-id>
# 检查审计日志中的逃逸相关事件
ausearch -k container_escape --interpret
```
## 参考资料
- [Falco 运行时安全](https://falco.org/docs/)
- [容器逃逸技术 - HackTricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation)
- [MITRE ATT&CK T1611 - 逃逸到主机](https://attack.mitre.org/techniques/T1611/)
- [Sysdig 容器安全](https://sysdig.com/products/secure/)Related Skills
securing-container-registry-with-harbor
Harbor 是一个开源容器镜像仓库,提供安全功能包括漏洞扫描(集成 Trivy)、镜像签名(Notary/Cosign)、RBAC、内容信任策略(Content Trust)、复制和审计日志。配置这些功能以强制执行镜像来源验证、防止有漏洞镜像部署并维护仓库访问控制。
securing-container-registry-images
通过使用 Trivy 和 Grype 实施漏洞扫描、使用 Cosign 和 Sigstore 强制执行镜像签名、配置镜像仓库访问控制,以及构建阻止部署未扫描或未签名镜像的 CI/CD 流水线,来保护容器仓库(Container Registry)中的镜像安全。
scanning-containers-with-trivy-in-cicd
本技能涵盖将 Aqua Security 的 Trivy 扫描器集成到 CI/CD 流水线中,用于全面的容器镜像漏洞检测。包括扫描 Docker 镜像中的操作系统包和应用依赖 CVE、检测 Dockerfile 中的错误配置、扫描文件系统和 Git 仓库,以及建立基于严重性的质量门禁以阻止有漏洞的镜像部署。
scanning-container-images-with-grype
使用 Anchore Grype 扫描容器镜像的已知漏洞(Vulnerability),支持基于 SBOM 的匹配和可配置的严重性阈值。
performing-container-security-scanning-with-trivy
使用 Aqua Security Trivy 扫描容器镜像、文件系统和 Kubernetes 清单,检测漏洞(Vulnerability)、错误配置、暴露的密钥和许可证合规问题,并生成 SBOM(Software Bill of Materials,软件物料清单)及集成到 CI/CD 流水线。
performing-container-image-hardening
本技能涵盖通过最小化攻击面、移除不必要软件包、实施多阶段构建、配置非 root 用户, 以及应用 CIS Docker 基准建议来加固容器镜像,生成安全的生产就绪镜像。
performing-container-escape-detection
通过分析命名空间配置、特权容器检查、危险能力分配和宿主机路径挂载,使用 kubernetes Python 客户端检测容器逃逸尝试。识别通过 cgroup 滥用的 CVE-2022-0492 类型逃逸。 适用于审计容器安全态势或调查逃逸尝试。
implementing-container-network-policies-with-calico
使用 Calico CNI 网络策略和全局网络策略实施 Kubernetes 网络分段,控制 Pod 间流量、限制出口流量并实现零信任微分段。
implementing-container-image-minimal-base-with-distroless
通过在 Google distroless 基础镜像上构建应用镜像来减少容器攻击面,这些镜像仅包含应用运行时,没有 shell、包管理器或不必要的 OS 工具。
implementing-aqua-security-for-container-scanning
部署 Aqua Security 的 Trivy 扫描器,在 CI/CD 管道和镜像仓库中检测容器镜像的漏洞、配置错误、敏感信息和许可证问题。
hardening-docker-containers-for-production
对生产环境 Docker 容器进行安全加固,涵盖符合 CIS Docker Benchmark v1.8.0 的安全最佳实践,旨在最小化攻击面、防止权限提升,并在 Docker daemon、镜像、容器和运行时配置中强制执行最小权限原则
detecting-wmi-persistence
通过分析 Sysmon 事件 ID 19、20 和 21 中的恶意 EventFilter、EventConsumer 和 FilterToConsumerBinding 创建,检测 WMI 事件订阅持久化。