From 2c189d6a609e90ab9b05bca6338bc1380cb32cae Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 9 Aug 2017 16:45:47 -0700
Subject: [PATCH 1/2] Add ability to append to lists.
List nodes can now have an 'append' key. If present and true, any values in this list will be appended to the end of any existing list with the same name. It is an error to have a list with 'append' true that has a name that is not an existing list.
---
 userspace/engine/lua/rule_loader.lua | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/userspace/engine/lua/rule_loader.lua b/userspace/engine/lua/rule_loader.lua
index 0f4d828e..7a2fe997 100644
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -222,7 +222,24 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
 end
 end
- state.lists_by_name[v['list']] = v
+ -- Possibly append to an existing list
+ append = false
+
+ if v['append'] then
+ append = v['append']
+ end
+
+ if append then
+ if state.lists_by_name[v['list']] == nil then
+ error ("List " ..v['list'].. " has 'append' key but no list by that name already exists")
+ end
+
+ for i, elem in ipairs(v['items']) do
+ table.insert(state.lists_by_name[v['list']]['items'], elem)
+ end
+ else
+ state.lists_by_name[v['list']] = v
+ end
 elseif (v['rule']) then
From 0bc2d4f162ce75b87e835676b936a40d862f2ead Mon Sep 17 00:00:00 2001
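Review bot: `append = false` at the top of the added lines is an assignment to a global, not a local, so the flag escapes load_rules into the shared Lua state and can be clobbered by any other chunk that happens to use the same name; declare it `local append = v['append'] or false`, which also makes the three-line `if v['append'] then ... end` that follows unnecessary. The append branch then calls `ipairs(v['items'])` with no check that the node has an items key, so unless the loop above the hunk already validates items, a node with `append: true` and no items fails with a bare ipairs error instead of one naming the list; a guard such as `if type(v['items']) ~= "table" then error("List " ..v['list'].. " has 'append' key but no 'items'") end` before the loop keeps the style of the existing check. `i` in `for i, elem in ipairs(...)` is unused and is conventionally written `_`. load_rules starts and ends outside the hunk.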
From: Mark Stemm
Date: Wed, 9 Aug 2017 16:47:53 -0700
Subject: [PATCH 2/2] Automated tests for list append.
Test the case of appending to a list and appending to a nonexistent list (should error).
---
 test/falco_tests.yaml | 20 ++++++++++++++++++++
 test/rules/list_append.yaml | 12 ++++++++++++
 test/rules/list_append_failure.yaml | 3 +++
 test/rules/list_append_false.yaml | 12 ++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 test/rules/list_append.yaml
 create mode 100644 test/rules/list_append_failure.yaml
 create mode 100644 test/rules/list_append_false.yaml
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index 951f0eea..e887ee7d 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -579,3 +579,23 @@ trace_files: !mux
 - open_11: 1
 - open_12: 0
 - open_13: 0
+
+ list_append_failure:
+ exit_status: 1
+ stderr_contains: "List my_list has 'append' key but no list by that name already exists. Exiting"
+ rules_file:
+ - rules/list_append_failure.yaml
+ trace_file: trace_files/cat_write.scap
+
+ list_append:
+ detect: True
+ detect_level: WARNING
+ rules_file:
+ - rules/list_append.yaml
+ trace_file: trace_files/cat_write.scap
+
+ list_append_false:
+ detect: False
+ rules_file:
+ - rules/list_append_false.yaml
+ trace_file: trace_files/cat_write.scap
diff --git a/test/rules/list_append.yaml b/test/rules/list_append.yaml
new file mode 100644
index 00000000..064f12a6
--- /dev/null
+++ b/test/rules/list_append.yaml
@@ -0,0 +1,12 @@
+- list: my_list
+ items: [not-cat]
+
+- list: my_list
+ append: true
+ items: [cat]
+
+- rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name in (my_list)
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
diff --git a/test/rules/list_append_failure.yaml b/test/rules/list_append_failure.yaml
new file mode 100644
index 00000000..11bc54ac
--- /dev/null
+++ b/test/rules/list_append_failure.yaml
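Review bot: None of the three new cases in falco_tests.yaml exercises an append whose base list is defined in a different rules file, which is what `rules_file:` being a list exists to cover and, if the feature is meant for extending lists from an earlier file, the path most likely to regress. A fourth case whose `rules_file:` names two files — the first defining `my_list`, the second appending to it — would pin that the lists_by_name state survives across files in one load. Two of the new rule fixtures also end without a trailing newline, which is cosmetic but will show up as `\ No newline at end of file` in every future diff of those files.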
@@ -0,0 +1,3 @@
+- list: my_list
+ items: [not-cat]
+ append: true
diff --git a/test/rules/list_append_false.yaml b/test/rules/list_append_false.yaml
new file mode 100644
index 00000000..02d3fa79
--- /dev/null
+++ b/test/rules/list_append_false.yaml
@@ -0,0 +1,12 @@
+- list: my_list
+ items: [cat]
+
+- list: my_list
+ append: false
+ items: [not-cat]
+
+- rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name in (my_list)
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file