FluentD Falco Rules

A distributed, reliable key-value store for the most critical data of a distributed system

Unauthorized inbound tcp connection fluentd

Detects inbound network connections to fluentd on unexpected ports

Allowed inbound ports:

  • 31337

Unexpected spawned process fluentd

Detects an unexpected process spawned in the fluentd container

Allowed processes:

  • /bin/sh
  • /proc/self/exe
  • /usr/bin/ruby2.1
  • date
  • expr
  • fluentd
  • grep
  • run.sh
  • sed
  • stat

Unexpected file read or written by fluentd

Detects an attempt to access a file readwrite other than below an expected list of paths

Allowed file prefixes for readwrite:

  • /var/log