Detects runtime threats in containers and Kubernetes using Falco YAML rules, monitoring syscalls for shell spawns, file tampering, network anomalies, and privilege escalation. Rules are loaded from files (Falco's gRPC API exposes alert output, not rule management); the skill streams or reads alerts and parses them for incident response.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills-zh:performing-cloud-native-forensics-with-falco
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Deploy and manage Falco rules in containerized environments for runtime security detection. Parse Falco alerts for incident response.
Key detection rules:

```yaml
# Custom Falco rule: detect a shell started inside a container
- rule: Shell Spawned in Container
  desc: Detect a shell process started inside a container
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, dash, csh)
    and not proc.pname in (docker-entrypo, supervisord)
  output: >
    Shell spawned in container
    (user=%user.name command=%proc.cmdline container=%container.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

```bash
# Run Falco with the custom rules. Load the default rules file as well:
# the macros spawned_process and container used above are defined there,
# and the custom file does not load without them.
falco -r /etc/falco/falco_rules.yaml -r /etc/falco/custom_rules.yaml -o json_output=true

# Parse JSON alerts (one JSON object per line; skip blank lines)
python3 -c "import json,sys; [print(json.loads(l)['output']) for l in sys.stdin if l.strip()]" < /var/log/falco/alerts.json
```
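The one-liner above prints the `output` string of every alert, but for incident response you usually want the structured `output_fields` (container, user, command), a priority filter, and tolerance for non-JSON lines such as Falco's own startup messages mixed into the log. The parser below does that. It is an added example, not code from the cybersecurity-skills-zh skill or from the Falco project; the three alert lines are constructed to match the shape of Falco's JSON output and are not real captures, and the priority threshold and the per-container grouping are this example's own choices.

```python
"""Parse Falco JSON alert lines (one object per line, as written with
-o json_output=true) into a structured incident-response summary.

Added example; not code from the cybersecurity-skills-zh skill. The alert
lines in SAMPLE_LOG are constructed, not real captures. Field names
(rule, priority, output, output_fields, tags, time) are Falco's; the
threshold filter and grouping below are this example's own design.
"""
import json
from collections import defaultdict

# Falco priority levels, highest first.
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Constructed sample: three alerts plus a blank line and a non-JSON line
# (a startup banner that ended up in the same file) to exercise the
# error handling a real alert log needs.
SAMPLE_LOG = """\
{"hostname":"node-1","output":"Shell spawned in container (user=root command=bash -i container=web-7d9 image=nginx)","priority":"Warning","rule":"Shell Spawned in Container","source":"syscall","tags":["container","shell","mitre_execution"],"time":"2024-05-01T10:00:01.000000000Z","output_fields":{"container.image.repository":"nginx","container.name":"web-7d9","proc.cmdline":"bash -i","user.name":"root"}}

Falco initialized with configuration file: /etc/falco/falco.yaml
{"hostname":"node-1","output":"File below /etc opened for writing (file=/etc/passwd container=web-7d9)","priority":"Error","rule":"Write below etc","source":"syscall","tags":["filesystem","mitre_persistence"],"time":"2024-05-01T10:00:05.000000000Z","output_fields":{"container.name":"web-7d9","fd.name":"/etc/passwd","proc.cmdline":"sh -c echo x >> /etc/passwd","user.name":"root"}}
{"hostname":"node-2","output":"Outbound connection to C2 server (command=curl 203.0.113.7 container=batch-1)","priority":"Notice","rule":"Outbound Connection to C2 Servers","source":"syscall","tags":["network"],"time":"2024-05-01T10:01:00.000000000Z","output_fields":{"container.name":"batch-1","fd.sip":"203.0.113.7","proc.cmdline":"curl 203.0.113.7","user.name":"app"}}
"""


def parse_alerts(text):
    """Return one dict per valid Falco alert line; skip blanks and non-JSON."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an alert (banner, truncated write, ...)
        if "rule" in obj and "priority" in obj:
            alerts.append(obj)
    return alerts


def at_least(alerts, threshold):
    """Keep alerts at or above `threshold` priority (case-insensitive)."""
    rank = {p.lower(): i for i, p in enumerate(PRIORITY_ORDER)}
    limit = rank[threshold.lower()]
    return [a for a in alerts
            if rank.get(a["priority"].lower(), len(rank)) <= limit]


def by_container(alerts):
    """Group rule names by container, in time order: {container: [rules]}."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["time"]):
        name = a.get("output_fields", {}).get("container.name", "host")
        groups[name].append(a["rule"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    print(f"{len(parsed)} alerts parsed")
    for a in at_least(parsed, "Warning"):
        f = a["output_fields"]
        print(f'{a["time"]} {a["priority"]:8} {a["rule"]} '
              f'container={f.get("container.name")} '
              f'user={f.get("user.name")} cmd={f.get("proc.cmdline")!r}')
    print(by_container(parsed))
```

Run it against a real file with `parse_alerts(open("/var/log/falco/alerts.json").read())`; the per-container grouping gives the timeline an IR analyst needs (shell spawn followed by a write to /etc/passwd in the same container is a much stronger signal than either alert alone).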
npx claudepluginhub killvxk/cybersecurity-skills-zh