github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-31 14:11:41 +00:00
Code Issues Projects Releases Wiki Activity

Add tests for mismatched sources and append

Browse Source 
Add additional unit tests to verify that rule loading fails when a
second rules object has a different source but the name of an existing
rules object.

Also add tests for additional rules having an empty source.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2024-10-16 13:45:56 -07:00 committed by poiana
parent 4a73ef8824
commit 09a9fd4c26
1 changed files with 105 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
unit_tests/engine/test_rule_loader.cpp
View File

@ -1222,3 +1222,108 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
EXPECT_EQ(get_compiled_rule_condition("test_rule"), EXPECT_EQ(get_compiled_rule_condition("test_rule"),
"(evt.type = open and not tolower(proc.name) = test)"); "(evt.type = open and not tolower(proc.name) = test)");
} }
TEST_F(test_falco_engine, redefine_rule_different_source) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
desc: Some desc
condition: and 1 = 2
output: Some output
priority: INFO
source: syscall
)END";
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}
TEST_F(test_falco_engine, append_across_sources) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
desc: Some desc
condition: and 1 = 2
output: Some output
priority: INFO
source: syscall
append: true
)END";
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}
TEST_F(test_falco_engine, selective_replace_across_sources) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: ka.verb = GET
output: some output
priority: INFO
source: k8s_audit
- rule: LD_PRELOAD trick
condition: 1 = 2
override:
condition: replace
source: syscall
)END";
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
ASSERT_TRUE(check_error_message("Rule has been re-defined with a different source"));
}
TEST_F(test_falco_engine, empty_source_addl_rule) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: evt.type=execve
output: some output
priority: INFO
source: syscall
- rule: LD_PRELOAD trick
desc: Some desc
condition: and proc.name=apache
output: Some output
priority: INFO
source:
append: true
)END";
EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
}
TEST_F(test_falco_engine, empty_string_source_addl_rule) {
auto rules_content = R"END(
- rule: LD_PRELOAD trick
desc: Some desc
condition: evt.type=execve
output: some output
priority: INFO
source: syscall
- rule: LD_PRELOAD trick
desc: Some desc
condition: and proc.name=apache
output: Some output
priority: INFO
source: ""
append: true
)END";
EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
}