github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-13 14:34:33 +00:00
Code Issues Projects Releases Wiki Activity

Add test for enabled flag.

Browse Source 
New test case disables a rule that would otherwise match.
This commit is contained in:
Mark Stemm 2016-09-03 08:40:01 -07:00
parent f68fba103e
commit 1db2339ece
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
test/falco_tests.yaml.in
View File

@ -113,6 +113,12 @@ trace_files: !mux
- "open.*" - "open.*"
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
disabled_rules_using_enabled_flag:
detect: False
rules_file:
- rules/single_rule_enabled_flag.yaml
trace_file: trace_files/cat_write.scap
file_output: file_output:
detect: True detect: True
detect_level: WARNING detect_level: WARNING

9
test/rules/single_rule_enabled_flag.yaml Normal file
View File

@ -0,0 +1,9 @@
- macro: is_cat
condition: proc.name=cat
- rule: open_from_cat
desc: A process named cat does an open
condition: evt.type=open and is_cat
output: "An open was seen (command=%proc.cmdline)"
priority: WARNING
enabled: false