PostgreSQL Falco Rules

Unexpected inbound tcp connection postgres

Detects inbound network connections to postgres on unexpected ports

Allowed ports:

  • 5432

Unexpected spawned process postgres

Detects an unexpected process spawned in the postgres container

Allowed processes:

  • /proc/self/exe
  • pg_isready
  • postgres
  • psql
  • pg_ctl
  • sh

Unexpected file read by postgres

Detects an attempt to access a file readonly other than below an espected list of paths

Allowed file prefixes for readonly:

  • /dev
  • /etc
  • /lib/x86_64-linux-gnu
  • /usr/lib/locale
  • /usr/lib/x86_64-linux-gnu
  • /usr/share/locale
  • /var/lib/postgresql/data
  • /usr/share/zoneinfo
  • /var/lib/postgresql
  • /usr/lib/postgresql
  • /usr/share/postgresql
  • /var/run/postgresql

Unexpected file written by postgres

Detects an attempt to access a file readwrite other than below an espected list of paths

Allowed file prefixes for readwrite:

  • /var/lib/postgresql/data
  • /var/run/postgresql

Rules