Detects runtime threats in containers and Kubernetes using Falco YAML rules, monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege escalations. Manages rules via gRPC API and parses alerts.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Deploys and manages Falco rules in containerized environments for runtime security detection, and parses Falco alerts for incident response.
Deploys and manages Falco YAML rules via gRPC API for runtime threat detection in Kubernetes and containers, monitoring syscalls for shell spawns, file tampering, and privilege escalations. Parses alerts for forensics.
Deploys and manages Falco YAML rules for runtime threat detection in Kubernetes and containers via syscall monitoring; parses alerts with the gRPC API and Python for forensics and incident response.
Detects container escape attempts using Falco runtime security rules in Kubernetes or Docker, monitoring syscalls, host filesystem mounts, nsenter, and privileged containers.
Key detection rule:

```yaml
# Custom Falco rule: detect a shell spawned inside a container.
# `spawned_process` and `container` are macros defined in the default
# falco_rules.yaml, so that file must be loaded alongside this one.
- rule: Shell Spawned in Container
  desc: Detect a shell process started inside a container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash, csh)
    and not proc.pname in (docker-entrypo, supervisord)
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```
# Run Falco with the custom rules. `-r` replaces the rules files from falco.yaml,
# so the default rules (which define the spawned_process and container macros)
# must be passed explicitly as well, before the custom file.
# JSON output is written to a file so it can be parsed later.
falco -r /etc/falco/falco_rules.yaml -r /etc/falco/custom_rules.yaml \
  -o json_output=true \
  -o file_output.enabled=true -o file_output.filename=/var/log/falco/alerts.json
# Parse the JSON alerts (one JSON object per line) and print the human-readable output field
python3 -c "import json,sys; [print(json.loads(l)['output']) for l in sys.stdin if l.strip()]" < /var/log/falco/alerts.json
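The one-liner above only prints the `output` string; for incident response you usually want the structured `output_fields`, a priority cutoff, and a per-container view. The following is an added example (not part of the skill or of Falco itself) of a small alert parser in Python. The alert lines are constructed to match the field names Falco emits with `json_output=true` (`time`, `priority`, `rule`, `output`, `output_fields`, `tags`); the events, container names and the last rule name are made up for the example. It also skips the half-written line you get when tailing a file Falco is still appending to, which the one-liner would choke on.

```python
"""Parse Falco JSON alerts (one object per line) for triage."""
import json
import sys
from collections import Counter, defaultdict

# Falco priorities, most to least severe.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]
_RANK = {p: i for i, p in enumerate(PRIORITIES)}

# Constructed sample alerts (not real captures). Keys follow Falco's JSON
# output format; the last line imitates a record that was still being
# written when the file was read.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"time": "2024-01-01T10:00:00.000000000Z", "priority": "Warning",
                "rule": "Shell Spawned in Container",
                "output": "Shell spawned in container (user=root command=bash -i ...)",
                "output_fields": {"user.name": "root", "proc.cmdline": "bash -i",
                                  "container.name": "web-1",
                                  "container.image.repository": "nginx"},
                "tags": ["container", "shell", "mitre_execution"]}),
    json.dumps({"time": "2024-01-01T10:00:05.000000000Z", "priority": "Warning",
                "rule": "Shell Spawned in Container",
                "output": "Shell spawned in container (user=root command=sh -c id ...)",
                "output_fields": {"user.name": "root", "proc.cmdline": "sh -c id",
                                  "container.name": "web-1",
                                  "container.image.repository": "nginx"},
                "tags": ["container", "shell", "mitre_execution"]}),
    json.dumps({"time": "2024-01-01T10:01:00.000000000Z", "priority": "Error",
                "rule": "Write below etc",
                "output": "File below /etc opened for writing (...)",
                "output_fields": {"user.name": "root",
                                  "proc.cmdline": "touch /etc/ld.so.preload",
                                  "container.name": "db-0",
                                  "container.image.repository": "postgres"},
                "tags": ["filesystem", "mitre_persistence"]}),
    json.dumps({"time": "2024-01-01T10:02:00.000000000Z", "priority": "Notice",
                "rule": "Example Notice Rule",  # hypothetical rule name
                "output": "Informational event (...)",
                "output_fields": {"user.name": "app", "proc.cmdline": "curl -s http://svc",
                                  "container.name": "api-2",
                                  "container.image.repository": "api"},
                "tags": ["network"]}),
    '{"time": "2024-01-01T10:03:00.000000000Z", "priority": "Warn',  # truncated
])


def parse_alerts(text):
    """Return the alerts that parse cleanly; skip blank and malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or junk; do not abort the whole run
        if isinstance(obj, dict) and "rule" in obj and "priority" in obj:
            alerts.append(obj)
    return alerts


def at_least(alerts, min_priority):
    """Keep alerts at min_priority or more severe (unknown priorities dropped)."""
    cutoff = _RANK[min_priority]
    return [a for a in alerts if _RANK.get(a["priority"], len(PRIORITIES)) <= cutoff]


def by_container(alerts):
    """Group (rule, command) pairs by container name; host events go under 'host'."""
    grouped = defaultdict(list)
    for a in alerts:
        fields = a.get("output_fields", {})
        name = fields.get("container.name") or "host"
        grouped[name].append((a["rule"], fields.get("proc.cmdline", "")))
    return dict(grouped)


def rule_counts(alerts):
    """Count how often each rule fired, for a quick noise check."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    # Usage: python3 falco_triage.py < /var/log/falco/alerts.json
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALERTS
    alerts = at_least(parse_alerts(text), "Warning")
    for container, events in by_container(alerts).items():
        print(container)
        for rule, cmd in events:
            print(f"  {rule}: {cmd}")
    print(dict(rule_counts(alerts)))
```

Run it against a live file with `python3 falco_triage.py < /var/log/falco/alerts.json`; with no stdin it walks the constructed sample. Tightening the cutoff to `"Error"` is the usual first step when the shell rule is noisy in a given cluster, and `rule_counts` shows which rules are worth tuning with an extra `not proc.pname in (...)` exception.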