From 0eb170cf5fa9a570351a145dc3ea2c5d912d1239 Mon Sep 17 00:00:00 2001
From: Jason Dellaluce
Date: Thu, 23 Sep 2021 07:21:11 +0000
Subject: [PATCH] update(test): enhance test cases for tags in json outputs

Signed-off-by: Jason Dellaluce
---
 test/confs/psp.yaml   |  6 ++++++
 test/falco_test.py    | 14 +++++++++-----
 test/falco_tests.yaml | 19 +++++++++++++++++++
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/test/confs/psp.yaml b/test/confs/psp.yaml
index a9549668..155d28b6 100644
--- a/test/confs/psp.yaml
+++ b/test/confs/psp.yaml
@@ -43,6 +43,12 @@ json_output: false
 # (user=root ....") in the json output.
 json_include_output_property: true
 
+# When using json output, whether or not to include the "tags" property
+# itself in the json output. If set to true, outputs caused by rules
+# with no tags will have a "tags" field set to an empty array. If set to
+# false, the "tags" field will not be included in the json output at all.
+json_include_tags_property: true
+
 # Send information logs to stderr and/or syslog Note these are *not* security
 # notification logs! These are just Falco lifecycle (and possibly error) logs.
 log_stderr: true
diff --git a/test/falco_test.py b/test/falco_test.py
index 77f750d5..486b3213 100644
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -90,6 +90,8 @@ class FalcoTest(Test):
         self.json_output = self.params.get('json_output', '*', default=False)
         self.json_include_output_property = self.params.get(
             'json_include_output_property', '*', default=True)
+        self.json_include_tags_property = self.params.get(
+            'json_include_tags_property', '*', default=True)
         self.all_events = self.params.get('all_events', '*', default=False)
         self.priority = self.params.get('priority', '*', default='debug')
         self.rules_file = self.params.get(
@@ -388,10 +390,11 @@ class FalcoTest(Test):
         for line in res.stdout.decode("utf-8").splitlines():
             if line.startswith('{'):
                 obj = json.loads(line)
+                attrs = ['time', 'rule', 'priority']
                 if self.json_include_output_property:
-                    attrs = ['time', 'rule', 'priority', 'output']
-                else:
-                    attrs = ['time', 'rule', 'priority']
+                    attrs.append('output')
+                if self.json_include_tags_property:
+                    attrs.append('tags')
                 for attr in attrs:
                     if not attr in obj:
                         self.fail(
@@ -614,8 +617,9 @@ class FalcoTest(Test):
         self.log.debug("Converted Rules: {}".format(psp_rules))
 
         # Run falco
-        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
-            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
+        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o json_include_tags_property={} -o priority={} -v'.format(
+            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output,
+            self.json_include_output_property, self.json_include_tags_property, self.priority)
 
         for tag in self.disable_tags:
             cmd += ' -T {}'.format(tag)
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index 2f3b4e5b..df0c19fa 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
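Review bot: The rebuilt `attrs` list only proves that `tags` is present when `json_include_tags_property` is set; the disabled case is never checked in this loop, so a build that emitted `tags` regardless of the option would still pass here, leaving the regex in falco_tests.yaml as the only guard. Right after the `attrs.append('tags')` branch, an inverse check would make the loop cover both settings: `if not self.json_include_tags_property and 'tags' in obj:` / `self.fail("Unexpected 'tags' property in json output: {}".format(line))`. The same presence-only gap exists for `output`, which this change carries over unchanged. The enclosing method starts and ends outside the hunk.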
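Review bot: The rewritten `.format` call now threads nine positional arguments across two lines, so each `-o key={}` placeholder has to be matched to its value by counting, which is easy to misalign the next time an option is added. Building the `-o` options from a list of `(name, value)` pairs and joining them keeps each name next to its value and yields the same command string. A sketch follows; the enclosing method starts and ends outside the hunk.
```python
        # Run falco
        options = [
            ('json_output', self.json_output),
            ('json_include_output_property', self.json_include_output_property),
            ('json_include_tags_property', self.json_include_tags_property),
            ('priority', self.priority),
        ]
        cmd = '{} {} {} -c {} {} {} -v'.format(
            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg,
            ' '.join('-o {}={}'.format(name, value) for name, value in options))
        # … unchanged: -T / disable_tags handling …
```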
@@ -1111,6 +1111,25 @@ trace_files: !mux
     trace_file: trace_files/cat_write.scap
     stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"
 
+  json_output_no_tags_property:
+    json_output: True
+    json_include_tags_property: False
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(?!.*\"tags\":[ ]*\\[.*\\],.*)"
+
+  json_output_empty_tags_property:
+    json_output: True
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/rule_append.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "^(.*\"tags\":[ ]*\\[\\],.*)"
+
   in_operator_netmasks:
     detect: True
     detect_level: INFO
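Review bot: Both new `stdout_contains` regexes require a comma directly after the closing bracket (`\\],` and `\\[\\],`), so they only hold while `tags` is not the last property serialized in the alert object; a reordering of the JSON fields would make `json_output_empty_tags_property` fail and, worse, make the negative lookahead in `json_output_no_tags_property` pass even when `tags` is emitted. Dropping the trailing comma keeps the intent: `stdout_contains: "^(?!.*\"tags\":[ ]*\\[.*\\].*)"` and `stdout_contains: "^(.*\"tags\":[ ]*\\[\\].*)"`. Both cases also depend on `rules/rule_append.yaml` defining a rule without tags, which is not visible in this change; a one-line comment on `json_output_empty_tags_property` stating that assumption would protect it when that rules file is next edited.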