Consul Falco Rules

Consul is a service networking solution to connect and secure services across any runtime platform and public or private cloud

Unexpected inbound tcp connection consul

Detects inbound network connections to consul on unexpected ports

Allowed inbound ports:

  • 8300
  • 8301
  • 8302
  • 8500
  • 8600

Unexpected spawned process consul

Detects an unexpected process spawned in the consul container

Allowed processes:

  • consul
  • sh
  • exe
  • awk
  • ping
  • seq
  • sleep

Unexpected system calls in consul container

Detects an unexpected system call executed in the consul container

Allowed system calls:

  • accept
  • bind
  • clone
  • connect
  • dup
  • execve
  • fork
  • listen
  • mkdirat
  • open
  • openat
  • pipe
  • procexit
  • recvfrom
  • recvmsg
  • sendto
  • socket
  • unlinkat

Unexpected file access readwrite for apache

Detects an attempt to open a file for writing outside the expected list of directory prefixes

Allowed file prefixes for readwrite:

  • /dev
  • /var/lib/consul

Rules