How does this skill detect container escapes?

It utilizes runtime monitoring rules for Falco to identify suspicious syscalls, unauthorized capability gains, and writes to sensitive host filesystems like /etc/passwd.

Can I use this for Kubernetes threat hunting?

Absolutely. The skill includes structured jq queries for Kubernetes audit logs to help you find existing pods running with elevated permissions or hostPath volumes.

Does this skill include OPA Gatekeeper policies?

Yes, it provides specific Rego policy templates to block dangerous capabilities such as SYS_ADMIN, SYS_PTRACE, and privileged mode during the admission phase.

Is it compatible with Pod Security Admission?

Yes, it covers the configuration of the built-in Kubernetes Pod Security Admission controller at the 'restricted' level for production environments.

Kubernetes Privilege Escalation Detection

Name: Kubernetes Privilege Escalation Detection
Author: mukul975

bymukul975

•

4,121

•

Seguridad y Pruebas

Detects and prevents privilege escalation in Kubernetes pods by monitoring security contexts, capabilities, and runtime patterns using Falco and OPA.

This specialized cybersecurity skill provides AI-driven guidance for securing Kubernetes clusters against container breakouts and unauthorized permission elevation. It enables developers and security teams to implement robust defense-in-depth strategies, ranging from pre-deployment admission control with OPA Gatekeeper to real-time threat detection with Falco rules. By analyzing security contexts, Linux capabilities, and syscall patterns, the skill helps identify high-risk configurations like privileged mode, host network access, and dangerous RBAC permissions before they can be exploited.

Características Principales

014,121 GitHub stars

02OPA Gatekeeper Rego policies for capability blocking

03Security context investigation and forensic playbooks

04Falco runtime rules for detecting setuid binary execution

05Pod Security Admission (PSA) enforcement templates

06Kubernetes audit log analysis for RBAC escalation

Casos de Uso

01Investigating security incidents involving suspicious container behavior

02Hardening production Kubernetes namespaces against container escapes

03Threat hunting for misconfigured pods with root or host-level access

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-privilege-escalation-in-kubernetes-pods

For use in Claude.ai and ChatGPT

Características Principales

014,121 GitHub stars

02OPA Gatekeeper Rego policies for capability blocking

03Security context investigation and forensic playbooks

04Falco runtime rules for detecting setuid binary execution

05Pod Security Admission (PSA) enforcement templates

06Kubernetes audit log analysis for RBAC escalation

Casos de Uso

01Investigating security incidents involving suspicious container behavior

02Hardening production Kubernetes namespaces against container escapes

03Threat hunting for misconfigured pods with root or host-level access

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills detecting-privilege-escalation-in-kubernetes-pods

For use in Claude.ai and ChatGPT