HAProxy Falco Rules

HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high-traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de facto standard open-source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.

Unauthorized inbound tcp connection haproxy

Detects inbound network connections to haproxy on unexpected ports

Allowed ports:

  • 80
  • 443
  • 1936

Unexpected spawned process haproxy

Detects an unexpected process spawned in the haproxy container

Allowed processes:

  • haproxy

Unexpected file read by haproxy

Detects an attempt by haproxy to open a file read-only outside an expected list of path prefixes

Allowed file prefixes for readonly:

  • /etc
  • /lib/x86_64-linux-gnu
  • /proc/sys/kernel
  • /sys/devices/system/cpu
  • /usr/lib/x86_64-linux-gnu

Unexpected file written by haproxy

Detects an attempt by haproxy to open a file for writing outside an expected list of path prefixes

Allowed file prefixes for readwrite:

  • /var/log/haproxy
  • /var/run
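The four detections above expressed as Falco rules, added here as an example and not the project's published ruleset. `inbound`, `spawned_process`, `open_read` and `open_write` are macros from Falco's default rules; the `app_haproxy` macro, which scopes every rule to containers whose image name contains "haproxy", is an assumption.

```yaml
# Assumed scoping macro: only events from containers running an haproxy image
- macro: app_haproxy
  condition: container and container.image contains "haproxy"

- list: haproxy_allowed_inbound_ports_tcp
  items: [80, 443, 1936]

- rule: Unauthorized inbound tcp connection haproxy
  desc: Detect inbound network connections to haproxy on unexpected ports
  condition: inbound and fd.l4proto=tcp and app_haproxy and not fd.sport in (haproxy_allowed_inbound_ports_tcp)
  output: Inbound network connection to haproxy on unexpected port (command=%proc.cmdline pid=%proc.pid connection=%fd.name sport=%fd.sport user=%user.name %container.info image=%container.image)
  priority: NOTICE

- list: haproxy_allowed_processes
  items: ["haproxy"]

- rule: Unexpected spawned process haproxy
  desc: Detect an unexpected process spawned in the haproxy container
  condition: spawned_process and app_haproxy and not proc.name in (haproxy_allowed_processes)
  output: Unexpected process spawned in haproxy container (command=%proc.cmdline pid=%proc.pid user=%user.name %container.info image=%container.image)
  priority: NOTICE

- list: haproxy_allowed_file_prefixes_readonly
  items: ["/etc", "/lib/x86_64-linux-gnu", "/proc/sys/kernel", "/sys/devices/system/cpu", "/usr/lib/x86_64-linux-gnu"]

- rule: Unexpected file read by haproxy
  desc: Detect a read-only open of a file outside the expected path prefixes
  # pmatch is a prefix match against every entry in the list; is_open_write=false
  # keeps read-write opens out of this rule so they are judged by the next one
  condition: open_read and evt.is_open_write=false and app_haproxy and not fd.name pmatch (haproxy_allowed_file_prefixes_readonly)
  output: Unexpected file accessed readonly by haproxy (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
  priority: NOTICE

- list: haproxy_allowed_file_prefixes_readwrite
  items: ["/var/log/haproxy", "/var/run"]

- rule: Unexpected file written by haproxy
  desc: Detect an open for writing of a file outside the expected path prefixes
  condition: open_write and app_haproxy and not fd.name pmatch (haproxy_allowed_file_prefixes_readwrite)
  output: Unexpected file accessed readwrite by haproxy (command=%proc.cmdline pid=%proc.pid file=%fd.name %container.info image=%container.image)
  priority: NOTICE
```

Load the file alongside the default ruleset (for example `falco -r /etc/falco/falco_rules.yaml -r haproxy_rules.yaml`) so the default macros the conditions reference are defined before these rules are parsed.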

Rules