Let consul agent spawn curl for health checks

falcosecurity · Nov 20, 2017 · c5b1f4c · c5b1f4c
1 parent 729c09c
commit c5b1f4c
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -1040,6 +1040,9 @@
 - macro: nginx_starting_nginx
   condition: (proc.pname=nginx and proc.cmdline contains "/usr/sbin/nginx -c /etc/nginx/nginx.conf")
 
+- macro: consul_running_curl
+  condition: (proc.pname=consul and proc.cmdline startswith "sh -c curl")
+
 - macro: protected_shell_spawner
   condition: >
     (proc.aname in (protected_shell_spawning_binaries)
@@ -1064,6 +1067,7 @@
     and protected_shell_spawner
     and not proc.pname in (gitlab_binaries)
     and not proc.cmdline in (known_shell_spawn_cmdlines)
+    and not consul_running_curl
   output: >
     Shell spawned by untrusted binary (user=%user.name shell=%proc.name parent=%proc.pname
     cmdline=%proc.cmdline pcmdline=%proc.pcmdline gparent=%proc.aname[2] ggparent=%proc.aname[3]