Add test for enabled flag.

New test case disables a rule that would otherwise match.
2025-07-12 14:08:27 +00:00 · 2016-09-03 08:40:01 -07:00 · 2016-09-03 08:40:01 -07:00 · 1db2339ece
commit 1db2339ece
parent f68fba103e
2 changed files with 15 additions and 0 deletions
--- a/test/falco_tests.yaml.in
+++ b/test/falco_tests.yaml.in
@ -113,6 +113,12 @@ trace_files: !mux
      - "open.*"
    trace_file: trace_files/cat_write.scap

+  disabled_rules_using_enabled_flag:
+    detect: False
+    rules_file:
+      - rules/single_rule_enabled_flag.yaml
+    trace_file: trace_files/cat_write.scap
+
  file_output:
    detect: True
    detect_level: WARNING
--- a/test/rules/single_rule_enabled_flag.yaml
+++ b/test/rules/single_rule_enabled_flag.yaml
@ -0,0 +1,9 @@
+- macro: is_cat
+  condition: proc.name=cat
+
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and is_cat
+  output: "An open was seen (command=%proc.cmdline)"
+  priority: WARNING
+  enabled: false