| name | detecting-container-escape-with-falco-rules |
| description | 使用 Falco 运行时安全规则实时检测容器逃逸尝试,监控系统调用、文件访问和权限提升。 |
| domain | cybersecurity |
| subdomain | container-security |
| tags | ["falco","container-escape","runtime-security","syscall-monitoring","kubernetes","detection"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
使用 Falco 规则检测容器逃逸
概述
Falco 是一个 CNCF 毕业的运行时安全工具,通过监控 Linux 系统调用来检测异常的容器行为。它使用规则引擎来识别容器逃逸技术,例如挂载主机文件系统、访问敏感主机路径、加载内核模块以及利用特权容器能力。
前提条件
- 内核 5.8+(用于 eBPF 驱动)或支持内核模块的 Linux 主机
- Kubernetes 集群(v1.24+)或独立的 Docker/containerd
- 用于 Kubernetes 部署的 Helm 3
- 驱动安装需要 Root 或特权访问
安装 Falco
使用 Helm 部署到 Kubernetes
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
--namespace falco --create-namespace \
--set falcosidekick.enabled=true \
--set falcosidekick.webui.enabled=true \
--set driver.kind=ebpf \
--set collectors.containerd.enabled=true \
--set collectors.containerd.socket=/run/containerd/containerd.sock
kubectl get pods -n falco
kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=20
独立安装(Debian/Ubuntu)
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
sudo tee /etc/apt/sources.list.d/falcosecurity.list
sudo apt-get update
sudo apt-get install -y falco
sudo systemctl enable falco
sudo systemctl start falco
容器逃逸检测规则
规则 1:检测来自容器的主机挂载
- rule: Container Mounting Host Filesystem
desc: 检测容器尝试挂载主机文件系统
condition: >
spawned_process and container and
proc.name = mount and
(proc.args contains "/host" or proc.args contains "nsenter")
output: >
容器正在挂载主机文件系统
(user=%user.name container_id=%container.id container_name=%container.name
image=%container.image.repository command=%proc.cmdline %evt.args)
priority: CRITICAL
tags: [container, escape, T1611]
规则 2:检测 nsenter 使用(命名空间逃逸)
- rule: Nsenter Execution in Container
desc: 检测使用 nsenter 逃逸容器命名空间
condition: >
spawned_process and container and proc.name = nsenter
output: >
容器中执行了 nsenter - 潜在的逃逸尝试
(user=%user.name container_id=%container.id image=%container.image.repository
command=%proc.cmdline parent=%proc.pname)
priority: CRITICAL
tags: [container, escape, namespace, T1611]
规则 3:检测特权容器启动
- rule: Launch Privileged Container
desc: 检测特权容器被启动
condition: >
container_started and container and container.privileged=true
output: >
已启动特权容器
(user=%user.name container_id=%container.id container_name=%container.name
image=%container.image.repository)
priority: WARNING
tags: [container, privileged, T1610]
规则 4:检测写入 /proc/sysrq-trigger
- rule: Write to Sysrq Trigger
desc: 检测写入 /proc/sysrq-trigger,这可能使主机崩溃或被控制
condition: >
open_write and container and fd.name = /proc/sysrq-trigger
output: >
从容器写入 /proc/sysrq-trigger
(user=%user.name container_id=%container.id image=%container.image.repository
command=%proc.cmdline)
priority: CRITICAL
tags: [container, escape, host-manipulation]
规则 5:检测从容器加载内核模块
- rule: Container Loading Kernel Module
desc: 检测容器尝试加载内核模块
condition: >
spawned_process and container and
(proc.name in (insmod, modprobe) or
(proc.name = init_module))
output: >
从容器加载内核模块
(user=%user.name container_id=%container.id image=%container.image.repository
command=%proc.cmdline)
priority: CRITICAL
tags: [container, escape, kernel, T1611]
规则 6:检测通过 cgroups 的容器突破
- rule: Write to Cgroup Release Agent
desc: 检测写入 cgroup release_agent,这是已知的容器逃逸向量
condition: >
open_write and container and
fd.name endswith release_agent
output: >
容器写入 cgroup release_agent - 逃逸尝试
(user=%user.name container_id=%container.id image=%container.image.repository
file=%fd.name command=%proc.cmdline)
priority: CRITICAL
tags: [container, escape, cgroup, CVE-2022-0492]
规则 7:检测访问主机 /etc/shadow
- rule: Container Reading Host Shadow File
desc: 检测容器通过挂载卷读取主机上的 /etc/shadow
condition: >
open_read and container and
(fd.name = /etc/shadow or fd.name startswith /host/etc/shadow)
output: >
容器正在读取主机 shadow 文件
(user=%user.name container_id=%container.id image=%container.image.repository
file=%fd.name command=%proc.cmdline)
priority: CRITICAL
tags: [container, credential-access, T1003]
规则 8:检测 Docker Socket 访问
- rule: Container Accessing Docker Socket
desc: 检测容器访问 Docker socket,这允许控制主机
condition: >
(open_read or open_write) and container and
fd.name = /var/run/docker.sock
output: >
容器正在访问 Docker socket
(user=%user.name container_id=%container.id image=%container.image.repository
command=%proc.cmdline)
priority: CRITICAL
tags: [container, escape, docker-socket, T1610]
完整的自定义规则文件
- list: escape_binaries
items: [nsenter, chroot, unshare, mount, umount, pivot_root]
- macro: container_escape_attempt
condition: >
spawned_process and container and
proc.name in (escape_binaries)
- rule: Container Escape Binary Execution
desc: 检测执行通常用于容器逃逸的二进制文件
condition: container_escape_attempt
output: >
容器中执行了逃逸相关二进制文件
(user=%user.name container=%container.name image=%container.image.repository
command=%proc.cmdline parent=%proc.pname pid=%proc.pid)
priority: CRITICAL
tags: [container, escape, mitre_T1611]
- rule: Sensitive File Access from Container
desc: 检测容器访问敏感主机文件
condition: >
(open_read or open_write) and container and
(fd.name startswith /proc/1/ or
fd.name = /etc/shadow or
fd.name = /etc/kubernetes/admin.conf or
fd.name startswith /var/lib/kubelet/)
output: >
从容器访问了敏感文件
(container=%container.name image=%container.image.repository
file=%fd.name command=%proc.cmdline user=%user.name)
priority: CRITICAL
tags: [container, sensitive-file, mitre_T1005]
Falco 配置
rules_files:
- /etc/falco/falco_rules.yaml
- /etc/falco/rules.d/container-escape.yaml
json_output: true
json_include_output_property: true
json_include_tags_property: true
log_stderr: true
log_syslog: true
log_level: info
priority: WARNING
stdout_output:
enabled: true
syslog_output:
enabled: true
http_output:
enabled: true
url: http://falcosidekick:2801
insecure: true
grpc:
enabled: true
bind_address: "unix:///run/falco/falco.sock"
threadiness: 8
grpc_output:
enabled: true
告警集成
通过 Falcosidekick 转发到 Slack
config:
slack:
webhookurl: "https://hooks.slack.com/services/XXXXX"
minimumpriority: "warning"
messageformat: |
*{{.Priority}}* - {{.Rule}}
容器: {{.OutputFields.container_name}}
镜像: {{.OutputFields.container_image_repository}}
命令: {{.OutputFields.proc_cmdline}}
测试规则
kubectl run test-escape --image=alpine --restart=Never -- sh -c "cat /etc/shadow"
kubectl run test-nsenter --image=alpine --restart=Never --overrides='{"spec":{"hostPID":true}}' -- nsenter -t 1 -m -u -i -n -- cat /etc/hostname
kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50 | grep -i escape
最佳实践
- 将 Falco 部署为 DaemonSet 以确保所有节点都有覆盖
- 使用 eBPF 驱动 而非内核模块,操作更安全
- 从默认规则开始(maturity_stable),然后添加自定义规则
- 通过 Falcosidekick 转发告警 到 SIEM/SOAR
- 用 MITRE ATT&CK 技术 ID 标记规则以进行关联
- 在宽松模式下测试规则,再进行强制执行
- 调整误报,为已知的正常进程添加例外列表
- 使用 Prometheus 指标端点监控 Falco 健康状态