detecting-container-escape-with-falco-rules

使用 Falco 运行时安全规则实时检测容器逃逸尝试,监控系统调用、文件访问和权限提升。

9 stars

Best use case

detecting-container-escape-with-falco-rules is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用 Falco 运行时安全规则实时检测容器逃逸尝试,监控系统调用、文件访问和权限提升。

Teams using detecting-container-escape-with-falco-rules should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/detecting-container-escape-with-falco-rules/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/detecting-container-escape-with-falco-rules/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/detecting-container-escape-with-falco-rules/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How detecting-container-escape-with-falco-rules Compares

Feature / Agentdetecting-container-escape-with-falco-rulesStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用 Falco 运行时安全规则实时检测容器逃逸尝试,监控系统调用、文件访问和权限提升。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Falco 规则检测容器逃逸

## 概述

Falco 是一个 CNCF 毕业的运行时安全工具,通过监控 Linux 系统调用来检测异常的容器行为。它使用规则引擎来识别容器逃逸技术,例如挂载主机文件系统、访问敏感主机路径、加载内核模块以及利用特权容器能力。

## 前提条件

- 内核 5.8+(用于 eBPF 驱动)或支持内核模块的 Linux 主机
- Kubernetes 集群(v1.24+)或独立的 Docker/containerd
- 用于 Kubernetes 部署的 Helm 3
- 驱动安装需要 Root 或特权访问

## 安装 Falco

### 使用 Helm 部署到 Kubernetes

```bash
# 添加 Falco Helm chart
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

# 使用 eBPF 驱动安装 Falco
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set driver.kind=ebpf \
  --set collectors.containerd.enabled=true \
  --set collectors.containerd.socket=/run/containerd/containerd.sock

# 验证
kubectl get pods -n falco
kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=20
```

### 独立安装(Debian/Ubuntu)

```bash
# 添加 Falco GPG 密钥和仓库
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
  sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
  sudo tee /etc/apt/sources.list.d/falcosecurity.list

sudo apt-get update
sudo apt-get install -y falco

# 启动 Falco
sudo systemctl enable falco
sudo systemctl start falco
```

## 容器逃逸检测规则

### 规则 1:检测来自容器的主机挂载

```yaml
- rule: Container Mounting Host Filesystem
  desc: 检测容器尝试挂载主机文件系统
  condition: >
    spawned_process and container and
    proc.name = mount and
    (proc.args contains "/host" or proc.args contains "nsenter")
  output: >
    容器正在挂载主机文件系统
    (user=%user.name container_id=%container.id container_name=%container.name
     image=%container.image.repository command=%proc.cmdline %evt.args)
  priority: CRITICAL
  tags: [container, escape, T1611]
```

### 规则 2:检测 nsenter 使用(命名空间逃逸)

```yaml
- rule: Nsenter Execution in Container
  desc: 检测使用 nsenter 逃逸容器命名空间
  condition: >
    spawned_process and container and proc.name = nsenter
  output: >
    容器中执行了 nsenter - 潜在的逃逸尝试
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline parent=%proc.pname)
  priority: CRITICAL
  tags: [container, escape, namespace, T1611]
```

### 规则 3:检测特权容器启动

```yaml
- rule: Launch Privileged Container
  desc: 检测特权容器被启动
  condition: >
    container_started and container and container.privileged=true
  output: >
    已启动特权容器
    (user=%user.name container_id=%container.id container_name=%container.name
     image=%container.image.repository)
  priority: WARNING
  tags: [container, privileged, T1610]
```

### 规则 4:检测写入 /proc/sysrq-trigger

```yaml
- rule: Write to Sysrq Trigger
  desc: 检测写入 /proc/sysrq-trigger,这可能使主机崩溃或被控制
  condition: >
    open_write and container and fd.name = /proc/sysrq-trigger
  output: >
    从容器写入 /proc/sysrq-trigger
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, host-manipulation]
```

### 规则 5:检测从容器加载内核模块

```yaml
- rule: Container Loading Kernel Module
  desc: 检测容器尝试加载内核模块
  condition: >
    spawned_process and container and
    (proc.name in (insmod, modprobe) or
     (proc.name = init_module))
  output: >
    从容器加载内核模块
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, kernel, T1611]
```

### 规则 6:检测通过 cgroups 的容器突破

```yaml
- rule: Write to Cgroup Release Agent
  desc: 检测写入 cgroup release_agent,这是已知的容器逃逸向量
  condition: >
    open_write and container and
    fd.name endswith release_agent
  output: >
    容器写入 cgroup release_agent - 逃逸尝试
    (user=%user.name container_id=%container.id image=%container.image.repository
     file=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, cgroup, CVE-2022-0492]
```

### 规则 7:检测访问主机 /etc/shadow

```yaml
- rule: Container Reading Host Shadow File
  desc: 检测容器通过挂载卷读取主机上的 /etc/shadow
  condition: >
    open_read and container and
    (fd.name = /etc/shadow or fd.name startswith /host/etc/shadow)
  output: >
    容器正在读取主机 shadow 文件
    (user=%user.name container_id=%container.id image=%container.image.repository
     file=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, credential-access, T1003]
```

### 规则 8:检测 Docker Socket 访问

```yaml
- rule: Container Accessing Docker Socket
  desc: 检测容器访问 Docker socket,这允许控制主机
  condition: >
    (open_read or open_write) and container and
    fd.name = /var/run/docker.sock
  output: >
    容器正在访问 Docker socket
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, docker-socket, T1610]
```

## 完整的自定义规则文件

```yaml
# /etc/falco/rules.d/container-escape.yaml
- list: escape_binaries
  items: [nsenter, chroot, unshare, mount, umount, pivot_root]

- macro: container_escape_attempt
  condition: >
    spawned_process and container and
    proc.name in (escape_binaries)

- rule: Container Escape Binary Execution
  desc: 检测执行通常用于容器逃逸的二进制文件
  condition: container_escape_attempt
  output: >
    容器中执行了逃逸相关二进制文件
    (user=%user.name container=%container.name image=%container.image.repository
     command=%proc.cmdline parent=%proc.pname pid=%proc.pid)
  priority: CRITICAL
  tags: [container, escape, mitre_T1611]

- rule: Sensitive File Access from Container
  desc: 检测容器访问敏感主机文件
  condition: >
    (open_read or open_write) and container and
    (fd.name startswith /proc/1/ or
     fd.name = /etc/shadow or
     fd.name = /etc/kubernetes/admin.conf or
     fd.name startswith /var/lib/kubelet/)
  output: >
    从容器访问了敏感文件
    (container=%container.name image=%container.image.repository
     file=%fd.name command=%proc.cmdline user=%user.name)
  priority: CRITICAL
  tags: [container, sensitive-file, mitre_T1005]
```

## Falco 配置

```yaml
# /etc/falco/falco.yaml(关键设置)
rules_files:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/rules.d/container-escape.yaml

json_output: true
json_include_output_property: true
json_include_tags_property: true

log_stderr: true
log_syslog: true
log_level: info

priority: WARNING

stdout_output:
  enabled: true

syslog_output:
  enabled: true

http_output:
  enabled: true
  url: http://falcosidekick:2801
  insecure: true

grpc:
  enabled: true
  bind_address: "unix:///run/falco/falco.sock"
  threadiness: 8

grpc_output:
  enabled: true
```

## 告警集成

### 通过 Falcosidekick 转发到 Slack

```yaml
# Falcosidekick values.yaml
config:
  slack:
    webhookurl: "https://hooks.slack.com/services/XXXXX"
    minimumpriority: "warning"
    messageformat: |
      *{{.Priority}}* - {{.Rule}}
      容器: {{.OutputFields.container_name}}
      镜像: {{.OutputFields.container_image_repository}}
      命令: {{.OutputFields.proc_cmdline}}
```

## 测试规则

```bash
# 模拟容器逃逸尝试(在测试容器中)
kubectl run test-escape --image=alpine --restart=Never -- sh -c "cat /etc/shadow"

# 模拟 nsenter
kubectl run test-nsenter --image=alpine --restart=Never --overrides='{"spec":{"hostPID":true}}' -- nsenter -t 1 -m -u -i -n -- cat /etc/hostname

# 检查 Falco 告警
kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50 | grep -i escape
```

## 最佳实践

1. **将 Falco 部署为 DaemonSet** 以确保所有节点都有覆盖
2. **使用 eBPF 驱动** 而非内核模块,操作更安全
3. **从默认规则开始**(maturity_stable),然后添加自定义规则
4. **通过 Falcosidekick 转发告警** 到 SIEM/SOAR
5. **用 MITRE ATT&CK** 技术 ID 标记规则以进行关联
6. **在宽松模式下测试规则**,再进行强制执行
7. **调整误报**,为已知的正常进程添加例外列表
8. **使用 Prometheus 指标端点监控 Falco 健康状态**

Related Skills

securing-container-registry-with-harbor

9
from killvxk/cybersecurity-skills-zh

Harbor 是一个开源容器镜像仓库,提供安全功能包括漏洞扫描(集成 Trivy)、镜像签名(Notary/Cosign)、RBAC、内容信任策略(Content Trust)、复制和审计日志。配置这些功能以强制执行镜像来源验证、防止有漏洞镜像部署并维护仓库访问控制。

securing-container-registry-images

9
from killvxk/cybersecurity-skills-zh

通过使用 Trivy 和 Grype 实施漏洞扫描、使用 Cosign 和 Sigstore 强制执行镜像签名、配置镜像仓库访问控制,以及构建阻止部署未扫描或未签名镜像的 CI/CD 流水线,来保护容器仓库(Container Registry)中的镜像安全。

scanning-containers-with-trivy-in-cicd

9
from killvxk/cybersecurity-skills-zh

本技能涵盖将 Aqua Security 的 Trivy 扫描器集成到 CI/CD 流水线中,用于全面的容器镜像漏洞检测。包括扫描 Docker 镜像中的操作系统包和应用依赖 CVE、检测 Dockerfile 中的错误配置、扫描文件系统和 Git 仓库,以及建立基于严重性的质量门禁以阻止有漏洞的镜像部署。

scanning-container-images-with-grype

9
from killvxk/cybersecurity-skills-zh

使用 Anchore Grype 扫描容器镜像的已知漏洞(Vulnerability),支持基于 SBOM 的匹配和可配置的严重性阈值。

performing-threat-hunting-with-yara-rules

9
from killvxk/cybersecurity-skills-zh

使用 YARA 模式匹配规则在文件系统和内存转储中狩猎恶意软件、可疑文件和入侵指标。 涵盖规则编写、yara-python 扫描以及与威胁情报源的集成。

performing-container-security-scanning-with-trivy

9
from killvxk/cybersecurity-skills-zh

使用 Aqua Security Trivy 扫描容器镜像、文件系统和 Kubernetes 清单,检测漏洞(Vulnerability)、错误配置、暴露的密钥和许可证合规问题,并生成 SBOM(Software Bill of Materials,软件物料清单)及集成到 CI/CD 流水线。

performing-container-image-hardening

9
from killvxk/cybersecurity-skills-zh

本技能涵盖通过最小化攻击面、移除不必要软件包、实施多阶段构建、配置非 root 用户, 以及应用 CIS Docker 基准建议来加固容器镜像,生成安全的生产就绪镜像。

performing-container-escape-detection

9
from killvxk/cybersecurity-skills-zh

通过分析命名空间配置、特权容器检查、危险能力分配和宿主机路径挂载,使用 kubernetes Python 客户端检测容器逃逸尝试。识别通过 cgroup 滥用的 CVE-2022-0492 类型逃逸。 适用于审计容器安全态势或调查逃逸尝试。

performing-cloud-native-forensics-with-falco

9
from killvxk/cybersecurity-skills-zh

使用 Falco YAML 规则在容器和 Kubernetes 中进行运行时威胁检测,监控系统调用以检测 shell 生成、文件篡改、网络异常和权限提升。通过 Falco gRPC API 管理 Falco 规则并解析 Falco 告警输出。适用于构建容器运行时安全或调查 k8s 集群入侵。

implementing-siem-correlation-rules-for-apt

9
from killvxk/cybersecurity-skills-zh

编写多事件关联规则,通过链接跨主机的 Windows 身份验证事件、进程执行遥测和网络连接日志, 检测高级持续性威胁(APT)的横向移动。使用 Splunk SPL 和 Sigma 规则格式, 在滑动时间窗口内关联事件 ID 4624、4648、4688 和 Sysmon 事件 1/3, 以发现单一事件检测无法识别的攻击序列。

implementing-semgrep-for-custom-sast-rules

9
from killvxk/cybersecurity-skills-zh

使用 YAML 编写自定义 Semgrep SAST 规则,以检测应用程序特定漏洞、执行编码标准并集成到 CI/CD 管道中。

implementing-gcp-vpc-firewall-rules

9
from killvxk/cybersecurity-skills-zh

实施和审计 GCP VPC 防火墙规则,强制执行网络分段,限制入站和出站流量,在整个组织范围内应用分层防火墙策略,并使用 VPC 流日志监控防火墙规则有效性。