Deploy and manage Falco rules for runtime security detection in containerized environments. Parse Falco alerts for incident response.
Key detection rules:
# Custom Falco rule for detecting shell in container
- rule: Shell Spawned in Container
  desc: Detect shell process started in a container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash, csh)
    and not proc.pname in (docker-entrypo, supervisord)
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
# Run Falco with custom rules
falco -r /etc/falco/custom_rules.yaml -o json_output=true
# Parse JSON alerts (one JSON object per line) and print the human-readable output field
python3 -c 'import json,sys; [print(json.loads(l)["output"]) for l in sys.stdin if l.strip()]' < /var/log/falco/alerts.json
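Beyond printing the output string, a responder usually wants alerts grouped per affected container. The following Python is an added example, not part of the original notes or of Falco itself; the alert lines are constructed to match the json_output=true format (rule, priority, output_fields, tags) and the rule above, and the parser tolerates the malformed or partially written lines that occur in a live log.

```python
import json
from collections import defaultdict

# Constructed sample of Falco JSON alert lines (json_output=true); not real captures.
# The third line simulates a truncated write at the tail of a live log file.
SAMPLE_ALERTS = """\
{"output":"Shell spawned in container (user=root command=bash container=web-1 image=nginx)","priority":"Warning","rule":"Shell Spawned in Container","time":"2024-05-01T10:00:00.000000000Z","output_fields":{"container.image.repository":"nginx","container.name":"web-1","proc.cmdline":"bash","user.name":"root"},"tags":["container","shell","mitre_execution"]}
{"output":"Shell spawned in container (user=app command=sh -c id container=web-1 image=nginx)","priority":"Warning","rule":"Shell Spawned in Container","time":"2024-05-01T10:00:05.000000000Z","output_fields":{"container.image.repository":"nginx","container.name":"web-1","proc.cmdline":"sh -c id","user.name":"app"},"tags":["container","shell","mitre_execution"]}
{"output":"Shell spawned in container (user=root command=zsh cont
{"output":"Shell spawned in container (user=root command=zsh container=db-1 image=postgres)","priority":"Warning","rule":"Shell Spawned in Container","time":"2024-05-01T10:01:00.000000000Z","output_fields":{"container.image.repository":"postgres","container.name":"db-1","proc.cmdline":"zsh","user.name":"root"},"tags":["container","shell","mitre_execution"]}
"""


def parse_alerts(lines):
    """Parse newline-delimited Falco JSON alerts, skipping blank or malformed lines
    and any object that lacks the fields the triage step relies on."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort the whole run
        if isinstance(alert, dict) and "rule" in alert and "output_fields" in alert:
            alerts.append(alert)
    return alerts


def triage(alerts):
    """Group alerts by container so the responder sees one row per affected
    workload: how many shells, which users, which command lines, which image."""
    by_container = defaultdict(lambda: {"count": 0, "users": set(), "commands": [], "image": None})
    for alert in alerts:
        f = alert["output_fields"]
        entry = by_container[f.get("container.name", "<unknown>")]
        entry["count"] += 1
        entry["users"].add(f.get("user.name", "<unknown>"))
        entry["commands"].append(f.get("proc.cmdline", ""))
        entry["image"] = f.get("container.image.repository")
    return dict(by_container)


if __name__ == "__main__":
    for name, info in triage(parse_alerts(SAMPLE_ALERTS.splitlines())).items():
        print(f"{name} ({info['image']}): {info['count']} shell(s), users={sorted(info['users'])}, cmds={info['commands']}")
```

To run it against a real log, replace the sample with `open("/var/log/falco/alerts.json")` as the `lines` argument.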