Embed badge
Show
Style
[](https://versuz.dev/skills/jmagly-aiwg-plugins-forensics-skills-container-forensics)Free SKILL.md scraped from GitHub. Clone the repo or copy the file directly into your Claude Code skills directory.
npx versuz@latest install jmagly-aiwg-plugins-forensics-skills-container-forensicsgit clone https://github.com/jmagly/aiwg.gitcp aiwg/SKILL.MD ~/.claude/skills/jmagly-aiwg-plugins-forensics-skills-container-forensics/SKILL.md---
namespace: aiwg
name: container-forensics
description: "Forensic investigation of Docker, containerd/CRI-O, and Kubernetes — inventory, escape detection, eBPF runtime monitoring, RBAC and etcd audit. Use when investigating container compromise."
tools: Bash, Read, Write, Glob, Grep
platforms: [all]
---
# container-forensics
Investigates containerized environments for signs of compromise, misconfiguration, or container escape. Covers standalone Docker hosts and Kubernetes clusters. Produces a structured findings document with severity tagging.
## Triggers
Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):
- "Falco" / "Tetragon" / "Tracee" → eBPF runtime monitoring tools
- "dive" → Docker image layer analysis
- "crictl" → containerd/CRI-O environment forensics
- "escape" → container escape investigation
## Purpose
Container environments introduce unique attack surfaces: privileged containers, host namespace access, writable image layers, and overpermissioned service accounts. Standard host forensics misses these vectors. This skill applies container-aware investigation procedures and maps findings to MITRE ATT&CK for Containers.
## Behavior
When triggered, this skill:
1. **Detect environment type**:
- Check for Docker: `docker info 2>/dev/null`
- Check for Kubernetes: `kubectl cluster-info 2>/dev/null` or presence of `/var/run/secrets/kubernetes.io/`
- Check for containerd-only (no Docker): `ctr version 2>/dev/null`
- Check for CRI-O or containerd via CRI: `crictl version 2>/dev/null`
- Determine if running inside a container: check for `/.dockerenv`, inspect cgroup paths
2. **Container inventory and privilege audit**:
- List all containers (running and stopped): `docker ps -a --format '{{json .}}'`
- For containerd/CRI-O environments: `crictl pods` and `crictl ps -a`
- Inspect individual containers: `crictl inspect <id>` (equivalent of `docker inspect`)
- List images on CRI nodes: `crictl images` and `crictl inspecti <image-id>`
- Pull container logs via CRI: `crictl logs <container-id>`
- Flag containers with dangerous flags:
- `--privileged`: `docker inspect <id> | jq '.[].HostConfig.Privileged'`
- Host network mode: `NetworkMode == "host"`
- Host PID namespace: `PidMode == "host"`
- Dangerous capability additions: `CapAdd` containing `SYS_ADMIN`, `NET_ADMIN`, `SYS_PTRACE`
- Enumerate bind mounts of sensitive host paths (`/`, `/etc`, `/var/run/docker.sock`, `/proc`, `/sys`)
3. **Docker — image verification**:
- List all local images with digests: `docker images --digests`
- Check image provenance: compare `RepoDigests` against expected registry
- Flag images tagged `latest` without a pinned digest
- Inspect image build history for suspicious `RUN` layers: `docker history --no-trunc <image>`
- Check for images not associated with any running or stopped container (orphaned images)
4. **Image layer analysis with dive**:
- Run `dive <image> --ci` for non-interactive efficiency and layer summary
- Identify layers that delete files immediately after downloading them (evidence wiping pattern)
- Flag layers installing unexpected tooling (`curl`, `nc`, `nmap`, `socat`, `python`)
- Identify unusually large layers inconsistent with the image's declared purpose
- Check for world-writable permissions set in later layers after a trusted base image
5. **Docker — volume and filesystem inspection**:
- List named volumes: `docker volume ls`
- Inspect volumes mounted into containers for sensitive data paths
- Examine container overlay filesystem changes: `docker diff <container_id>`
- Flag containers with writable root filesystems where `ReadonlyRootfs` is false
6. **Docker — socket and API exposure**:
- Check if Docker socket is bind-mounted into any container — this grants effective root on the host
- Check for TCP Docker API exposure: `ss -tlnp | grep ':2375\|:2376'`
- Review Docker daemon configuration: `/etc/docker/daemon.json`
7. **Container escape indicators**:
- Processes running in container namespaces that share host PID/network: compare namespace inodes in `/proc/1/ns/` vs `/proc/<container-pid>/ns/`
- Unexpected cgroup escape patterns in `/proc/<pid>/cgroup`
- Files written to host paths from within container overlay mounts
- `runc` or `containerd-shim` process anomalies in host process tree
8. **eBPF runtime monitoring**:
- Check for Falco service and alert logs: `journalctl -u falco` and `/var/log/falco.log`
- Review active Falco rules for coverage gaps (shell-in-container, outbound connections, writes below root)
- Collect Tetragon execution traces via `kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon` or `tetra getevents`
- Review active Tetragon `TracingPolicy` resources: `kubectl get tracingpolicies -A`
- Collect Tracee event logs from container or systemd deployment
- If no eBPF tooling was active during the incident, document this gap in the findings
9. **Kubernetes — cluster-level audit**:
- List all pods across all namespaces: `kubectl get pods -A -o json`
- Flag pods running as root: `.spec.containers[].securityContext.runAsUser == 0` or unset
- Flag pods with `hostPID`, `hostNetwork`, or `hostIPC` set to true
- Flag pods mounting the Docker socket or host paths
- List privileged containers across the cluster
10. **Kubernetes — RBAC audit**:
- List ClusterRoleBindings granting `cluster-admin`: `kubectl get clusterrolebindings -o json | jq '...'`
- Identify service accounts with wildcard permissions or `*` verbs on sensitive resources
- Check for default service account token automounting: `automountServiceAccountToken: true`
- List RoleBindings in high-value namespaces (kube-system, kube-public)
11. **Kubernetes — pod security and network policy**:
- Check for absent NetworkPolicies (pods with unrestricted egress/ingress)
- Review PodSecurityAdmission or OPA/Gatekeeper policy coverage
- List nodes and check for unauthorized node additions: `kubectl get nodes -o wide`
12. **etcd security audit** (Kubernetes control-plane only):
- Verify etcd is not listening on a non-loopback address: `ps aux | grep etcd | grep listen-client-urls`
- Confirm `--client-cert-auth=true` is set in the etcd process flags
- Check for encryption-at-rest configuration in the API server manifest (`--encryption-provider-config`)
- List etcd client certificates in `/etc/kubernetes/pki/etcd/` and flag any unexpected certs
- Take a read-only snapshot with `etcdctl snapshot save` for offline analysis
- Enumerate etcd key paths for secrets and serviceaccount tokens using `etcdctl get / --prefix --keys-only`
13. **K8s API server audit log analysis** (if audit logging is enabled):
- Locate audit log path from `kube-apiserver.yaml` (`--audit-log-path`)
- Summarize request activity by user and verb to identify outliers
- Detect anonymous (`system:anonymous`) API calls to non-public endpoints
- Flag ServiceAccount tokens used outside their home namespace
- Identify bulk `list`/`get` on `secrets` resources (credential harvesting pattern)
- Flag `exec` subresource calls from non-operator users during the incident window
- Detect rapid `create`/`delete` sequences on the same resource (attacker covering tracks)
14. **Write findings document**:
- Save to `.aiwg/forensics/findings/container-forensics.md`
- Group by: Docker/containerd findings, eBPF runtime events, Kubernetes findings, etcd/API server findings, escape indicators
- Tag each finding: INFO, SUSPICIOUS, MALICIOUS
## Usage Examples
### Example 1 — Docker host
```
docker investigation
```
Audits the local Docker daemon.
### Example 2 — Kubernetes cluster
```
kubernetes forensics
```
Requires `kubectl` configured with appropriate credentials.
### Example 3 — Inside a container
```
container forensics
```
Detects the container context and adjusts collection accordingly.
## Output Locations
- Findings: `.aiwg/forensics/findings/container-forensics.md`
- Raw Docker inspection: `.aiwg/forensics/evidence/docker-inspect.json`
- crictl inspection output: `.aiwg/forensics/evidence/crictl-inspect.json`
- K8s pod manifest dump: `.aiwg/forensics/evidence/k8s-pods.json`
- Falco alert log: `.aiwg/forensics/evidence/falco-alerts.log`
- Tetragon events: `.aiwg/forensics/evidence/tetragon-events.json`
- Tracee events: `.aiwg/forensics/evidence/tracee-events.json`
- etcd snapshot: `.aiwg/forensics/evidence/etcd-snapshot-<timestamp>.db`
- K8s API server audit log (copy): `.aiwg/forensics/evidence/k8s-audit.log`
## Configuration
```yaml
container_forensics:
dangerous_capabilities:
- SYS_ADMIN
- NET_ADMIN
- SYS_PTRACE
- SYS_MODULE
sensitive_host_paths:
- /
- /etc
- /var/run/docker.sock
- /proc
- /sys
- /root
high_value_namespaces:
- kube-system
- kube-public
- default
```
## References
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Detect environment type (Docker, containerd, Kubernetes) before applying collection procedures
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/non-destructive.md — Do not stop or remove containers until all artifacts are collected and hashed
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate immediately when container escape, Docker socket exposure, or privileged escape is confirmed
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Hash container logs and filesystem exports immediately after collection
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/linux-forensics/SKILL.md — Investigate the underlying host after container forensics; container escapes leave traces on the host