Anthropic-Cybersecurity-Skills/skills/detecting-container-escape-with-falco-rules/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00
# API Reference: Detecting Container Escape with Falco Rules

## Falco CLI

```bash
falco --version                           # check version
falco --validate /path/to/rules.yaml      # validate rules syntax
falco -r /etc/falco/rules.d/escape.yaml   # load specific rules
falco --list                              # list all available fields
falco --list-events                       # list supported syscalls
```

## Falco Rule Syntax

```yaml
- rule: <name>
  desc: <description>
  condition: <filter expression>
  output: <alert message with fields>
  priority: <Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug>
  tags: [tag1, tag2]
  enabled: true
```

## Key Falco Filter Fields

| Field | Description |
|-------|-------------|
| `container` | True if the event comes from a container (macro defined in the default ruleset) |
| `spawned_process` | True if a new process was spawned (macro defined in the default ruleset) |
| `proc.name` | Process name |
| `proc.cmdline` | Full command line |
| `proc.pname` | Parent process name |
| `fd.name` | File descriptor name/path |
| `container.name` | Container name |
| `container.image.repository` | Image repository |
| `container.privileged` | True if the container is privileged |
| `proc.is_exe_upper_layer` | True if the executable lives in the container's writable upper layer, i.e. was not shipped in the original image |
| `evt.type` | Syscall type (e.g. `setns`, `unshare`, `mount`) |

## Falco JSON Output Format

```json
{
  "time": "2024-01-15T10:30:00.000Z",
  "rule": "Container Escape Binary Execution",
  "priority": "Critical",
  "source": "syscall",
  "output": "Escape binary in container...",
  "output_fields": {
    "user.name": "root",
    "proc.cmdline": "nsenter -t 1 -m -u -i -n",
    "container.name": "attacker-pod"
  },
  "tags": ["container", "escape", "T1611"]
}
```
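The output format above is newline-delimited JSON, and a consumer has to rank the priority string against the ordered list from the rule syntax to honour a threshold such as `--min-priority Warning`. The following is an added example, not code from the skill's `agent.py`; it parses a constructed two-event sample, skips malformed lines instead of aborting, and keeps only alerts at or above the requested priority.

```python
import json

# Falco priorities in descending severity, as listed in the rule syntax section.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# Constructed sample: two Falco JSON events plus one corrupt line (not real captured output).
SAMPLE_EVENTS = """\
{"time":"2024-01-15T10:30:00.000Z","rule":"Container Escape Binary Execution","priority":"Critical","source":"syscall","output":"Escape binary in container...","output_fields":{"user.name":"root","proc.cmdline":"nsenter -t 1 -m -u -i -n","container.name":"attacker-pod"},"tags":["container","escape","T1611"]}
{"time":"2024-01-15T10:31:00.000Z","rule":"Read sensitive file","priority":"Notice","source":"syscall","output":"...","output_fields":{"user.name":"app","proc.cmdline":"cat /etc/hostname","container.name":"web"},"tags":["filesystem"]}
this line is not json
"""

def priority_rank(name):
    """Lower rank means more severe; an unknown priority string sorts after Debug."""
    try:
        return PRIORITIES.index(name.capitalize())
    except ValueError:
        return len(PRIORITIES)

def parse_alerts(text, min_priority="Warning"):
    """Return (alerts, skipped): alerts at or above min_priority, and the count of unparseable lines."""
    threshold = priority_rank(min_priority)
    kept, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # malformed line: count it, keep going
            continue
        if priority_rank(evt.get("priority", "")) > threshold:
            continue              # less severe than the threshold
        fields = evt.get("output_fields", {})
        kept.append({
            "time": evt.get("time"),
            "rule": evt.get("rule"),
            "priority": evt.get("priority"),
            "container": fields.get("container.name"),
            "cmdline": fields.get("proc.cmdline"),
            "escape": "escape" in evt.get("tags", []),   # tag set by the escape rules
        })
    return kept, skipped

if __name__ == "__main__":
    alerts, bad = parse_alerts(SAMPLE_EVENTS, "Warning")
    for alert in alerts:
        print(alert)
    print(f"skipped {bad} malformed line(s)")
```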

## Falcosidekick Alert Routing

```yaml
config:
  slack:
    webhookurl: "https://hooks.slack.com/services/XXX"
    minimumpriority: "critical"
  elasticsearch:
    hostport: "https://es:9200"
    index: "falco-alerts"
```

## Helm Deployment

```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set driver.kind=ebpf \
  --set falcosidekick.enabled=true
```

## CLI Usage

```bash
python agent.py --check-status
python agent.py --validate-rules /etc/falco/rules.d/escape.yaml
python agent.py --parse-alerts /var/log/falco/events.json --min-priority Warning
python agent.py --generate-rules > escape-rules.yaml
```