diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index 951f0eea..e887ee7d 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -579,3 +579,23 @@ trace_files: !mux
 - open_11: 1
 - open_12: 0
 - open_13: 0
+
+ list_append_failure:
+ exit_status: 1
+ stderr_contains: "List my_list has 'append' key but no list by that name already exists. Exiting"
+ rules_file:
+ - rules/list_append_failure.yaml
+ trace_file: trace_files/cat_write.scap
+
+ list_append:
+ detect: True
+ detect_level: WARNING
+ rules_file:
+ - rules/list_append.yaml
+ trace_file: trace_files/cat_write.scap
+
+ list_append_false:
+ detect: False
+ rules_file:
+ - rules/list_append_false.yaml
+ trace_file: trace_files/cat_write.scap
diff --git a/test/rules/list_append.yaml b/test/rules/list_append.yaml
new file mode 100644
index 00000000..064f12a6
--- /dev/null
+++ b/test/rules/list_append.yaml
@@ -0,0 +1,12 @@
+- list: my_list
+ items: [not-cat]
+
+ - list: my_list
+ append: true
+ items: [cat]
+
+ - rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name in (my_list)
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
diff --git a/test/rules/list_append_failure.yaml b/test/rules/list_append_failure.yaml
new file mode 100644
index 00000000..11bc54ac
--- /dev/null
+++ b/test/rules/list_append_failure.yaml
@@ -0,0 +1,3 @@
+- list: my_list
+ items: [not-cat]
+ append: true
diff --git a/test/rules/list_append_false.yaml b/test/rules/list_append_false.yaml
new file mode 100644
index 00000000..02d3fa79
--- /dev/null
+++ b/test/rules/list_append_false.yaml
@@ -0,0 +1,12 @@
+- list: my_list
+ items: [cat]
+
+ - list: my_list
+ append: false
+ items: [not-cat]
+
+ - rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name in (my_list)
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
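Review bot: `detect: True` and `detect: False` in the new `list_append` and `list_append_false` entries use capitalized booleans, which a YAML 1.2 parser reads as strings while PyYAML reads them as booleans; unless the rest of falco_tests.yaml already spells them this way (not visible in the hunk), `detect: true` / `detect: false` is the portable form. The `list_append_failure` entry is the fail-closed check for this feature and deserves a one-line comment so that `exit_status: 1` is not relaxed later by accident, e.g. `# Appending to a list that was never defined must be a load error, not a silent no-op.`. The `stderr_contains` value pins the full error wording, so any rewording of that message fails the test; if that is too brittle, match a shorter fragment such as `'append' key but no list by that name`. The enclosing `trace_files: !mux` mapping starts outside the hunk.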
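Review bot: list_append.yaml ends without a trailing newline (`\ No newline at end of file`), and so does list_append_false.yaml in the last hunk; add the final newline so yamllint and diff tooling stay quiet. The fixture would also benefit from a header comment stating what it exercises, since the expected outcome lives only in falco_tests.yaml, e.g. `# my_list is defined once and then extended with append: true; the rule must fire on proc.name=cat.`.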
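Review bot: list_append_failure.yaml is intentionally invalid, but nothing in the file says so, which invites someone to "fix" it by adding the missing list definition; a comment such as `# Intentionally invalid: append: true with no prior definition of my_list; the loader must reject it.` prevents that. Key order also differs from list_append.yaml, where `append:` precedes `items:`; either parses the same, but a consistent order makes the fixtures easier to compare side by side.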
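Review bot: The test expects no detection for list_append_false.yaml, which means the second `my_list` entry with `append: false` replaces the first and drops `cat`; that override-not-merge semantic is exactly what this fixture pins and it should be stated in the file, e.g. `# Redefining my_list without append: true replaces the earlier items; 'cat' is gone, so the rule must not fire.`. From a rules-maintenance point of view a replaced list silently narrows detection coverage, so documenting the behavior at the fixture, where a maintainer will look first, is worth the two lines.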