Container Security

Sysdig

インストール方法は、こちら

curl -s https://download.sysdig.com/DRAIOS-GPG-KEY.public | sudo apt-key add -  
sudo curl -s -o /etc/apt/sources.list.d/draios.list https://download.sysdig.com/stable/deb/draios.list  
sudo apt-get update
sudo apt-get -y install linux-headers-$(uname -r)
sudo apt-get -y install sysdig
sysdig --version

Falco

インストール方法は、こちら

  • falco.yaml: Falcoの設定ファイル
  • falco_rules.yaml: Falcoのデフォルトルール
  • falco_rules.local.yaml: Falcoのカスタムルール
$ cat /etc/falco/falco_rules.local.yaml
# Your custom rules!
- macro: is_container
  condition: container.id != host

- list: suspicious_process
  items: [ps, sleep]

- rule: spawn_suspicious_process_in_container
  desc: Notice spawn suspicious process within a container
  condition: evt.type = execve and evt.dir = < and is_container and proc.name in (suspicious_process)
  output: Spawn suspicious process in a container (container_id=%container.id container_name=%container.name process=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING