Container Runtime
Enrich security events with rich container metadata by connecting Jibril to container runtimes. Track which containers trigger security events, correlate activity with specific images, and gain deep visibility into containerized workloads.
What is Container Enrichment?
When enabled, Jibril automatically connects to available container runtimes (Docker, containerd) and enriches every security event with detailed container context. This transforms basic process-level events into container-aware security intelligence.
Without container runtime enrichment:
{
"uuid": "24491ba5d7bd2f091fdb326d4e35d6d9816437110d6238a080ae4e492d3df12b",
"timestamp": "2025-12-22T04:43:50Z",
"note": "file_example_blergh",
"metadata": {
"kind": "file_example",
"name": "file_example_blergh",
"format": "file_access",
"version": "1.0",
"description": "Detect access magic files as an example",
"importance": "high",
"documentation": "https://garnet.gitbook.io/jibril/detections/file-access/file_example",
"tactic": "example",
"technique": "example",
"subtechnique": "example"
},
"background": {
"files": {
"root": {
"path": "/",
"dirs": [
{
"path": "/bin",
"base": "bin",
"files": [
{
"path": "/bin/busybox",
"base": "busybox",
"actions": ["mmap", "open", "close", "execve"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 808712,
"access": "2025-08-05 16:40:33",
"change": "2025-08-05 16:40:33",
"creation": "2025-11-19 15:52:22"
}
}
]
},
{
"path": "/lib",
"base": "lib",
"files": [
{
"path": "/lib/ld-musl-x86_64.so.1",
"base": "ld-musl-x86_64.so.1",
"actions": ["mmap", "open", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 662120,
"access": "2025-03-05 08:32:04",
"change": "2025-03-05 08:32:04",
"creation": "2025-11-19 15:52:22"
}
}
]
},
{
"path": "/tmp",
"base": "tmp",
"files": [
{
"path": "/tmp/blergh",
"base": "blergh",
"actions": ["open", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 0,
"access": "2025-12-22 04:43:48",
"change": "2025-12-22 04:43:48",
"creation": "2025-12-22 04:43:48"
}
}
]
}
]
}
},
"ancestry": [
{
"start": "2025-12-03T13:37:21-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 1,
"ppid": 0,
"comm": "systemd",
"cmd": "systemd",
"exe": "/usr/lib/systemd/systemd",
"args": "/usr/lib/systemd/systemd --switched-root --system --deserialize=50",
"envs": "BOOT_IMAGE=/vmlinuz-linux-lts COLUMNS=80 LINES=25 TERM=linux",
"namespaces": {
"mnt_ns": 4026531841,
"pid_ns": 4026531836,
"uts_ns": 4026531838,
"ipc_ns": 4026531839,
"net_ns": 4026531840,
"cgroup_ns": 4026531835
}
},
{
"start": "2025-12-22T01:43:39-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 312572,
"ppid": 1,
"comm": "containerd-shim",
"cmd": "containerd-shim-runc-v2",
"exe": "/usr/bin/containerd-shim-runc-v2",
"args": "/usr/bin/containerd-shim-runc-v2 -namespace moby -id 5807c62dead463790053e50e7b8e92da91e009fcb971b57de1d89472ad03bee9 -address /run/containerd/containerd.sock",
"envs": "LANG=en_US.UTF-8 PATH=/opt/containerd/bin:/usr/local/sbin:/usr/local/bin:/usr/bin USER=*** INVOCATION_ID=*** JOURNAL_STREAM=9:31036891 SYSTEMD_EXEC_PID=*** LD_LIBRARY_PATH=/opt/containerd/lib: MAX_SHIM_VERSION=2 TTRPC_ADDRESS=/run/containerd/containerd.sock.ttrpc GRPC_ADDRESS=/run/containerd/containerd.sock NAMESPACE=moby GOMAXPROCS=4 OTEL_SERVICE_NAME=containerd-shim-5807c62dead463790053e50e7b8e92da91e009fcb971b57de1d89472ad03bee9",
"namespaces": {
"mnt_ns": 4026531841,
"pid_ns": 4026531836,
"uts_ns": 4026531838,
"ipc_ns": 4026531839,
"net_ns": 4026531840,
"cgroup_ns": 4026531835
}
},
{
"start": "2025-12-22T01:43:39-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 312595,
"ppid": 312572,
"comm": "sh",
"cmd": "busybox",
"exe": "/bin/busybox",
"args": "/bin/sh",
"envs": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=5807c62dead4 TERM=xterm HOME=/root",
"namespaces": {
"mnt_ns": 4026532530,
"pid_ns": 4026532653,
"uts_ns": 4026532651,
"ipc_ns": 4026532652,
"net_ns": 4026532655,
"cgroup_ns": 4026532654
}
},
{
"start": "2025-12-22T01:43:48-03:00",
"exit": "2025-12-22T01:43:48-03:00",
"retcode": 0,
"uid": 0,
"pid": 312701,
"ppid": 312595,
"comm": "touch",
"cmd": "busybox",
"exe": "/bin/busybox",
"args": "touch /tmp/blergh",
"envs": "HOSTNAME=5807c62dead4 SHLVL=1 HOME=/root TERM=xterm PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PWD=/",
"namespaces": {
"mnt_ns": 4026532530,
"pid_ns": 4026532653,
"uts_ns": 4026532651,
"ipc_ns": 4026532652,
"net_ns": 4026532655,
"cgroup_ns": 4026532654
}
}
]
},
"file": {
"path": "/tmp/blergh",
"dir": "/tmp",
"basename": "blergh",
"type": "regular",
"owner": {
"uid": 0,
"gid": 0
},
"actions": {
"actions": ["open", "close"],
"open": true,
"read": false,
"write": false,
"exec": false,
"create": false,
"unlink": false,
"rename": false,
"link": false,
"truncate": false,
"fsync": false,
"flock": false,
"mmap": false,
"close": true,
"async": false,
"seek": false
},
"permissions": {
"mode": "rw-r--r--",
"owner_read": true,
"owner_write": true,
"owner_exec": false,
"group_read": true,
"group_write": false,
"group_exec": false,
"other_read": true,
"other_write": false,
"other_exec": false
},
"special": {
"setuid": false,
"setgid": false,
"sticky": false
},
"metadata": {
"size": 0,
"access": "2025-12-22 04:43:48",
"change": "2025-12-22 04:43:48",
"creation": "2025-12-22 04:43:48"
}
}
}
With container runtime enrichment (note that in this example container02 runs with "network_mode": "container", sharing container01's network namespace: both containers report the same net_ns, which is why net_namespace_ids lists both containers while the other namespace lists name only container02):
{
"uuid": "647ae24454a55b0dfea8369a4fc2847f3f953c3638f3c510bd9550f3cee6fe46",
"timestamp": "2025-12-22T04:46:03Z",
"note": "file_example_blergh",
"metadata": {
"kind": "file_example",
"name": "file_example_blergh",
"format": "file_access",
"version": "1.0",
"description": "Detect access magic files as an example",
"importance": "high",
"documentation": "https://garnet.gitbook.io/jibril/detections/file-access/file_example",
"tactic": "example",
"technique": "example",
"subtechnique": "example"
},
"background": {
"files": {
"root": {
"path": "/",
"dirs": [
{
"path": "/etc",
"base": "etc",
"files": [
{
"path": "/etc/ld.so.cache",
"base": "ld.so.cache",
"actions": ["mmap", "open", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 5067,
"access": "2025-07-14 14:14:42",
"change": "2025-07-14 14:14:42",
"creation": "2025-07-20 15:48:35"
}
}
]
},
{
"path": "/tmp",
"base": "tmp",
"files": [
{
"path": "/tmp/blergh",
"base": "blergh",
"actions": ["open", "close"],
"mode": "rw-r--r--",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 0,
"access": "2025-12-22 04:45:58",
"change": "2025-12-22 04:45:58",
"creation": "2025-12-22 04:45:58"
}
}
]
},
{
"path": "/usr",
"base": "usr",
"dirs": [
{
"path": "/usr/bin",
"base": "bin",
"files": [
{
"path": "/usr/bin/touch",
"base": "touch",
"actions": ["mmap", "open", "close", "execve"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 96776,
"access": "2024-04-05 14:36:57",
"change": "2024-04-05 14:36:57",
"creation": "2025-07-20 15:48:35"
}
}
]
},
{
"path": "/usr/lib",
"base": "lib",
"dirs": [
{
"path": "/usr/lib/x86_64-linux-gnu",
"base": "x86_64-linux-gnu",
"files": [
{
"path": "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2",
"base": "ld-linux-x86-64.so.2",
"actions": ["mmap", "open", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 236616,
"access": "2025-07-09 16:47:47",
"change": "2025-07-09 16:47:47",
"creation": "2025-07-20 15:48:35"
}
},
{
"path": "/usr/lib/x86_64-linux-gnu/libc.so.6",
"base": "libc.so.6",
"actions": ["mmap", "open", "read", "close"],
"mode": "rwxr-xr-x",
"owner": {
"uid": 0,
"gid": 0
},
"metadata": {
"size": 2125328,
"access": "2025-07-09 16:47:47",
"change": "2025-07-09 16:47:47",
"creation": "2025-07-20 15:48:35"
}
}
]
}
]
}
]
}
]
}
},
"containers": {
"mnt_namespace_ids": [
{
"name": "container02",
"id": "edb9fc55e05b"
}
],
"pid_namespace_ids": [
{
"name": "container02",
"id": "edb9fc55e05b"
}
],
"uts_namespace_ids": [
{
"name": "container02",
"id": "edb9fc55e05b"
}
],
"ipc_namespace_ids": [
{
"name": "container02",
"id": "edb9fc55e05b"
}
],
"net_namespace_ids": [
{
"name": "container01",
"id": "c774b50ffced"
},
{
"name": "container02",
"id": "edb9fc55e05b"
}
],
"cgroup_namespace_ids": [
{
"name": "container02",
"id": "edb9fc55e05b"
}
],
"containers": [
{
"id": "edb9fc55e05b",
"name": "container02",
"hostname": "c774b50ffced",
"image_id": "65ae7a6f3544",
"image": "ubuntu",
"version": "24.04",
"runtime": "runc",
"driver": "overlay2",
"pid": 314274,
"status": "running",
"is_attached": true,
"path": "/bin/bash",
"cwd": "/",
"created_at": "2025-12-22 04:45:52",
"started_at": "2025-12-22 04:45:52",
"finished_at": "0001-01-01 00:00:00",
"mounts": [
{
"source": "proc",
"destination": "/proc",
"type": "proc"
},
{
"source": "tmpfs",
"destination": "/dev",
"type": "tmpfs"
},
{
"source": "devpts",
"destination": "/dev/pts",
"type": "devpts"
},
{
"source": "sysfs",
"destination": "/sys",
"type": "sysfs"
},
{
"source": "cgroup",
"destination": "/sys/fs/cgroup",
"type": "cgroup"
},
{
"source": "mqueue",
"destination": "/dev/mqueue",
"type": "mqueue"
},
{
"source": "shm",
"destination": "/dev/shm",
"type": "tmpfs"
},
{
"source": "/var/lib/docker/containers/c774b50ffced7d07e1d1e01b608ed8ca5d2658d4a0383b1c49631c0e2749a188/resolv.conf",
"destination": "/etc/resolv.conf",
"type": "bind"
},
{
"source": "/var/lib/docker/containers/c774b50ffced7d07e1d1e01b608ed8ca5d2658d4a0383b1c49631c0e2749a188/hostname",
"destination": "/etc/hostname",
"type": "bind"
},
{
"source": "/var/lib/docker/containers/c774b50ffced7d07e1d1e01b608ed8ca5d2658d4a0383b1c49631c0e2749a188/hosts",
"destination": "/etc/hosts",
"type": "bind"
}
],
"network_mode": "container",
"cgroupns_mode": "private",
"ipc_mode": "private",
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"cmd": ["/bin/bash"],
"namespaces": {
"mnt_ns": 4026532716,
"pid_ns": 4026532719,
"uts_ns": 4026532717,
"ipc_ns": 4026532718,
"net_ns": 4026532655,
"cgroup_ns": 4026532720
}
},
{
"id": "c774b50ffced",
"name": "container01",
"hostname": "c774b50ffced",
"image_id": "706db57fb206",
"image": "alpine:latest",
"runtime": "runc",
"driver": "overlay2",
"pid": 314138,
"status": "running",
"is_attached": true,
"path": "/bin/sh",
"cwd": "/",
"created_at": "2025-12-22 04:45:45",
"started_at": "2025-12-22 04:45:45",
"finished_at": "0001-01-01 00:00:00",
"mounts": [
{
"source": "proc",
"destination": "/proc",
"type": "proc"
},
{
"source": "tmpfs",
"destination": "/dev",
"type": "tmpfs"
},
{
"source": "devpts",
"destination": "/dev/pts",
"type": "devpts"
},
{
"source": "sysfs",
"destination": "/sys",
"type": "sysfs"
},
{
"source": "cgroup",
"destination": "/sys/fs/cgroup",
"type": "cgroup"
},
{
"source": "mqueue",
"destination": "/dev/mqueue",
"type": "mqueue"
},
{
"source": "shm",
"destination": "/dev/shm",
"type": "tmpfs"
},
{
"source": "/var/lib/docker/containers/c774b50ffced7d07e1d1e01b608ed8ca5d2658d4a0383b1c49631c0e2749a188/resolv.conf",
"destination": "/etc/resolv.conf",
"type": "bind"
},
{
"source": "/var/lib/docker/containers/c774b50ffced7d07e1d1e01b608ed8ca5d2658d4a0383b1c49631c0e2749a188/hostname",
"destination": "/etc/hostname",
"type": "bind"
},
{
"source": "/var/lib/docker/containers/c774b50ffced7d07e1d1e01b608ed8ca5d2658d4a0383b1c49631c0e2749a188/hosts",
"destination": "/etc/hosts",
"type": "bind"
}
],
"network_mode": "bridge",
"cgroupns_mode": "private",
"ipc_mode": "private",
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"cmd": ["/bin/sh"],
"namespaces": {
"mnt_ns": 4026532530,
"pid_ns": 4026532653,
"uts_ns": 4026532651,
"ipc_ns": 4026532652,
"net_ns": 4026532655,
"cgroup_ns": 4026532654
}
}
]
},
"ancestry": [
{
"start": "2025-12-03T13:37:21-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 1,
"ppid": 0,
"comm": "systemd",
"cmd": "systemd",
"exe": "/usr/lib/systemd/systemd",
"args": "/usr/lib/systemd/systemd --switched-root --system --deserialize=50",
"envs": "BOOT_IMAGE=/vmlinuz-linux-lts COLUMNS=80 LINES=25 TERM=linux",
"namespaces": {
"mnt_ns": 4026531841,
"pid_ns": 4026531836,
"uts_ns": 4026531838,
"ipc_ns": 4026531839,
"net_ns": 4026531840,
"cgroup_ns": 4026531835
}
},
{
"start": "2025-12-22T01:45:52-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 314251,
"ppid": 1,
"comm": "containerd-shim",
"cmd": "containerd-shim-runc-v2",
"exe": "/usr/bin/containerd-shim-runc-v2",
"args": "/usr/bin/containerd-shim-runc-v2 -namespace moby -id edb9fc55e05befdab09bc684c86bd3b7a3305cb146ec2a93feae428323f2f85e -address /run/containerd/containerd.sock",
"envs": "LANG=en_US.UTF-8 PATH=/opt/containerd/bin:/usr/local/sbin:/usr/local/bin:/usr/bin USER=*** INVOCATION_ID=*** JOURNAL_STREAM=9:31036891 SYSTEMD_EXEC_PID=*** LD_LIBRARY_PATH=/opt/containerd/lib: MAX_SHIM_VERSION=2 TTRPC_ADDRESS=/run/containerd/containerd.sock.ttrpc GRPC_ADDRESS=/run/containerd/containerd.sock NAMESPACE=moby GOMAXPROCS=4 OTEL_SERVICE_NAME=containerd-shim-edb9fc55e05befdab09bc684c86bd3b7a3305cb146ec2a93feae428323f2f85e",
"namespaces": {
"mnt_ns": 4026531841,
"pid_ns": 4026531836,
"uts_ns": 4026531838,
"ipc_ns": 4026531839,
"net_ns": 4026531840,
"cgroup_ns": 4026531835
}
},
{
"start": "2025-12-22T01:45:52-03:00",
"exit": "running",
"retcode": 0,
"uid": 0,
"pid": 314274,
"ppid": 314251,
"comm": "bash",
"cmd": "bash",
"exe": "/usr/bin/bash",
"args": "/bin/bash",
"envs": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=c774b50ffced TERM=xterm HOME=/root",
"namespaces": {
"mnt_ns": 4026532716,
"pid_ns": 4026532719,
"uts_ns": 4026532717,
"ipc_ns": 4026532718,
"net_ns": 4026532655,
"cgroup_ns": 4026532720
}
},
{
"start": "2025-12-22T01:45:58-03:00",
"exit": "2025-12-22T01:45:58-03:00",
"retcode": 0,
"uid": 0,
"pid": 314353,
"ppid": 314274,
"comm": "touch",
"cmd": "touch",
"exe": "/usr/bin/touch",
"args": "touch /tmp/blergh",
"envs": "HOSTNAME=c774b50ffced PWD=/root HOME=/root LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:c TERM=xterm SHLVL=1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin OLDPWD=/ _=/usr/bin/touch",
"namespaces": {
"mnt_ns": 4026532716,
"pid_ns": 4026532719,
"uts_ns": 4026532717,
"ipc_ns": 4026532718,
"net_ns": 4026532655,
"cgroup_ns": 4026532720
}
}
]
},
"file": {
"path": "/tmp/blergh",
"dir": "/tmp",
"basename": "blergh",
"type": "regular",
"owner": {
"uid": 0,
"gid": 0
},
"actions": {
"actions": ["open", "close"],
"open": true,
"read": false,
"write": false,
"exec": false,
"create": false,
"unlink": false,
"rename": false,
"link": false,
"truncate": false,
"fsync": false,
"flock": false,
"mmap": false,
"close": true,
"async": false,
"seek": false
},
"permissions": {
"mode": "rw-r--r--",
"owner_read": true,
"owner_write": true,
"owner_exec": false,
"group_read": true,
"group_write": false,
"group_exec": false,
"other_read": true,
"other_write": false,
"other_exec": false
},
"special": {
"setuid": false,
"setgid": false,
"sticky": false
},
"metadata": {
"size": 0,
"access": "2025-12-22 04:45:58",
"change": "2025-12-22 04:45:58",
"creation": "2025-12-22 04:45:58"
}
}
}
Quick Start
1. Enable Enricher
# /etc/jibril/config.yaml
# Jibril feature list; adding "enricher" turns on container runtime enrichment.
features:
- enricher # Enable container runtime enrichment (no further options; runtimes are auto-detected)
2. Restart Jibril
# Systemd
sudo systemctl restart jibril
# Docker (restarts the container named "jibril")
docker restart jibril
# Command line (stops every process named jibril; only if that succeeds, start it again with the given config)
sudo killall jibril && sudo jibril --config /etc/jibril/config.yaml
That's it! Jibril will automatically detect and connect to available container runtimes.
Supported Runtimes
Jibril automatically detects and connects to these container runtimes:
Docker
Socket: /var/run/docker.sock
Automatically detected when:
- Docker daemon is running
- Socket is accessible to Jibril
Supported Docker versions:
- Docker Engine 20.10+
- Docker CE/EE
containerd
Socket: /run/containerd/containerd.sock
Automatically detected when:
- containerd daemon is running
- Socket is accessible to Jibril
Supported containerd versions:
- containerd 1.4+
- Used by Kubernetes (CRI)
Note: Jibril can connect to multiple runtimes simultaneously. If both Docker and containerd are available, both will be monitored.
Enriched Metadata
When enricher is enabled, security events include detailed container information:
Container Identity
- Container ID - Full and shortened (12 chars) container identifier
- Container Name - Human-readable container name
- Container Hostname - Internal hostname configured for the container
- Container State - Current state (running, paused, exited, etc.)
- Runtime Type - Which runtime manages this container (docker, containerd)
Image Information
- Image Name - Repository and tag (e.g., nginx:1.21-alpine)
- Image ID - Unique image identifier
- Image Digest - Content-addressable image hash (sha256)
- Image Version - Extracted version/tag information
Network Configuration
- Network Mode - bridge, host, none, or custom network
- IP Address - Container's IP address(es)
- MAC Address - Container's MAC address
- Port Bindings - Exposed ports and mappings
- DNS Configuration - DNS servers and search domains
Security Context
- Privileged Flag - Whether container runs in privileged mode
- Capabilities - Linux capabilities added or dropped
- User Namespace - User namespace configuration
- AppArmor Profile - AppArmor security profile applied
- SELinux Label - SELinux context label
- Seccomp Profile - Seccomp security profile
Resource Configuration
- CPU Limits - CPU quota and shares
- Memory Limits - Memory and swap limits
- PID Limits - Maximum number of processes
- Restart Policy - Container restart behavior
Storage Information
- Volume Mounts - All mounted volumes with source and destination
- Bind Mounts - Host path bind mounts
- Mount Types - Volume types (bind, volume, tmpfs)
- Storage Driver - Container storage driver (overlay2, aufs, etc.)
Labels and Metadata
- Container Labels - All user-defined labels
- Kubernetes Metadata - Pod name, namespace, deployment (if applicable)
- Annotations - Additional metadata annotations
- Environment Variables - Container environment configuration
Lifecycle Information
- Creation Time - When container was created
- Start Time - When container started running
- PID - Container's process ID on the host
- Exit Code - Exit code (for stopped containers)
Use Cases
Security Investigation
Scenario: Suspicious network activity detected
With enricher:
- Immediately identify which container is responsible
- Check if container is privileged
- Verify image source and version
- Review container labels for ownership
- Correlate with deployment metadata
Without enricher:
- Only see process ID and command
- Manual correlation with containers required
- Difficult to track across container restarts
Compliance & Audit
Requirements: Track privileged container usage
With enricher:
- Automatic logging of all privileged containers
- Full audit trail with container metadata
- Easy filtering by security settings
- Clear ownership via labels
Example detection:
# Alert on privileged container execution
# NOTE(review): the example event on this page carries container data under
# "background.containers" and shows no "privileged" key - confirm the field
# path against your own events before relying on this recipe.
- name: privileged_container_exec
match: container.privileged == true
Troubleshooting
Scenario: Application behaving unexpectedly
With enricher:
- Identify exact container and image version
- Check environment variables
- Verify volume mounts
- Review resource limits
- Check network configuration
Fast debugging:
- Filter events by container name
- Compare behavior across image versions
- Track configuration drift
Container Escape Detection
Threat: Container breakout attempts
With enricher:
- Detect when containerized process accesses host filesystem
- Identify privilege escalation in containers
- Track unexpected capability usage
- Monitor privileged operations from containers
Enhanced context:
- Know if escape originated from privileged container
- Identify vulnerable image versions
- Correlate with container configuration
Configuration
Enable Container Runtime Enrichment
# /etc/jibril/config.yaml
# Listing "enricher" under features is the only configuration step required.
features:
- enricher
No Additional Options Needed
The enricher feature has no configuration options. It automatically:
- Detects available container runtimes
- Connects to runtime sockets
- Maintains container inventory
- Enriches events transparently
Tip: The enricher is designed to be zero-configuration. Just enable it and it works.
Verification
Check if enricher is working correctly:
# Check logs for runtime detection (case-insensitive match on "enricher")
sudo journalctl -u jibril | grep -i enricher
# Expected log messages (sample output: one line per detected runtime, then the inventory size):
# "enricher: found docker runtime at /var/run/docker.sock"
# "enricher: found containerd runtime at /run/containerd/containerd.sock"
# "enricher: loaded 15 containers"
Verify Events are Enriched
# View enriched events (with jq); only tail runs under sudo, so jq itself stays unprivileged
sudo tail -f /var/log/jibril.out | jq 'select(.container != null)'
# Check for container metadata
sudo cat /var/log/jibril.out | jq '.container | select(. != null) | keys'
# Should show: ["id", "name", "image", "runtime", "privileged", ...]
# NOTE(review): the sample event earlier on this page nests this data under
# "background.containers" and shows no "privileged" key; confirm the path in
# your own output before using ".container" in filters.
Best Practices
Recommended
- Enable enricher in all containerized environments
- Use container labels for ownership tracking
- Filter events by container name/image in investigations
- Create detection recipes specific to container metadata
- Monitor privileged containers separately
- Track security events by image version
- Use enriched data for incident response
Limitations
- Only enriches events from containerized processes
- Requires access to runtime sockets
- Container metadata refresh: ~30 seconds
- Stopped containers retained for 5 minutes
- Very large container counts (>10k) may impact memory
- Runtime connection failures logged but non-fatal
Permissions
The enricher requires read access to container runtime sockets:
Docker Socket Permissions
# Jibril running as root (default)
# No additional permissions needed - root has access
# Jibril running as non-root service user
# NOTE: membership in the docker group grants full control of the Docker daemon,
# which is equivalent to root on the host - grant it only to the Jibril service
# account, and restart the service afterwards so the new group takes effect.
sudo usermod -aG docker jibril-user
containerd Socket Permissions
# Typically readable by root by default
ls -la /run/containerd/containerd.sock
# srw-rw---- 1 root root ... /run/containerd/containerd.sock
# (mode 660 owned by root:root: only root can connect; a non-root Jibril user would
#  need group access granted deliberately rather than a world-accessible socket)
Security Note: Jibril typically runs as root and already has access to runtime sockets. No additional permissions are needed in standard deployments. Anything that can talk to these sockets can control the runtime, which is root-equivalent on the host, so grant socket access only to the Jibril service account and never to a broad group or to all users.
Example Queries
With container enrichment enabled, you can create powerful queries. Note that the queries below address a top-level container object with fields such as privileged and labels, while the example event earlier on this page carries this data under background.containers and does not show those fields; check the shape of your own events and adjust the jq paths before relying on these filters.
Filter by Container Name
# Events whose container name is exactly "web-frontend" (cat runs under sudo, jq stays unprivileged)
sudo cat /var/log/jibril.out | jq 'select(.container | .name == "web-frontend")'
Find Privileged Container Activity
# High-severity events that originate from a privileged container
sudo cat /var/log/jibril.out | jq 'select((.severity == "high") and (.container.privileged == true))'
Track by Image Version
# Events from any image whose name begins with "nginx:1.21" (anchored regex, dot escaped)
sudo cat /var/log/jibril.out | jq 'select(.container.image | test("^nginx:1\\.21"))'
Kubernetes Pod Correlation
# Events whose pod-name label matches (bracket lookup because the label key contains dots)
sudo cat /var/log/jibril.out | jq 'select(.container.labels["io.kubernetes.pod.name"] == "frontend-7d9f8")'
Kubernetes Environments
In Kubernetes clusters, the enricher provides additional value:
Kubernetes-specific metadata includes:
- Pod Name - From the io.kubernetes.pod.name label
- Pod Namespace - From the io.kubernetes.pod.namespace label
- Pod UID - From the io.kubernetes.pod.uid label
- Container Name - From the io.kubernetes.container.name label
- Deployment/ReplicaSet - Via label selectors
- Service Account - Kubernetes service account information
Example:
{
"container": {
"name": "k8s_frontend_web-app-7d9f8_default_abc123_0",
"labels": {
"io.kubernetes.pod.name": "web-app-7d9f8",
"io.kubernetes.pod.namespace": "default",
"io.kubernetes.container.name": "frontend",
"app": "web-app"
}
}
}
Runtime Considerations
Docker
Connection method: Docker API via Unix socket
Performance:
- Fast metadata retrieval via Docker API
- Efficient container inventory updates
- Supports Docker Compose and Swarm
Features:
- Full Docker-specific metadata
- Network bridge information
- Volume driver details
containerd
Connection method: containerd API via Unix socket
Performance:
- Optimized for Kubernetes CRI
- Lower overhead than Docker daemon
- Direct container metadata access
Features:
- CRI-specific metadata
- Kubernetes pod information
- Namespace isolation details
Troubleshooting
Enricher Not Loading
Symptoms: No container metadata in events
Checks:
# Verify enricher is enabled (the features list should contain "enricher")
sudo cat /etc/jibril/config.yaml | grep enricher
# Check for runtime sockets (at least one must exist and be reachable by Jibril)
ls -la /var/run/docker.sock
ls -la /run/containerd/containerd.sock
# Check Jibril logs (the \| alternation matches lines containing either word, case-insensitively)
sudo journalctl -u jibril | grep -i "enricher\|runtime"
Solutions:
- Ensure at least one runtime is installed and running
- Verify socket permissions
- Check Jibril has root privileges
Container Metadata Missing
Symptoms: Some containers not enriched
Possible causes:
- Container created after Jibril started (wait ~30 seconds for inventory refresh)
- Container in different namespace or runtime
- Runtime API timeout or error
Solutions:
# Restart Jibril to rebuild inventory (otherwise the inventory refreshes on its ~30 second cycle)
sudo systemctl restart jibril
# Check runtime logs for API errors on the daemon side
sudo journalctl -u docker
sudo journalctl -u containerd
Permission Denied
Symptoms: Cannot connect to runtime socket
Error logs:
error: failed to connect to docker: permission denied
Solution:
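# Verify Jibril runs as root
ps aux | grep jibril
# Check socket permissions
ls -la /var/run/docker.sock
# Ensure jibril has access: if it runs as a non-root service user, add that user to the
# socket's group rather than widening the socket mode. A world-writable Docker socket
# (chmod 666) lets every local user control the daemon, which is root-equivalent on the
# host, so it is not an acceptable fix even temporarily. Restart the service afterwards
# so the new group membership takes effect.
sudo usermod -aG docker jibril-user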
Monitoring Enricher Health
# Check container inventory size (fixed-string match on the inventory log line)
sudo journalctl -u jibril | grep -F 'enricher: loaded'
# Expected output:
# enricher: loaded 42 containers
# Monitor runtime connection status (follow the journal, keep lines mentioning "runtime")
sudo journalctl -u jibril --follow | grep -F 'runtime'