Skip to content

Runtime Security(运行时安全)

支持的版本: Falco 0.39+, Tetragon 1.2+, Kubernetes 1.31, 1.32, 1.33 最后更新: February 22, 2026

Runtime security(运行时安全)是在 containers 运行期间检测并响应恶意活动和异常行为。本文档介绍以 Falco 和 Tetragon 为核心的运行时安全策略。

目录

  1. 运行时威胁态势
  2. Falco
  3. Tetragon
  4. Falco 与 Tetragon 对比
  5. Kubernetes 审计日志
  6. 运行时威胁检测模式
  7. 事件响应
  8. SIEM/SOAR 集成

运行时威胁态势

Container 运行时威胁

┌─────────────────────────────────────────────────────────────────────────┐
│                    Container Runtime Threat Types                        │
│                                                                         │
│  ┌─────────────────────────────────────────────────────────────────┐   │
│  │                      Attack Vectors                              │   │
│  │                                                                  │   │
│  │  ┌───────────┐  ┌───────────┐  ┌───────────┐  ┌───────────┐   │   │
│  │  │Vulnerability│ │  Miscon-  │  │ Malicious │  │  Supply   │   │   │
│  │  │  Exploit   │  │figuration │  │   Image   │  │  Chain    │   │   │
│  │  └─────┬─────┘  └─────┬─────┘  └─────┬─────┘  └─────┬─────┘   │   │
│  │        │              │              │              │          │   │
│  │        └──────────────┴──────────────┴──────────────┘          │   │
│  │                              │                                  │   │
│  │                              ▼                                  │   │
│  │  ┌─────────────────────────────────────────────────────────┐   │   │
│  │  │                    Runtime Threats                       │   │   │
│  │  │                                                          │   │   │
│  │  │  • Cryptocurrency Mining                                 │   │   │
│  │  │  • Reverse Shell                                         │   │   │
│  │  │  • Privilege Escalation                                  │   │   │
│  │  │  • Container Escape                                      │   │   │
│  │  │  • Data Exfiltration                                     │   │   │
│  │  │  • Lateral Movement                                      │   │   │
│  │  │  • Persistence                                           │   │   │
│  │  └─────────────────────────────────────────────────────────┘   │   │
│  └─────────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────────┘

检测技术

技术描述优点缺点
Syscall MonitoringKernel 系统调用跟踪详细可见性开销
eBPFKernel 级编程高性能、安全实现复杂
Audit LogsK8s API 调用记录合规运行时可见性有限
Network Monitoring流量模式分析横向移动检测加密流量

Falco

Falco 概述

Falco 是一种 cloud-native 运行时安全工具,通过分析系统调用来检测异常行为。

┌─────────────────────────────────────────────────────────────────────────┐
│                         Falco Architecture                               │
│                                                                         │
│  ┌─────────────────────────────────────────────────────────────────┐   │
│  │                      Kubernetes Node                             │   │
│  │                                                                  │   │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐             │   │
│  │  │ Container A │  │ Container B │  │ Container C │             │   │
│  │  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘             │   │
│  │         │                │                │                     │   │
│  │         └────────────────┼────────────────┘                     │   │
│  │                          │ System Calls                         │   │
│  │                          ▼                                      │   │
│  │  ┌─────────────────────────────────────────────────────────┐   │   │
│  │  │                    Linux Kernel                          │   │   │
│  │  │  ┌─────────────────────────────────────────────────┐    │   │   │
│  │  │  │         Falco eBPF/Kernel Module               │    │   │   │
│  │  │  │         (System Call Capture)                  │    │   │   │
│  │  │  └─────────────────────────────────────────────────┘    │   │   │
│  │  └─────────────────────────────────────────────────────────┘   │   │
│  │                          │                                      │   │
│  │                          ▼                                      │   │
│  │  ┌─────────────────────────────────────────────────────────┐   │   │
│  │  │                    Falco Engine                          │   │   │
│  │  │  ┌───────────┐  ┌───────────┐  ┌───────────────────┐   │   │   │
│  │  │  │   Rules   │  │ Filtering │  │  Output Channels  │   │   │   │
│  │  │  │  Engine   │──▶│  Engine   │──▶│ • stdout         │   │   │   │
│  │  │  │           │  │           │  │ • file            │   │   │   │
│  │  │  │           │  │           │  │ • Slack           │   │   │   │
│  │  │  │           │  │           │  │ • PagerDuty       │   │   │   │
│  │  │  └───────────┘  └───────────┘  └───────────────────┘   │   │   │
│  │  └─────────────────────────────────────────────────────────┘   │   │
│  └─────────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────────┘

Falco 安装 (EKS)

bash
# Install Falco using Helm
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update

# Use eBPF driver (recommended)
helm install falco falcosecurity/falco \
    --namespace falco \
    --create-namespace \
    --set driver.kind=ebpf \
    --set falcosidekick.enabled=true \
    --set falcosidekick.webui.enabled=true
yaml
# values.yaml (detailed configuration)
driver:
  kind: ebpf

falco:
  jsonOutput: true
  jsonIncludeOutputProperty: true
  httpOutput:
    enabled: true
    url: http://falcosidekick:2801

customRules:
  custom-rules.yaml: |-
    # Add custom rules here

falcosidekick:
  enabled: true
  config:
    slack:
      webhookurl: "https://hooks.slack.com/services/xxx"
      outputformat: "all"
      minimumpriority: "warning"
    pagerduty:
      apikey: "xxx"
      minimumpriority: "critical"

  webui:
    enabled: true
    service:
      type: ClusterIP

Falco 规则结构

yaml
# Rule structure
- rule: <rule name>
  desc: <description>
  condition: <condition expression>
  output: <output message>
  priority: <severity: EMERGENCY|ALERT|CRITICAL|ERROR|WARNING|NOTICE|INFO|DEBUG>
  tags: [<tag list>]
  enabled: true|false

默认规则示例

yaml
# /etc/falco/falco_rules.yaml

# Detect shell execution in container
- rule: Terminal shell in container
  desc: A shell was spawned in a container
  condition: >
    spawned_process and
    container and
    shell_procs and
    proc.tty != 0
  output: >
    Shell spawned in a container
    (user=%user.name user_loginuid=%user.loginuid container=%container.name
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    terminal=%proc.tty exe_flags=%evt.arg.flags)
  priority: WARNING
  tags: [shell, container, mitre_execution]

# Detect sensitive file reads
- rule: Read sensitive file untrusted
  desc: An untrusted program read a sensitive file
  condition: >
    sensitive_files and
    open_read and
    proc_name_exists and
    not user_trusted_containers
  output: >
    Sensitive file read by untrusted program
    (user=%user.name name=%proc.name command=%proc.cmdline
    file=%fd.name parent=%proc.pname gparent=%proc.aname[2]
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, mitre_credential_access]

# Detect privilege escalation
- rule: Detect su or sudo
  desc: Detect su or sudo execution
  condition: >
    spawned_process and
    (proc.name in (su, sudo))
  output: >
    Privilege escalation via su/sudo
    (user=%user.name command=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [privilege_escalation]

编写自定义规则

yaml
# Cryptocurrency mining detection
- rule: Detect Cryptocurrency Mining
  desc: Detect cryptocurrency mining processes
  condition: >
    spawned_process and
    container and
    (
      proc.name in (xmrig, minerd, cgminer, cpuminer, bfgminer) or
      proc.cmdline contains "stratum+tcp://" or
      proc.cmdline contains "pool.minexmr.com" or
      proc.cmdline contains "cryptonight"
    )
  output: >
    Cryptocurrency mining detected
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: CRITICAL
  tags: [cryptomining, mitre_resource_hijacking]

# Reverse shell detection
- rule: Reverse Shell Detection
  desc: Detect reverse shell connections
  condition: >
    spawned_process and
    container and
    (
      (proc.name = bash and proc.cmdline contains "/dev/tcp/") or
      (proc.name = nc and proc.args contains "-e") or
      (proc.name = python and proc.cmdline contains "socket" and
       proc.cmdline contains "subprocess") or
      (proc.name = perl and proc.cmdline contains "socket") or
      (proc.name = ruby and proc.cmdline contains "TCPSocket")
    )
  output: >
    Reverse shell detected
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository connection=%fd.name)
  priority: CRITICAL
  tags: [reverse_shell, mitre_execution]

# Kubernetes Secret access detection
- rule: Unauthorized K8s Secret Access
  desc: Detect unauthorized access to mounted Kubernetes secrets
  condition: >
    open_read and
    container and
    fd.name startswith "/var/run/secrets/kubernetes.io" and
    not proc.name in (kubelet, kube-proxy)
  output: >
    Kubernetes secret accessed
    (user=%user.name command=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [k8s, secrets, mitre_credential_access]

# Container escape attempt detection
- rule: Container Escape Attempt
  desc: Detect potential container escape attempts
  condition: >
    spawned_process and
    container and
    (
      proc.cmdline contains "nsenter" or
      proc.cmdline contains "/proc/1/root" or
      proc.cmdline contains "/.dockerenv" or
      (proc.name = mount and proc.args contains "cgroup")
    )
  output: >
    Container escape attempt detected
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: CRITICAL
  tags: [container_escape, mitre_privilege_escalation]

Falco 告警配置

yaml
# Falcosidekick configuration for various alert channels
falcosidekick:
  config:
    # Slack
    slack:
      webhookurl: "https://hooks.slack.com/services/xxx/yyy/zzz"
      channel: "#security-alerts"
      username: "Falco"
      outputformat: "all"
      minimumpriority: "warning"

    # PagerDuty
    pagerduty:
      routingkey: "xxx"
      minimumpriority: "critical"

    # AWS CloudWatch
    cloudwatchlogs:
      region: "us-east-1"
      loggroup: "/falco/alerts"
      logstream: "eks-cluster"

    # AWS Security Hub
    securityhub:
      region: "us-east-1"
      minimumpriority: "high"

    # Prometheus
    prometheus:
      extralabels: "cluster:production"

    # Elasticsearch
    elasticsearch:
      hostport: "https://elasticsearch:9200"
      index: "falco"
      type: "_doc"

Tetragon

Tetragon 概述

Tetragon 是 Cilium project 提供的基于 eBPF 的安全可观测性和运行时执行工具。

┌─────────────────────────────────────────────────────────────────────────┐
│                        Tetragon Architecture                             │
│                                                                         │
│  ┌─────────────────────────────────────────────────────────────────┐   │
│  │                    Kubernetes Cluster                            │   │
│  │                                                                  │   │
│  │  ┌───────────────────────────────────────────────────────────┐  │   │
│  │  │                    Tetragon DaemonSet                      │  │   │
│  │  │                                                            │  │   │
│  │  │  ┌─────────────────────────────────────────────────────┐  │  │   │
│  │  │  │                   eBPF Programs                      │  │  │   │
│  │  │  │                                                      │  │  │   │
│  │  │  │  • Process Execution   • File Access                │  │  │   │
│  │  │  │  • Network Activity    • Capability Usage           │  │  │   │
│  │  │  │  • Namespace Changes   • Syscall Tracing            │  │  │   │
│  │  │  └─────────────────────────────────────────────────────┘  │  │   │
│  │  │                           │                                │  │   │
│  │  │                           ▼                                │  │   │
│  │  │  ┌─────────────────────────────────────────────────────┐  │  │   │
│  │  │  │               TracingPolicy CRD                      │  │  │   │
│  │  │  │                                                      │  │  │   │
│  │  │  │  • kprobes    • tracepoints    • uprobes            │  │  │   │
│  │  │  │  • Selectors  • Actions        • Filters            │  │  │   │
│  │  │  └─────────────────────────────────────────────────────┘  │  │   │
│  │  │                           │                                │  │   │
│  │  │                           ▼                                │  │   │
│  │  │  ┌─────────────────────────────────────────────────────┐  │  │   │
│  │  │  │                    Outputs                           │  │  │   │
│  │  │  │                                                      │  │  │   │
│  │  │  │  • JSON Events  • gRPC API  • Prometheus Metrics    │  │  │   │
│  │  │  └─────────────────────────────────────────────────────┘  │  │   │
│  │  └────────────────────────────────────────────────────────────┘  │   │
│  └─────────────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────────────┘

Tetragon 安装

bash
# Install Tetragon using Helm
helm repo add cilium https://helm.cilium.io
helm repo update

helm install tetragon cilium/tetragon \
    -n kube-system \
    --set tetragon.enableProcessCred=true \
    --set tetragon.enableProcessNs=true

TracingPolicy 基本结构

yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: example-policy
spec:
  # kprobes: kernel function tracing
  kprobes:
    - call: "security_file_open"
      syscall: false
      args:
        - index: 0
          type: "file"
      selectors:
        - matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/shadow"
          matchActions:
            - action: Sigkill  # Kill process

进程监控

yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: process-monitoring
spec:
  kprobes:
    # Monitor execve system call
    - call: "sys_execve"
      syscall: true
      args:
        - index: 0
          type: "string"  # Executable path
      selectors:
        - matchBinaries:
            - operator: "In"
              values:
                - "/bin/bash"
                - "/bin/sh"
                - "/usr/bin/python"
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"  # Exclude host namespace

文件访问监控

yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: sensitive-file-access
spec:
  kprobes:
    - call: "security_file_open"
      syscall: false
      args:
        - index: 0
          type: "file"
      selectors:
        # Monitor sensitive file access
        - matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/shadow"
                - "/etc/passwd"
                - "/etc/sudoers"
                - "/root/.ssh"
                - "/var/run/secrets/kubernetes.io"
          matchActions:
            - action: Post  # Log event
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-sensitive-file-write
spec:
  kprobes:
    - call: "security_file_open"
      syscall: false
      args:
        - index: 0
          type: "file"
        - index: 1
          type: "int"  # flags
      selectors:
        # Block write access to sensitive files
        - matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/passwd"
                - "/etc/shadow"
            - index: 1
              operator: "Mask"
              values:
                - "2"  # O_WRONLY or O_RDWR
          matchActions:
            - action: Sigkill  # Kill process

网络监控

yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: network-monitoring
spec:
  kprobes:
    # Monitor outbound connections
    - call: "tcp_connect"
      syscall: false
      args:
        - index: 0
          type: "sock"
      selectors:
        - matchArgs:
            - index: 0
              operator: "DPort"
              values:
                - "22"    # SSH
                - "4444"  # Common reverse shell port
                - "5555"  # Common reverse shell port
          matchActions:
            - action: Post

    # Monitor DNS queries
    - call: "udp_sendmsg"
      syscall: false
      args:
        - index: 0
          type: "sock"
      selectors:
        - matchArgs:
            - index: 0
              operator: "DPort"
              values:
                - "53"
          matchActions:
            - action: Post

Runtime Enforcement(运行时执行)

yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-crypto-miners
spec:
  kprobes:
    - call: "sys_execve"
      syscall: true
      args:
        - index: 0
          type: "string"
      selectors:
        # Block cryptocurrency mining processes
        - matchArgs:
            - index: 0
              operator: "Postfix"
              values:
                - "xmrig"
                - "minerd"
                - "cgminer"
          matchActions:
            - action: Sigkill
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-reverse-shells
spec:
  kprobes:
    - call: "sys_execve"
      syscall: true
      args:
        - index: 0
          type: "string"
        - index: 1
          type: "string"  # argv
      selectors:
        # Block reverse shell patterns
        - matchArgs:
            - index: 1
              operator: "Contains"
              values:
                - "/dev/tcp/"
                - "bash -i"
                - "nc -e"
          matchActions:
            - action: Sigkill

Tetragon CLI 使用

bash
# View event stream
kubectl exec -n kube-system ds/tetragon -c tetragon -- tetra getevents

# Filter process events
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
    tetra getevents -o compact --process curl

# JSON format output
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
    tetra getevents -o json

# Filter by namespace
kubectl exec -n kube-system ds/tetragon -c tetragon -- \
    tetra getevents --namespace production

Falco 与 Tetragon 对比

功能对比表

特性FalcoTetragon
技术基础Kernel module/eBPF仅 eBPF
性能良好优秀
规则语言YAML + conditionsCRD (TracingPolicy)
Runtime Enforcement有限原生支持
Kubernetes 集成良好优秀 (Cilium)
进程跟踪
文件监控
网络监控有限✓ (Cilium integration)
社区庞大且成熟正在成长
学习曲线中等
告警集成FalcosidekickPrometheus, gRPC

使用场景建议

┌─────────────────────────────────────────────────────────────────────────┐
│                    Recommended Tools by Use Case                         │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  Detection-focused Monitoring                                           │
│  └─▶ Falco (mature ruleset, diverse alert integration)                 │
│                                                                         │
│  Runtime Enforcement Needed                                             │
│  └─▶ Tetragon (process termination, network blocking)                  │
│                                                                         │
│  Cilium CNI Environment                                                 │
│  └─▶ Tetragon (native integration)                                     │
│                                                                         │
│  Compliance/Auditing                                                    │
│  └─▶ Falco + Tetragon (complementary)                                  │
│                                                                         │
│  Minimal Overhead Required                                              │
│  └─▶ Tetragon (pure eBPF)                                              │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Kubernetes 审计日志

审计策略配置

yaml
# audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Log authentication failures
  - level: Metadata
    users: ["system:anonymous"]
    verbs: ["*"]

  # Detailed Secret access logging
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

  # Pod exec/attach logging
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
    verbs: ["create"]

  # RBAC change logging
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
        resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["create", "update", "patch", "delete"]

  # Minimal logging for read operations
  - level: Metadata
    verbs: ["get", "list", "watch"]

  # All other requests
  - level: Request
    verbs: ["*"]

EKS 审计日志分析

bash
# CloudWatch Logs Insights queries

# Secret access events
fields @timestamp, user.username, verb, objectRef.resource, objectRef.name
| filter objectRef.resource = "secrets"
| sort @timestamp desc
| limit 100

# Permission denied events
fields @timestamp, user.username, verb, objectRef.resource, responseStatus.code
| filter responseStatus.code = 403
| sort @timestamp desc

# exec/attach events
fields @timestamp, user.username, objectRef.name, requestURI
| filter objectRef.subresource in ["exec", "attach"]
| sort @timestamp desc

运行时威胁检测模式

加密货币挖矿检测

yaml
# Falco rule
- rule: Cryptocurrency Mining Activity
  desc: Detect processes commonly used for cryptocurrency mining
  condition: >
    spawned_process and container and
    (
      proc.name in (xmrig, minerd, cpuminer, cgminer) or
      proc.cmdline contains "stratum+tcp" or
      proc.cmdline contains "pool." and proc.cmdline contains ":" or
      proc.cmdline contains "--algo=cryptonight"
    )
  output: >
    Cryptocurrency mining activity detected
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository pod=%k8s.pod.name)
  priority: CRITICAL
  tags: [cryptomining, mitre_resource_hijacking]

Reverse Shell 检测

yaml
- rule: Reverse Shell Activity
  desc: Detect outbound network connections that may be reverse shells
  condition: >
    spawned_process and container and
    (
      (proc.name = bash and proc.cmdline contains "/dev/tcp/") or
      (proc.name = nc and (proc.args contains "-e" or proc.args contains "-c")) or
      (proc.name = ncat and proc.args contains "--sh-exec") or
      (proc.name = python and proc.cmdline contains "socket" and
       proc.cmdline contains "subprocess") or
      (proc.name = perl and proc.cmdline contains "socket" and
       proc.cmdline contains "exec") or
      (proc.name = php and proc.cmdline contains "fsockopen")
    )
  output: >
    Reverse shell detected
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository pod=%k8s.pod.name)
  priority: CRITICAL
  tags: [reverse_shell, mitre_command_and_control]

权限提升检测

yaml
- rule: Privilege Escalation via SUID
  desc: Detect execution of SUID binaries
  condition: >
    spawned_process and container and
    proc.is_exe_upper_layer=false and
    user.uid != 0 and
    proc.suid != 0 and
    proc.suid != proc.uid
  output: >
    SUID binary executed
    (user=%user.name uid=%user.uid suid=%proc.suid command=%proc.cmdline
    container=%container.name)
  priority: WARNING
  tags: [privilege_escalation, mitre_privilege_escalation]

- rule: Setuid/Setgid Binary Created
  desc: Detect creation of setuid/setgid binaries
  condition: >
    evt.type = chmod and container and
    (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    Setuid/setgid binary created
    (user=%user.name file=%fd.name mode=%evt.arg.mode container=%container.name)
  priority: CRITICAL
  tags: [privilege_escalation, persistence]

事件响应

Pod 隔离流程

bash
#!/bin/bash
# incident-response.sh

POD_NAME=$1
NAMESPACE=$2

# 1. Apply isolation network policy
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-${POD_NAME}
  namespace: ${NAMESPACE}
spec:
  podSelector:
    matchLabels:
      app: $(kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o jsonpath='{.metadata.labels.app}')
  policyTypes:
    - Ingress
    - Egress
  # Block all traffic
EOF

# 2. Collect pod information
echo "=== Collecting Pod Information ==="
kubectl get pod ${POD_NAME} -n ${NAMESPACE} -o yaml > pod-${POD_NAME}-spec.yaml
kubectl describe pod ${POD_NAME} -n ${NAMESPACE} > pod-${POD_NAME}-describe.txt
kubectl logs ${POD_NAME} -n ${NAMESPACE} --all-containers > pod-${POD_NAME}-logs.txt

# 3. Collect process list (if possible)
kubectl exec ${POD_NAME} -n ${NAMESPACE} -- ps aux > pod-${POD_NAME}-processes.txt 2>/dev/null

# 4. Collect network connections
kubectl exec ${POD_NAME} -n ${NAMESPACE} -- netstat -an > pod-${POD_NAME}-network.txt 2>/dev/null

# 5. Filesystem snapshot (if needed)
# kubectl debug ${POD_NAME} -n ${NAMESPACE} --image=busybox -- tar -cvf /tmp/fs.tar /

echo "=== Evidence Collection Complete ==="
echo "Collected files: pod-${POD_NAME}-*.txt"

取证 Container

yaml
# Debug container for forensics
apiVersion: v1
kind: Pod
metadata:
  name: forensics-pod
  namespace: security
spec:
  containers:
  - name: forensics
    image: nicolaka/netshoot:latest
    command: ["sleep", "3600"]
    securityContext:
      capabilities:
        add:
          - SYS_PTRACE
          - NET_ADMIN
    volumeMounts:
      - name: host-proc
        mountPath: /host/proc
        readOnly: true
      - name: evidence
        mountPath: /evidence
  volumes:
    - name: host-proc
      hostPath:
        path: /proc
    - name: evidence
      emptyDir: {}

SIEM/SOAR 集成

Falco 到 Elasticsearch

yaml
# Falcosidekick Elasticsearch configuration
falcosidekick:
  config:
    elasticsearch:
      hostport: "https://elasticsearch.logging:9200"
      index: "falco"
      type: "_doc"
      minimumpriority: "warning"
      mutualtls: false
      checkcert: true
      username: "elastic"
      password: "${ELASTIC_PASSWORD}"

Prometheus + Grafana Dashboard

yaml
# ServiceMonitor for Falco metrics
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: falco
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: falco
  endpoints:
    - port: metrics
      interval: 30s
yaml
# Grafana dashboard ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: falco-dashboard
  namespace: monitoring
  labels:
    grafana_dashboard: "1"
data:
  falco-dashboard.json: |
    {
      "title": "Falco Security Alerts",
      "panels": [
        {
          "title": "Alerts by Priority",
          "type": "piechart",
          "targets": [
            {
              "expr": "sum by (priority) (falco_events_total)"
            }
          ]
        },
        {
          "title": "Alerts Over Time",
          "type": "timeseries",
          "targets": [
            {
              "expr": "rate(falco_events_total[5m])"
            }
          ]
        }
      ]
    }

总结

运行时安全的关键方面:

  1. Falco:成熟规则集、多样化告警集成、以检测为中心
  2. Tetragon:基于 eBPF 的高性能,支持 runtime enforcement
  3. Audit Logging:Kubernetes API 活动跟踪、合规
  4. Threat Detection:加密货币挖矿、reverse shells、权限提升
  5. Incident Response:隔离、证据收集、取证

建议

  • 使用 Falco + Tetragon 组合进行检测和执行
  • 为关键系统编写自定义规则
  • 与 SIEM 集成,实现集中式监控
  • 准备事件响应 playbooks

参考资料