detecting-container-escape-with-falco-rules

使用 Falco 规则检测容器逃逸

概述

Falco 是一个 CNCF 毕业的运行时安全工具，通过监控 Linux 系统调用来检测异常的容器行为。它使用规则引擎来识别容器逃逸技术，例如挂载主机文件系统、访问敏感主机路径、加载内核模块以及利用特权容器能力。

前提条件

• 内核 5.8+（用于 eBPF 驱动）或支持内核模块的 Linux 主机
• Kubernetes 集群（v1.24+）或独立的 Docker/containerd
• 用于 Kubernetes 部署的 Helm 3
• 驱动安装需要 Root 或特权访问

安装 Falco

使用 Helm 部署到 Kubernetes

# 添加 Falco Helm chart
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

# 使用 eBPF 驱动安装 Falco
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set driver.kind=ebpf \
  --set collectors.containerd.enabled=true \
  --set collectors.containerd.socket=/run/containerd/containerd.sock

# 验证
kubectl get pods -n falco
kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=20

独立安装（Debian/Ubuntu）

# 添加 Falco GPG 密钥和仓库
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
  sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg

echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
  sudo tee /etc/apt/sources.list.d/falcosecurity.list

sudo apt-get update
sudo apt-get install -y falco

# 启动 Falco
sudo systemctl enable falco
sudo systemctl start falco

容器逃逸检测规则

规则 1：检测来自容器的主机挂载

- rule: Container Mounting Host Filesystem
  desc: 检测容器尝试挂载主机文件系统
  condition: >
    spawned_process and container and
    proc.name = mount and
    (proc.args contains "/host" or proc.args contains "nsenter")
  output: >
    容器正在挂载主机文件系统
    (user=%user.name container_id=%container.id container_name=%container.name
     image=%container.image.repository command=%proc.cmdline %evt.args)
  priority: CRITICAL
  tags: [container, escape, T1611]

规则 2：检测 nsenter 使用（命名空间逃逸）

- rule: Nsenter Execution in Container
  desc: 检测使用 nsenter 逃逸容器命名空间
  condition: >
    spawned_process and container and proc.name = nsenter
  output: >
    容器中执行了 nsenter - 潜在的逃逸尝试
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline parent=%proc.pname)
  priority: CRITICAL
  tags: [container, escape, namespace, T1611]

规则 3：检测特权容器启动

- rule: Launch Privileged Container
  desc: 检测特权容器被启动
  condition: >
    container_started and container and container.privileged=true
  output: >
    已启动特权容器
    (user=%user.name container_id=%container.id container_name=%container.name
     image=%container.image.repository)
  priority: WARNING
  tags: [container, privileged, T1610]

规则 4：检测写入 /proc/sysrq-trigger

- rule: Write to Sysrq Trigger
  desc: 检测写入 /proc/sysrq-trigger，这可能使主机崩溃或被控制
  condition: >
    open_write and container and fd.name = /proc/sysrq-trigger
  output: >
    从容器写入 /proc/sysrq-trigger
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, host-manipulation]

规则 5：检测从容器加载内核模块

- rule: Container Loading Kernel Module
  desc: 检测容器尝试加载内核模块
  condition: >
    spawned_process and container and
    (proc.name in (insmod, modprobe) or
     (proc.name = init_module))
  output: >
    从容器加载内核模块
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, kernel, T1611]

规则 6：检测通过 cgroups 的容器突破

- rule: Write to Cgroup Release Agent
  desc: 检测写入 cgroup release_agent，这是已知的容器逃逸向量
  condition: >
    open_write and container and
    fd.name endswith release_agent
  output: >
    容器写入 cgroup release_agent - 逃逸尝试
    (user=%user.name container_id=%container.id image=%container.image.repository
     file=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, cgroup, CVE-2022-0492]

规则 7：检测访问主机 /etc/shadow

- rule: Container Reading Host Shadow File
  desc: 检测容器通过挂载卷读取主机上的 /etc/shadow
  condition: >
    open_read and container and
    (fd.name = /etc/shadow or fd.name startswith /host/etc/shadow)
  output: >
    容器正在读取主机 shadow 文件
    (user=%user.name container_id=%container.id image=%container.image.repository
     file=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, credential-access, T1003]

规则 8：检测 Docker Socket 访问

- rule: Container Accessing Docker Socket
  desc: 检测容器访问 Docker socket，这允许控制主机
  condition: >
    (open_read or open_write) and container and
    fd.name = /var/run/docker.sock
  output: >
    容器正在访问 Docker socket
    (user=%user.name container_id=%container.id image=%container.image.repository
     command=%proc.cmdline)
  priority: CRITICAL
  tags: [container, escape, docker-socket, T1610]

完整的自定义规则文件

# /etc/falco/rules.d/container-escape.yaml
- list: escape_binaries
  items: [nsenter, chroot, unshare, mount, umount, pivot_root]

- macro: container_escape_attempt
  condition: >
    spawned_process and container and
    proc.name in (escape_binaries)

- rule: Container Escape Binary Execution
  desc: 检测执行通常用于容器逃逸的二进制文件
  condition: container_escape_attempt
  output: >
    容器中执行了逃逸相关二进制文件
    (user=%user.name container=%container.name image=%container.image.repository
     command=%proc.cmdline parent=%proc.pname pid=%proc.pid)
  priority: CRITICAL
  tags: [container, escape, mitre_T1611]

- rule: Sensitive File Access from Container
  desc: 检测容器访问敏感主机文件
  condition: >
    (open_read or open_write) and container and
    (fd.name startswith /proc/1/ or
     fd.name = /etc/shadow or
     fd.name = /etc/kubernetes/admin.conf or
     fd.name startswith /var/lib/kubelet/)
  output: >
    从容器访问了敏感文件
    (container=%container.name image=%container.image.repository
     file=%fd.name command=%proc.cmdline user=%user.name)
  priority: CRITICAL
  tags: [container, sensitive-file, mitre_T1005]

Falco 配置

# /etc/falco/falco.yaml（关键设置）
rules_files:
  - /etc/falco/falco_rules.yaml
  - /etc/falco/rules.d/container-escape.yaml

json_output: true
json_include_output_property: true
json_include_tags_property: true

log_stderr: true
log_syslog: true
log_level: info

priority: WARNING

stdout_output:
  enabled: true

syslog_output:
  enabled: true

http_output:
  enabled: true
  url: http://falcosidekick:2801
  insecure: true

grpc:
  enabled: true
  bind_address: "unix:///run/falco/falco.sock"
  threadiness: 8

grpc_output:
  enabled: true

告警集成

通过 Falcosidekick 转发到 Slack

# Falcosidekick values.yaml
config:
  slack:
    webhookurl: "https://hooks.slack.com/services/XXXXX"
    minimumpriority: "warning"
    messageformat: |
      *{{.Priority}}* - {{.Rule}}
      容器: {{.OutputFields.container_name}}
      镜像: {{.OutputFields.container_image_repository}}
      命令: {{.OutputFields.proc_cmdline}}

测试规则

# 模拟容器逃逸尝试（在测试容器中）
kubectl run test-escape --image=alpine --restart=Never -- sh -c "cat /etc/shadow"

# 模拟 nsenter
kubectl run test-nsenter --image=alpine --restart=Never --overrides='{"spec":{"hostPID":true}}' -- nsenter -t 1 -m -u -i -n -- cat /etc/hostname

# 检查 Falco 告警
kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50 | grep -i escape

最佳实践

1. 将 Falco 部署为 DaemonSet 以确保所有节点都有覆盖
2. 使用 eBPF 驱动 而非内核模块，操作更安全
3. 从默认规则开始（maturity_stable），然后添加自定义规则
4. 通过 Falcosidekick 转发告警 到 SIEM/SOAR
5. 用 MITRE ATT&CK 技术 ID 标记规则以进行关联
6. 在宽松模式下测试规则，再进行强制执行
7. 调整误报，为已知的正常进程添加例外列表
8. 使用 Prometheus 指标端点监控 Falco 健康状态