mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,88 @@
|
||||
# API Reference: Detecting Container Escape with Falco Rules
|
||||
|
||||
## Falco CLI
|
||||
|
||||
```bash
|
||||
falco --version # check version
|
||||
falco --validate /path/to/rules.yaml # validate rules syntax
|
||||
falco -r /etc/falco/rules.d/escape.yaml # load specific rules
|
||||
falco --list # list all available fields
|
||||
falco --list-events # list supported syscalls
|
||||
```
|
||||
|
||||
## Falco Rule Syntax
|
||||
|
||||
```yaml
|
||||
- rule: <name>
|
||||
desc: <description>
|
||||
condition: <filter expression>
|
||||
output: <alert message with fields>
|
||||
priority: <Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug>
|
||||
tags: [tag1, tag2]
|
||||
enabled: true
|
||||
```
|
||||
|
||||
## Key Falco Filter Fields
|
||||
|
||||
| Field | Description |
|
||||
|-------|-------------|
|
||||
| `container` | True if event is from a container |
|
||||
| `spawned_process` | True if new process spawned |
|
||||
| `proc.name` | Process name |
|
||||
| `proc.cmdline` | Full command line |
|
||||
| `proc.pname` | Parent process name |
|
||||
| `fd.name` | File descriptor name/path |
|
||||
| `container.name` | Container name |
|
||||
| `container.image.repository` | Image repository |
|
||||
| `container.privileged` | True if privileged |
|
||||
| `proc.is_exe_upper_layer` | Binary not in original image |
|
||||
| `evt.type` | Syscall type (setns, unshare, mount) |
|
||||
|
||||
## Falco JSON Output Format
|
||||
|
||||
```json
|
||||
{
|
||||
"time": "2024-01-15T10:30:00.000Z",
|
||||
"rule": "Container Escape Binary Execution",
|
||||
"priority": "Critical",
|
||||
"source": "syscall",
|
||||
"output": "Escape binary in container...",
|
||||
"output_fields": {
|
||||
"user.name": "root",
|
||||
"proc.cmdline": "nsenter -t 1 -m -u -i -n",
|
||||
"container.name": "attacker-pod"
|
||||
},
|
||||
"tags": ["container", "escape", "T1611"]
|
||||
}
|
||||
```
|
||||
|
||||
## Falcosidekick Alert Routing
|
||||
|
||||
```yaml
|
||||
config:
|
||||
slack:
|
||||
webhookurl: "https://hooks.slack.com/services/XXX"
|
||||
minimumpriority: "critical"
|
||||
elasticsearch:
|
||||
hostport: "https://es:9200"
|
||||
index: "falco-alerts"
|
||||
```
|
||||
|
||||
## Helm Deployment
|
||||
|
||||
```bash
|
||||
helm repo add falcosecurity https://falcosecurity.github.io/charts
|
||||
helm install falco falcosecurity/falco \
|
||||
--namespace falco --create-namespace \
|
||||
--set driver.kind=ebpf \
|
||||
--set falcosidekick.enabled=true
|
||||
```
|
||||
|
||||
## CLI Usage
|
||||
|
||||
```bash
|
||||
python agent.py --check-status
|
||||
python agent.py --validate-rules /etc/falco/rules.d/escape.yaml
|
||||
python agent.py --parse-alerts /var/log/falco/events.json --min-priority Warning
|
||||
python agent.py --generate-rules > escape-rules.yaml
|
||||
```
|
||||
Reference in New Issue
Block a user