creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 13:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-container-drift-at-runtime/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

83 lines
2.0 KiB
Markdown
Raw Blame History

# API Reference: Detecting Container Drift at Runtime
## Docker SDK for Python
```python
import docker
client = docker.from_env()
# List running containers
containers = client.containers.list()
# Get container details
container = client.containers.get("container_id")
container.attrs # full inspection dict
container.image.id # image SHA256
container.image.tags # ['app:v1.0']
# Filesystem diff (vs original image)
diff = container.diff()
# Returns: [{"Path": "/tmp/new_file", "Kind": 1}]
# Kind: 0=Modified, 1=Added, 2=Deleted
# Container inspection fields
container.attrs["HostConfig"]["Privileged"] # bool
container.attrs["HostConfig"]["ReadonlyRootfs"] # bool
container.attrs["Config"]["Image"] # image reference
```
## Docker CLI Commands
```bash
# Filesystem changes since creation
docker diff <container> # A=Added, C=Changed, D=Deleted
# Running processes
docker top <container> -eo pid,user,comm,args
# Image digest verification
docker inspect --format='{{.Image}}' <container>
```
## Falco Drift Detection Rules
```yaml
# Detect binary not in original image
condition: spawned_process and container and proc.is_exe_upper_layer = true
# Detect package manager usage
condition: spawned_process and container and proc.name in (apt, yum, pip, npm)
# Detect shell spawn
condition: spawned_process and container and proc.name in (bash, sh, dash)
```
## Kubernetes Security Context
```yaml
securityContext:
readOnlyRootFilesystem: true # prevent drift
allowPrivilegeEscalation: false
runAsNonRoot: true
capabilities:
drop: ["ALL"]
```
## Drift Severity Classification
| Indicator | Severity |
|-----------|----------|
| Privileged container | CRITICAL |
| Sensitive file modified (/etc/shadow) | CRITICAL |
| Binary added to system path | HIGH |
| Package manager executed | HIGH |
| Root shell active | MEDIUM |
| Mutable root filesystem | MEDIUM |
## CLI Usage
```bash
python agent.py --container my-app-container
python agent.py --container abc123 --all
```
Reference in New Issue View Git Blame Copy Permalink