Static analysis and image scanning are not enough. Runtime security detects anomalies in running containers and processes.

Falco

Installation

```bash
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco
```
Custom rules

```yaml
# Both rules rely on the spawned_process and open_read macros from the default
# Falco ruleset, so load them alongside falco_rules.yaml. Falco also requires a
# desc field on every rule, which the flattened original omitted.
- rule: Crypto mining detected
  desc: A known crypto-miner binary was executed
  condition: spawned_process and proc.name in (xmrig, minerd)
  output: "Crypto miner detected (container=%container.name cmd=%proc.cmdline)"
  priority: CRITICAL

- rule: Sensitive file read
  desc: A credential file was opened for reading
  condition: open_read and fd.name in (/etc/shadow, /etc/passwd)
  output: "Sensitive file read (file=%fd.name container=%container.name)"
  priority: WARNING
```
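As an added example (not code from the original page or the Falco project), a small consumer of the JSON alerts Falco emits with `-o json_output=true`, filtering on Falco's priority scale and aggregating hits per container for the two rules above; the sample alerts, container names and command lines are constructed for this example.

```python
import json
from collections import defaultdict

# Falco's priority levels, most severe first.
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
RANK = {p: i for i, p in enumerate(PRIORITIES)}

# Constructed sample in the shape Falco emits with -o json_output=true
# (container names and command lines are made up for this example).
SAMPLE_ALERTS = "\n".join([
    json.dumps({"rule": "Crypto mining detected", "priority": "Critical",
                "output": "Crypto miner detected (container=web-1 cmd=xmrig -o pool:3333)",
                "output_fields": {"container.name": "web-1",
                                  "proc.cmdline": "xmrig -o pool:3333"}}),
    json.dumps({"rule": "Sensitive file read", "priority": "Warning",
                "output": "Sensitive file read (file=/etc/shadow container=web-1)",
                "output_fields": {"fd.name": "/etc/shadow", "container.name": "web-1"}}),
    json.dumps({"rule": "Sensitive file read", "priority": "Warning",
                "output": "Sensitive file read (file=/etc/passwd container=api-2)",
                "output_fields": {"fd.name": "/etc/passwd", "container.name": "api-2"}}),
    "not json at all",  # a corrupted line a consumer must tolerate, not crash on
])


def parse_alerts(text):
    """Parse newline-delimited Falco JSON alerts, skipping lines that are not valid alerts."""
    alerts = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: drop it, keep consuming the stream
        if isinstance(event, dict) and event.get("priority") in RANK and "rule" in event:
            alerts.append(event)
    return alerts


def at_least(alerts, threshold):
    """Alerts at least as severe as `threshold` (lower rank index = more severe)."""
    return [a for a in alerts if RANK[a["priority"]] <= RANK[threshold]]


def per_container(alerts):
    """Count rule hits per container using the structured output_fields,
    not a regex over the free-text output string."""
    summary = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        container = a.get("output_fields", {}).get("container.name", "host")
        summary[container][a["rule"]] += 1
    return {c: dict(rules) for c, rules in summary.items()}
```

Run `parse_alerts` over the stream from `falco -o json_output=true` (or the file Falco writes), then feed `at_least(alerts, "Critical")` to whatever paging or response pipeline you use.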
Tetragon (eBPF based)

Installation

```bash
# The cilium chart repository must be added before the chart can be installed.
helm repo add cilium https://helm.cilium.io
helm install tetragon cilium/tetragon -n kube-system
```

Policy: block unwanted syscalls

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-privileged-syscalls
spec:
  kprobes:
  - call: __x64_sys_ptrace
    syscall: true
    # A selector with only matchActions matches every caller, so any process
    # on the node that enters ptrace is killed, debuggers included. Narrow it
    # with matchBinaries or matchNamespaces before rolling out cluster-wide.
    selectors:
    - matchActions:
      - action: Sigkill
```

Key takeaway

Falco for detection, Tetragon for enforcement. Runtime security is the last line of defense.