Update automated tests to reflect evttypes behavior

With the changes in https://github.com/falcosecurity/libs/pull/74,
there isn't any need to warn about the order of operators and the
evt.type field--the set of event types for a filter should be exact
now regardless of the order of operators.

So update tests that were logging those warnings to note that the
warnings won't occur any more.

Also, some tests more accurately *do* note that they have an overly
permissive evttype (e.g. ones related to syscalls, which are uncommon
and are evaluated for all event types) to reflect the new behavior.

Finally, in unit tests create an actual sinsp filter instead of a
gen_event_filter, which is the base class and shouldn't be created
directly.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Mark Stemm
2021-10-04 17:29:06 -07:00
committed by poiana
parent 204892816b
commit 10d47cb1f5
3 changed files with 34 additions and 30 deletions


@@ -16,10 +16,10 @@
#
- rule: my_rule
desc: A process named cat does an open
condition: evt.type=open and fd.name=not-a-real-file
condition: (evt.type=open and fd.name=not-a-real-file)
output: "An open of /dev/null was seen (command=%proc.cmdline)"
priority: WARNING
- rule: my_rule
append: true
condition: or fd.name=/dev/null
condition: or (evt.type=open and fd.name=/dev/null)
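Review bot: the appended rule's new condition, `condition: or (evt.type=open and fd.name=/dev/null)`, now carries its own `evt.type=open` guard, so both branches of the combined filter are restricted to open events; the old fragment `or fd.name=/dev/null` would have matched that file name on every event type, which is exactly the overly permissive evttype the commit message says is now reported accurately. The hunk only shows the rules file, though: the test that loads this fixture and previously checked for the operator-order warning is not in these lines, so confirm its expected output was updated in the same commit. Minor style point: operator precedence alone would keep `and` bound tighter than `or`, but parenthesising both halves as done here makes the appended `or` unambiguous to readers and is worth keeping.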