feat(engine): emit warning when a rule output uses deprecated "evt.dir"
Emit a warning when a rule uses the deprecated "evt.dir" field in output. Signed-off-by: Iacopo Rozzo <iacopo@sysdig.com>
@@ -1327,3 +1327,36 @@ TEST_F(test_falco_engine, empty_string_source_addl_rule) {
|
||||
|
||||
EXPECT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, deprecated_field_in_output) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule_with_evt_dir_in_output
|
||||
desc: test rule with evt.dir in output
|
||||
condition: evt.type = close
|
||||
output: user=%user.name command=%proc.cmdline file=%fd.name evt.dir=%evt.dir
|
||||
priority: INFO
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(has_warnings());
|
||||
ASSERT_TRUE(check_warning_message(
|
||||
"usage of deprecated field 'evt.dir' has been detected in the rule output"))
|
||||
<< m_load_result_string;
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 1);
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, no_deprecated_field_warning_in_output) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule_without_evt_dir
|
||||
desc: test rule without evt.dir in output
|
||||
condition: evt.type = close
|
||||
output: user=%user.name command=%proc.cmdline file=%fd.name
|
||||
priority: INFO
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(check_warning_message("evt.dir")) << m_load_result_string;
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 1);
|
||||
}
|
||||
|
||||
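Review bot: The positive test's output line (`evt.dir=%evt.dir`) contains both the literal text `evt.dir=` and the `%evt.dir` field token, so it passes whether the loader matches a field token or any plain substring, and the negative test's output never contains the text at all, so neither case tells the two behaviours apart. A third case whose output carries the literal text but no token would pin the intended behaviour, e.g. `output: user=%user.name note=evt.dir file=%fd.name` followed by `ASSERT_FALSE(check_warning_message("evt.dir")) << m_load_result_string;`. The `empty_string_source_addl_rule` test whose closing lines open the hunk starts outside it.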
@@ -72,6 +72,24 @@ static bool is_format_valid(const falco_source& source, std::string fmt, std::st
|
||||
}
|
||||
}
|
||||
|
||||
static void check_deprecated_fields_in_output(const std::string& fmt,
|
||||
const rule_loader::context& ctx,
|
||||
rule_loader::result& res) {
|
||||
// Check for evt.dir field usage in output format
|
||||
for(int i = 0;
|
||||
i < static_cast<int>(falco::load_result::deprecated_field::DEPRECATED_FIELD_NOT_FOUND);
|
||||
i++) {
|
||||
auto df = falco::load_result::deprecated_field(i);
|
||||
if(fmt.find(falco::load_result::deprecated_field_str(df)) != std::string::npos) {
|
||||
res.add_deprecated_field_warning(df,
|
||||
"usage of deprecated field '" +
|
||||
falco::load_result::deprecated_field_str(df) +
|
||||
"' has been detected in the rule output",
|
||||
ctx);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static void build_rule_exception_infos(
|
||||
const std::vector<rule_loader::rule_exception_info>& exceptions,
|
||||
std::set<std::string>& exception_fields,
|
||||
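Review bot: The match in `check_deprecated_fields_in_output` (`fmt.find(falco::load_result::deprecated_field_str(df))`) is a bare substring search, so it fires on any occurrence of the text rather than on a field token: the literal `evt.dir=` label in the test rule's output already matches on its own, a rule whose output merely mentions the text would be warned, and a longer field name that begins with the deprecated one would match as well. Searching for the `%`-prefixed token and requiring the following character not to continue a field name avoids both, and also lets `deprecated_field_str` be called once per field; `std::isalnum` needs `<cctype>`. Whether alphanumerics, `.` and `_` are exactly the field-name alphabet should be confirmed against the formatter before relying on it. `build_rule_exception_infos` at the end of the hunk continues outside it.
```cpp
static void check_deprecated_fields_in_output(const std::string& fmt,
                                              const rule_loader::context& ctx,
                                              rule_loader::result& res) {
	for(int i = 0;
	    i < static_cast<int>(falco::load_result::deprecated_field::DEPRECATED_FIELD_NOT_FOUND);
	    i++) {
		auto df = falco::load_result::deprecated_field(i);
		const std::string name = falco::load_result::deprecated_field_str(df);
		// Only a field token ("%evt.dir") counts: literal text such as "evt.dir="
		// must not warn, and neither must a longer field whose name starts with
		// the deprecated one.
		const std::string token = "%" + name;
		bool found = false;
		for(std::size_t pos = fmt.find(token); pos != std::string::npos && !found;
		    pos = fmt.find(token, pos + 1)) {
			const std::size_t end = pos + token.size();
			// TODO(review): confirm the field-name charset against the formatter.
			found = end >= fmt.size() ||
			        !(std::isalnum(static_cast<unsigned char>(fmt[end])) || fmt[end] == '.' ||
			          fmt[end] == '_');
		}
		if(found) {
			res.add_deprecated_field_warning(
			        df,
			        "usage of deprecated field '" + name + "' has been detected in the rule output",
			        ctx);
		}
	}
}
```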
@@ -478,6 +496,9 @@ void rule_loader::compiler::compile_rule_infos(const configuration& cfg,
|
||||
r.output_ctx);
|
||||
}
|
||||
|
||||
// check for deprecated fields in output format
|
||||
check_deprecated_fields_in_output(rule.output, r.output_ctx, *cfg.res);
|
||||
|
||||
// validate the rule's extra fields if any
|
||||
for(auto const& ef : rule.extra_output_fields) {
|
||||
if(!is_format_valid(*cfg.sources.at(r.source), ef.second.first, err)) {
|
||||
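Review bot: The new `check_deprecated_fields_in_output(rule.output, r.output_ctx, *cfg.res);` call runs unconditionally after the `is_format_valid` block that closes just above it, so a format that was just reported as invalid also receives a deprecation warning for the same text; the same pattern appears in the following hunk at `@@ -485,6 +506,8 @@` for `ef.second.first`. Running the check only on the success path — placing the call in an `else` branch of the validity check, or skipping it when `err` was set — keeps the result to one diagnostic per broken format. In the extra-fields hunk the warning is also reported against `r.output_ctx`, which appears to be the location of the main `output:` key rather than of the extra field; this mirrors how the existing `is_format_valid` error is reported there, so it may be intentional, but a per-field context would point the user at the right line. `compile_rule_infos` starts and ends outside both hunks.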
@@ -485,6 +506,8 @@ void rule_loader::compiler::compile_rule_infos(const configuration& cfg,
|
||||
err,
|
||||
r.output_ctx);
|
||||
}
|
||||
// check for deprecated fields in extra output fields
|
||||
check_deprecated_fields_in_output(ef.second.first, r.output_ctx, *cfg.res);
|
||||
}
|
||||
|
||||
if(!compile_condition(cfg,
|
||||
|
||||