Know-How
Runtime Security: protecting running applications
Static analysis and image scanning are not enough: they inspect the artifact before it is deployed, not what a workload does once it is running and possibly compromised. Runtime security watches the syscalls of running containers and processes to detect anomalous behaviour and, with some tools, to stop it.
Falco
# Installation (Helm chart; Falco runs as a DaemonSet and loads a kernel driver or eBPF probe on every node)
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco
# Custom rules (e.g. /etc/falco/rules.d/custom-rules.yaml, or the chart's customRules value).
# spawned_process and open_read are macros from the default falco_rules.yaml, so this
# file must be loaded together with the default rules; desc is a mandatory field.
- rule: Crypto mining detected
  desc: Known cryptominer binary started
  condition: spawned_process and proc.name in (xmrig, minerd)
  output: "Crypto miner detected (container=%container.name cmd=%proc.cmdline)"
  priority: CRITICAL

# /etc/passwd is world-readable and consulted by almost every user lookup, so this
# rule is noisy as written; /etc/shadow is the meaningful signal.
- rule: Sensitive file read
  desc: Read access to the password or shadow file
  condition: open_read and fd.name in (/etc/shadow, /etc/passwd)
  output: "Sensitive file read (file=%fd.name container=%container.name)"
  priority: WARNING
Tetragon: eBPF-based observability and enforcement
# Installation (the chart lives in the Cilium Helm repository, which must be added first)
helm repo add cilium https://helm.cilium.io
helm install tetragon cilium/tetragon -n kube-system
# Policy: kill any process that calls ptrace(2), e.g. a debugger or injector attaching to another process
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-privileged-syscalls
spec:
  # Without a podSelector this applies to every pod on the node, including strace/gdb
  # and runtimes that use ptrace; scope it with spec.podSelector.matchLabels before rollout.
  kprobes:
  # __x64_sys_ptrace is the x86_64 entry symbol; arm64 uses __arm64_sys_ptrace.
  - call: "__x64_sys_ptrace"
    syscall: true
    selectors:
    - matchActions:
      # Sigkill is delivered when the process returns to user space, so the ptrace call
      # can still complete before the process dies. To deny the call synchronously use
      # "action: Override" with "argError: -1" (EPERM), which needs CONFIG_BPF_KPROBE_OVERRIDE.
      - action: Sigkill
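Both tools emit one JSON object per line (Falco with `json_output: true`, Tetragon via `tetra getevents -o json`), and the question a responder asks per pod is: did Falco only see something, or has Tetragon already acted on it? The script below is an added example that serves both the Falco rules above and the Tetragon policy; it is not code from this page or from the Falco or Tetragon projects. It normalises both streams into one record, filters by Falco priority, and reports each pod as `enforced` or `detected_only`. Field names follow the two tools' JSON output; the sample lines, pod names and the `run`, `correlate` and `parse_*` helpers are constructed for this example.

```python
"""Correlate Falco alerts with Tetragon enforcement events per Kubernetes pod.
Added example for this page, not code from the page or from the Falco/Tetragon
projects. Assumes Falco runs with json_output: true (one alert per line with
"rule", "priority", "time", "output_fields") and Tetragon events are the JSON
lines of `tetra getevents -o json`. All sample lines below are constructed."""
import json
from collections import defaultdict
from dataclasses import dataclass

# Falco's own priority order: lower number = more severe.
FALCO_PRIORITIES = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
                    "warning": 4, "notice": 5, "informational": 6, "debug": 7}
# Tetragon kprobe actions that act on the process; KPROBE_ACTION_POST only logs.
ENFORCING_ACTIONS = {"KPROBE_ACTION_SIGKILL", "KPROBE_ACTION_OVERRIDE"}

@dataclass(frozen=True)
class Event:
    source: str     # "falco" or "tetragon"
    namespace: str
    pod: str
    rule: str       # Falco rule name, or Tetragon "policy:function"
    severity: str   # Falco priority name, lower-cased
    enforced: bool  # True only when the tool acted on the process
    time: str

def parse_falco(line):
    """One Falco JSON alert -> Event. Falco observes only, so enforced=False."""
    obj = json.loads(line)
    f = obj.get("output_fields", {})
    return Event("falco", f.get("k8s.ns.name", "?"),
                 f.get("k8s.pod.name") or f.get("container.name", "?"),
                 obj["rule"], obj["priority"].lower(), False, obj.get("time", ""))

def parse_tetragon(line):
    """One Tetragon JSON event -> Event; None for process_exec/process_exit,
    which carry no policy verdict."""
    obj = json.loads(line)
    kp = obj.get("process_kprobe")
    if kp is None:
        return None
    pod = kp.get("process", {}).get("pod", {})
    enforced = kp.get("action") in ENFORCING_ACTIONS
    rule = f"{kp.get('policy_name', '?')}:{kp.get('function_name', '?')}"
    return Event("tetragon", pod.get("namespace", "?"), pod.get("name", "?"),
                 rule, "critical" if enforced else "notice", enforced,
                 obj.get("time", ""))

def correlate(events, min_priority="warning"):
    """Group by namespace/pod; a pod is 'enforced' if Tetragon acted on it,
    else 'detected_only' (Falco alerted and nobody has acted yet)."""
    threshold = FALCO_PRIORITIES[min_priority]
    by_pod = defaultdict(list)
    for ev in events:
        if ev is not None and FALCO_PRIORITIES.get(ev.severity, 99) <= threshold:
            by_pod[f"{ev.namespace}/{ev.pod}"].append(ev)
    report = {}
    for pod, evs in sorted(by_pod.items()):
        enforcements = sum(1 for e in evs if e.enforced)
        report[pod] = {
            "detections": len(evs) - enforcements,
            "enforcements": enforcements,
            "rules": sorted({e.rule for e in evs}),
            # Sigkill lands after the syscall already entered the kernel, so
            # even "enforced" means: go and confirm the process is gone.
            "status": "enforced" if enforcements else "detected_only",
        }
    return report

def run(falco_lines, tetragon_lines, min_priority="warning"):
    events = [parse_falco(l) for l in falco_lines]
    events += [parse_tetragon(l) for l in tetragon_lines]
    return correlate(events, min_priority)

# Constructed sample input: real Falco/Tetragon field names, made-up values.
FALCO_LINES = [json.dumps(d) for d in [
    {"rule": "Crypto mining detected", "priority": "Critical", "time": "2024-05-01T10:00:01Z",
     "output_fields": {"k8s.ns.name": "shop", "k8s.pod.name": "web-7c9d",
                       "container.name": "web", "proc.cmdline": "xmrig -o pool:3333"}},
    {"rule": "Sensitive file read", "priority": "Warning", "time": "2024-05-01T10:00:02Z",
     "output_fields": {"k8s.ns.name": "shop", "k8s.pod.name": "web-7c9d",
                       "container.name": "web", "fd.name": "/etc/shadow"}},
    {"rule": "Terminal shell in container", "priority": "Notice", "time": "2024-05-01T10:05:00Z",
     "output_fields": {"k8s.ns.name": "dev", "k8s.pod.name": "debug-0", "container.name": "debug"}},
]]
TETRAGON_LINES = [json.dumps(d) for d in [
    {"process_exec": {"process": {"binary": "/bin/sh", "pod": {"namespace": "shop", "name": "web-7c9d"}}},
     "time": "2024-05-01T10:00:00Z"},
    {"process_kprobe": {"process": {"binary": "/usr/bin/strace", "pod": {"namespace": "shop", "name": "web-7c9d"}},
                        "function_name": "__x64_sys_ptrace", "action": "KPROBE_ACTION_SIGKILL",
                        "policy_name": "block-privileged-syscalls"}, "time": "2024-05-01T10:00:03Z"},
    {"process_kprobe": {"process": {"binary": "/usr/bin/gdb", "pod": {"namespace": "ci", "name": "runner-1"}},
                        "function_name": "__x64_sys_ptrace", "action": "KPROBE_ACTION_POST",
                        "policy_name": "audit-ptrace"}, "time": "2024-05-01T10:00:04Z"},
]]

if __name__ == "__main__":
    print(json.dumps(run(FALCO_LINES, TETRAGON_LINES), indent=2))
```

Run it as-is to print the report for the constructed lines, or pass real Falco and Tetragon JSON lines to `run`. With the default `warning` threshold only `shop/web-7c9d` is reported (two Falco detections plus one Tetragon kill, status `enforced`); the observe-only `KPROBE_ACTION_POST` probe and the `Notice`-level shell alert are kept out on purpose, because mixing telemetry with kills hides the pods that actually need a responder. Lower the threshold to `notice` to see them as `detected_only`.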
Key takeaway
Falco for detection, Tetragon for enforcement. Neither replaces image scanning or admission control: runtime security is the last line of defence, so every alert or kill it produces is an incident to respond to, not background noise.