chore(falco): apply code formatting
Signed-off-by: Poiana <poiana.bot@gmail.com>
@@ -3,14 +3,14 @@
|
||||
#include "../test_falco_engine.h"
|
||||
#include "yaml_helper.h"
|
||||
|
||||
#define ASSERT_VALIDATION_STATUS(status) ASSERT_TRUE(sinsp_utils::startswith(m_load_result->schema_validation(), status))
|
||||
#define ASSERT_VALIDATION_STATUS(status) \
|
||||
ASSERT_TRUE(sinsp_utils::startswith(m_load_result->schema_validation(), status))
|
||||
|
||||
std::string s_sample_ruleset = "sample-ruleset";
|
||||
std::string s_sample_source = falco_common::syscall_source;
|
||||
|
||||
TEST_F(test_falco_engine, list_append)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_append) {
|
||||
std::string rules_content = R"END(
|
||||
- list: shell_binaries
|
||||
items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]
|
||||
|
||||
@@ -28,12 +28,13 @@ TEST_F(test_falco_engine, list_append)
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("legit_rule"),"(evt.type = open and proc.name in (ash, bash, csh, ksh, sh, tcsh, zsh, dash, pwsh))");
|
||||
ASSERT_EQ(
|
||||
get_compiled_rule_condition("legit_rule"),
|
||||
"(evt.type = open and proc.name in (ash, bash, csh, ksh, sh, tcsh, zsh, dash, pwsh))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, condition_append)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, condition_append) {
|
||||
std::string rules_content = R"END(
|
||||
- macro: interactive
|
||||
condition: >
|
||||
((proc.aname=sshd and proc.name != sshd) or
|
||||
@@ -53,12 +54,13 @@ TEST_F(test_falco_engine, condition_append)
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "legit_rules.yaml")) << m_load_result_string;
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("legit_rule"),"(evt.type = open and (((proc.aname = sshd and proc.name != sshd) or proc.name = systemd-logind or proc.name = login) or proc.name = ssh))");
|
||||
ASSERT_EQ(get_compiled_rule_condition("legit_rule"),
|
||||
"(evt.type = open and (((proc.aname = sshd and proc.name != sshd) or proc.name = "
|
||||
"systemd-logind or proc.name = login) or proc.name = ssh))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_append)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_append) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: legit_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type=open
|
||||
@@ -84,18 +86,17 @@ TEST_F(test_falco_engine, rule_override_append)
|
||||
|
||||
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["condition"].template get<std::string>(),
|
||||
"evt.type=open and proc.name = cat");
|
||||
"evt.type=open and proc.name = cat");
|
||||
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["output"].template get<std::string>(),
|
||||
"user=%user.name command=%proc.cmdline file=%fd.name proc=%proc.name");
|
||||
"user=%user.name command=%proc.cmdline file=%fd.name proc=%proc.name");
|
||||
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["description"].template get<std::string>(),
|
||||
"legit rule description with append");
|
||||
"legit rule description with append");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_append)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_append) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: legit_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type=open
|
||||
@@ -113,12 +114,11 @@ TEST_F(test_falco_engine, rule_append)
|
||||
// We should have at least one warning because the 'append' flag is deprecated.
|
||||
ASSERT_TRUE(check_warning_message(WARNING_APPEND));
|
||||
|
||||
ASSERT_EQ(get_compiled_rule_condition("legit_rule"),"(evt.type = open and proc.name = cat)");
|
||||
ASSERT_EQ(get_compiled_rule_condition("legit_rule"), "(evt.type = open and proc.name = cat)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_replace)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_replace) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: legit_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type=open
|
||||
@@ -139,18 +139,17 @@ TEST_F(test_falco_engine, rule_override_replace)
|
||||
|
||||
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["condition"].template get<std::string>(),
|
||||
"evt.type = close");
|
||||
"evt.type = close");
|
||||
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["output"].template get<std::string>(),
|
||||
"user=%user.name command=%proc.cmdline file=%fd.name");
|
||||
"user=%user.name command=%proc.cmdline file=%fd.name");
|
||||
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["description"].template get<std::string>(),
|
||||
"a replaced legit description");
|
||||
"a replaced legit description");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_append_replace)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_append_replace) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: legit_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type = close
|
||||
@@ -173,21 +172,20 @@ TEST_F(test_falco_engine, rule_override_append_replace)
|
||||
|
||||
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["condition"].template get<std::string>(),
|
||||
"evt.type = close and proc.name = cat");
|
||||
"evt.type = close and proc.name = cat");
|
||||
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["output"].template get<std::string>(),
|
||||
"user=%user.name command=%proc.cmdline file=%fd.name");
|
||||
"user=%user.name command=%proc.cmdline file=%fd.name");
|
||||
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["description"].template get<std::string>(),
|
||||
"a replaced legit description");
|
||||
"a replaced legit description");
|
||||
|
||||
ASSERT_EQ(rule_description["rules"][0]["info"]["priority"].template get<std::string>(),
|
||||
"Warning");
|
||||
"Warning");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_incorrect_override_type)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_incorrect_override_type) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: failing_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type = close
|
||||
@@ -207,12 +205,12 @@ TEST_F(test_falco_engine, rule_incorrect_override_type)
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message("Key 'priority' cannot be appended to, use 'replace' instead"));
|
||||
ASSERT_TRUE(std::string(m_load_result_json["errors"][0]["context"]["snippet"]).find("priority: append") != std::string::npos);
|
||||
ASSERT_TRUE(std::string(m_load_result_json["errors"][0]["context"]["snippet"])
|
||||
.find("priority: append") != std::string::npos);
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_incorrect_append_override)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_incorrect_append_override) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: failing_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type = close
|
||||
@@ -230,16 +228,15 @@ TEST_F(test_falco_engine, rule_incorrect_append_override)
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
|
||||
|
||||
// We should have at least one warning because the 'append' flag is deprecated.
|
||||
ASSERT_TRUE(check_warning_message(WARNING_APPEND));
|
||||
|
||||
|
||||
ASSERT_TRUE(check_error_message(ERROR_OVERRIDE_APPEND));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, macro_override_append_before_macro_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, macro_override_append_before_macro_definition) {
|
||||
std::string rules_content = R"END(
|
||||
|
||||
- macro: open_simple
|
||||
condition: or evt.type = openat2
|
||||
@@ -263,9 +260,8 @@ TEST_F(test_falco_engine, macro_override_append_before_macro_definition)
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_MACRO));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, macro_override_replace_before_macro_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, macro_override_replace_before_macro_definition) {
|
||||
std::string rules_content = R"END(
|
||||
|
||||
- macro: open_simple
|
||||
condition: or evt.type = openat2
|
||||
@@ -286,12 +282,11 @@ TEST_F(test_falco_engine, macro_override_replace_before_macro_definition)
|
||||
// The first override defines a macro that is overridden by the second macro definition
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"evt.type in (open, openat)");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"), "evt.type in (open, openat)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, macro_append_before_macro_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, macro_append_before_macro_definition) {
|
||||
std::string rules_content = R"END(
|
||||
|
||||
- macro: open_simple
|
||||
condition: or evt.type = openat2
|
||||
@@ -314,9 +309,8 @@ TEST_F(test_falco_engine, macro_append_before_macro_definition)
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_MACRO));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, macro_override_append_after_macro_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, macro_override_append_after_macro_definition) {
|
||||
std::string rules_content = R"END(
|
||||
|
||||
- macro: open_simple
|
||||
condition: evt.type in (open,openat)
|
||||
@@ -337,12 +331,12 @@ TEST_F(test_falco_engine, macro_override_append_after_macro_definition)
|
||||
// We cannot define a macro override before the macro definition.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) or evt.type = openat2)");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type in (open, openat) or evt.type = openat2)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, macro_append_after_macro_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, macro_append_after_macro_definition) {
|
||||
std::string rules_content = R"END(
|
||||
|
||||
- macro: open_simple
|
||||
condition: evt.type in (open,openat)
|
||||
@@ -362,12 +356,12 @@ TEST_F(test_falco_engine, macro_append_after_macro_definition)
|
||||
// We cannot define a macro override before the macro definition.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) or evt.type = openat2)");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type in (open, openat) or evt.type = openat2)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_append_before_rule_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_append_before_rule_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
condition: and proc.name = cat
|
||||
override:
|
||||
@@ -386,9 +380,8 @@ TEST_F(test_falco_engine, rule_override_append_before_rule_definition)
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_APPEND));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_replace_before_rule_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_replace_before_rule_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
condition: and proc.name = cat
|
||||
override:
|
||||
@@ -407,9 +400,8 @@ TEST_F(test_falco_engine, rule_override_replace_before_rule_definition)
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_REPLACE));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_append_before_rule_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_append_before_rule_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
condition: and proc.name = cat
|
||||
append: true
|
||||
@@ -427,9 +419,8 @@ TEST_F(test_falco_engine, rule_append_before_rule_definition)
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_RULE_APPEND));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_append_after_rule_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_append_after_rule_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: simple rule
|
||||
condition: evt.type in (open,openat)
|
||||
@@ -444,12 +435,12 @@ TEST_F(test_falco_engine, rule_override_append_after_rule_definition)
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) and proc.name = cat)");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type in (open, openat) and proc.name = cat)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_append_after_rule_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_append_after_rule_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: simple rule
|
||||
condition: evt.type in (open,openat)
|
||||
@@ -463,14 +454,14 @@ TEST_F(test_falco_engine, rule_append_after_rule_definition)
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type in (open, openat) and proc.name = cat)");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type in (open, openat) and proc.name = cat)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, list_override_append_wrong_key)
|
||||
{
|
||||
TEST_F(test_falco_engine, list_override_append_wrong_key) {
|
||||
// todo: maybe we want to manage some non-existent keys
|
||||
// Please note how the non-existent key 'non-existent keys' is ignored.
|
||||
std::string rules_content = R"END(
|
||||
std::string rules_content = R"END(
|
||||
- list: dev_creation_binaries
|
||||
items: ["csi-provisioner", "csi-attacher"]
|
||||
override_written_wrong:
|
||||
@@ -488,16 +479,16 @@ TEST_F(test_falco_engine, list_override_append_wrong_key)
|
||||
)END";
|
||||
|
||||
// Since there is a wrong key in the first list definition the `override` is not
|
||||
// considered. so in this situation, we are defining the list 2 times. The
|
||||
// considered. so in this situation, we are defining the list 2 times. The
|
||||
// second one overrides the first one.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid))");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = execve and proc.name in (blkid))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, list_override_append_before_list_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_override_append_before_list_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- list: dev_creation_binaries
|
||||
items: ["csi-provisioner", "csi-attacher"]
|
||||
override:
|
||||
@@ -520,9 +511,8 @@ TEST_F(test_falco_engine, list_override_append_before_list_definition)
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_LIST));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, list_override_replace_before_list_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_override_replace_before_list_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- list: dev_creation_binaries
|
||||
items: ["csi-provisioner", "csi-attacher"]
|
||||
override:
|
||||
@@ -542,12 +532,12 @@ TEST_F(test_falco_engine, list_override_replace_before_list_definition)
|
||||
// With override replace we define a first list that then is overridden by the second one.
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid))");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = execve and proc.name in (blkid))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, list_append_before_list_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_append_before_list_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- list: dev_creation_binaries
|
||||
items: ["csi-provisioner", "csi-attacher"]
|
||||
append: true
|
||||
@@ -569,9 +559,8 @@ TEST_F(test_falco_engine, list_append_before_list_definition)
|
||||
ASSERT_TRUE(check_error_message(ERROR_NO_PREVIOUS_LIST));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, list_override_append_after_list_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_override_append_after_list_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- list: dev_creation_binaries
|
||||
items: [blkid]
|
||||
|
||||
@@ -590,12 +579,12 @@ TEST_F(test_falco_engine, list_override_append_after_list_definition)
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid, csi-provisioner, csi-attacher))");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = execve and proc.name in (blkid, csi-provisioner, csi-attacher))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, list_append_after_list_definition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_append_after_list_definition) {
|
||||
std::string rules_content = R"END(
|
||||
- list: dev_creation_binaries
|
||||
items: [blkid]
|
||||
|
||||
@@ -612,12 +601,12 @@ TEST_F(test_falco_engine, list_append_after_list_definition)
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"(evt.type = execve and proc.name in (blkid, csi-provisioner, csi-attacher))");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = execve and proc.name in (blkid, csi-provisioner, csi-attacher))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_without_field)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_without_field) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: failing_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type = close
|
||||
@@ -633,12 +622,12 @@ TEST_F(test_falco_engine, rule_override_without_field)
|
||||
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_error_message("An append override for 'condition' was specified but 'condition' is not defined"));
|
||||
ASSERT_TRUE(check_error_message(
|
||||
"An append override for 'condition' was specified but 'condition' is not defined"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_extra_field)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_extra_field) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: failing_rule
|
||||
desc: legit rule description
|
||||
condition: evt.type = close
|
||||
@@ -659,9 +648,8 @@ TEST_F(test_falco_engine, rule_override_extra_field)
|
||||
ASSERT_TRUE(check_error_message("Unexpected key 'priority'"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, missing_enabled_key_with_override)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, missing_enabled_key_with_override) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule description
|
||||
condition: evt.type = close
|
||||
@@ -684,9 +672,8 @@ TEST_F(test_falco_engine, missing_enabled_key_with_override)
|
||||
ASSERT_TRUE(check_error_message("'enabled' was specified but 'enabled' is not defined"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_with_enabled)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_with_enabled) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule description
|
||||
condition: evt.type = close
|
||||
@@ -711,9 +698,8 @@ TEST_F(test_falco_engine, rule_override_with_enabled)
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 1);
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_override_exceptions_required_fields)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_override_exceptions_required_fields) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule description
|
||||
condition: evt.type = close
|
||||
@@ -745,12 +731,12 @@ TEST_F(test_falco_engine, rule_override_exceptions_required_fields)
|
||||
ASSERT_FALSE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
ASSERT_TRUE(check_error_message("Item has no mapping for key 'fields'")) << m_load_result_json.dump();
|
||||
ASSERT_TRUE(check_error_message("Item has no mapping for key 'fields'"))
|
||||
<< m_load_result_json.dump();
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_not_enabled)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_not_enabled) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: rule not enabled
|
||||
condition: evt.type = close
|
||||
@@ -765,9 +751,8 @@ TEST_F(test_falco_engine, rule_not_enabled)
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 0);
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, rule_enabled_warning)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_enabled_warning) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule description
|
||||
condition: evt.type = close
|
||||
@@ -787,9 +772,8 @@ TEST_F(test_falco_engine, rule_enabled_warning)
|
||||
}
|
||||
|
||||
// todo!: Probably we shouldn't allow this syntax
|
||||
TEST_F(test_falco_engine, rule_enabled_is_ignored_by_append)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rule_enabled_is_ignored_by_append) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule description
|
||||
condition: evt.type = close
|
||||
@@ -811,9 +795,8 @@ TEST_F(test_falco_engine, rule_enabled_is_ignored_by_append)
|
||||
}
|
||||
|
||||
// todo!: Probably we shouldn't allow this syntax
|
||||
TEST_F(test_falco_engine, rewrite_rule)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, rewrite_rule) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule description
|
||||
condition: evt.type = close
|
||||
@@ -835,12 +818,11 @@ TEST_F(test_falco_engine, rewrite_rule)
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
// In this case the rule is completely overridden but this syntax is not supported.
|
||||
EXPECT_EQ(num_rules_for_ruleset(), 1);
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"proc.name = cat");
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"), "proc.name = cat");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, required_engine_version_semver)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, required_engine_version_semver) {
|
||||
std::string rules_content = R"END(
|
||||
- required_engine_version: 0.26.0
|
||||
|
||||
- rule: test_rule
|
||||
@@ -857,9 +839,8 @@ TEST_F(test_falco_engine, required_engine_version_semver)
|
||||
ASSERT_FALSE(has_warnings());
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, required_engine_version_not_semver)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, required_engine_version_not_semver) {
|
||||
std::string rules_content = R"END(
|
||||
- required_engine_version: 26
|
||||
|
||||
- rule: test_rule
|
||||
@@ -876,9 +857,8 @@ TEST_F(test_falco_engine, required_engine_version_not_semver)
|
||||
ASSERT_FALSE(has_warnings());
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, required_engine_version_invalid)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, required_engine_version_invalid) {
|
||||
std::string rules_content = R"END(
|
||||
- required_engine_version: seven
|
||||
|
||||
- rule: test_rule
|
||||
@@ -896,9 +876,8 @@ TEST_F(test_falco_engine, required_engine_version_invalid)
|
||||
}
|
||||
|
||||
// checks for issue described in https://github.com/falcosecurity/falco/pull/3028
|
||||
TEST_F(test_falco_engine, list_value_with_escaping)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_value_with_escaping) {
|
||||
std::string rules_content = R"END(
|
||||
- list: my_list
|
||||
items: [non_escaped_val, "escaped val"]
|
||||
)END";
|
||||
@@ -906,7 +885,7 @@ TEST_F(test_falco_engine, list_value_with_escaping)
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(m_load_result->successful());
|
||||
ASSERT_TRUE(m_load_result->has_warnings()); // a warning for the unused list
|
||||
ASSERT_TRUE(m_load_result->has_warnings()); // a warning for the unused list
|
||||
|
||||
auto rule_description = m_engine->describe_rule(nullptr, {});
|
||||
ASSERT_TRUE(m_load_result->successful());
|
||||
@@ -919,13 +898,16 @@ TEST_F(test_falco_engine, list_value_with_escaping)
|
||||
|
||||
// values should be escaped correctly
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"].size(), 2);
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][0].template get<std::string>(), "non_escaped_val");
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][1].template get<std::string>(), "escaped val");
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][0]
|
||||
.template get<std::string>(),
|
||||
"non_escaped_val");
|
||||
ASSERT_EQ(rule_description["lists"][0]["details"]["items_compiled"][1]
|
||||
.template get<std::string>(),
|
||||
"escaped val");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_condition)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, exceptions_condition) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule
|
||||
condition: proc.cmdline contains curl or proc.cmdline contains wget
|
||||
@@ -939,26 +921,27 @@ TEST_F(test_falco_engine, exceptions_condition)
|
||||
- [curl 127.0.0.1]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),"((proc.cmdline contains curl or proc.cmdline contains wget) and not proc.cmdline contains \"curl 127.0.0.1\")");
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"((proc.cmdline contains curl or proc.cmdline contains wget) and not proc.cmdline "
|
||||
"contains \"curl 127.0.0.1\")");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, macro_name_invalid)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, macro_name_invalid) {
|
||||
std::string rules_content = R"END(
|
||||
- macro: test-macro
|
||||
condition: evt.type = close
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Macro has an invalid name. Macro names should match a regular expression"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message(
|
||||
"Macro has an invalid name. Macro names should match a regular expression"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, list_name_invalid)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, list_name_invalid) {
|
||||
std::string rules_content = R"END(
|
||||
- list: test list
|
||||
items: [open, openat, openat2]
|
||||
|
||||
@@ -971,16 +954,16 @@ TEST_F(test_falco_engine, list_name_invalid)
|
||||
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("List has an invalid name. List names should match a regular expression"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message(
|
||||
"List has an invalid name. List names should match a regular expression"));
|
||||
}
|
||||
|
||||
// The appended exception has a purposely miswritten field (value),
|
||||
// simulating a typo or an incorrect usage.
|
||||
TEST_F(test_falco_engine, exceptions_append_no_values)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, exceptions_append_no_values) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule
|
||||
condition: proc.cmdline contains curl
|
||||
@@ -1000,14 +983,13 @@ TEST_F(test_falco_engine, exceptions_append_no_values)
|
||||
append: true
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Overriding/appending exception with no values"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Overriding/appending exception with no values"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_override_no_values)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, exceptions_override_no_values) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule
|
||||
condition: proc.cmdline contains curl
|
||||
@@ -1028,14 +1010,13 @@ TEST_F(test_falco_engine, exceptions_override_no_values)
|
||||
exceptions: append
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Overriding/appending exception with no values"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_failed) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Overriding/appending exception with no values"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_names_not_unique)
|
||||
{
|
||||
std::string rules_content = R"END(
|
||||
TEST_F(test_falco_engine, exceptions_names_not_unique) {
|
||||
std::string rules_content = R"END(
|
||||
- rule: test_rule
|
||||
desc: test rule
|
||||
condition: proc.cmdline contains curl
|
||||
@@ -1054,9 +1035,9 @@ TEST_F(test_falco_engine, exceptions_names_not_unique)
|
||||
- [curl 127.0.0.1]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Multiple definitions of exception"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_TRUE(check_warning_message("Multiple definitions of exception"));
|
||||
}
|
||||
|
||||
static std::string s_exception_values_rule_base = R"END(
|
||||
@@ -1067,9 +1048,8 @@ static std::string s_exception_values_rule_base = R"END(
|
||||
priority: INFO
|
||||
)END";
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [proc.name]
|
||||
@@ -1078,15 +1058,16 @@ TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous)
|
||||
- [proc.pname]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)");
|
||||
EXPECT_TRUE(check_warning_message("'proc.pname' may be a valid field misused as a const string value"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not proc.name = proc.pname)");
|
||||
EXPECT_TRUE(check_warning_message(
|
||||
"'proc.pname' may be a valid field misused as a const string value"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_quoted)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_quoted) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [proc.name]
|
||||
@@ -1095,15 +1076,16 @@ TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_quoted)
|
||||
- ["proc.pname"]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)");
|
||||
EXPECT_TRUE(check_warning_message("'proc.pname' may be a valid field misused as a const string value"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not proc.name = proc.pname)");
|
||||
EXPECT_TRUE(check_warning_message(
|
||||
"'proc.pname' may be a valid field misused as a const string value"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_space_quoted)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_space_quoted) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [proc.name]
|
||||
@@ -1112,15 +1094,16 @@ TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_space_quoted)
|
||||
- ["proc.pname "]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"proc.pname \")");
|
||||
EXPECT_TRUE(check_warning_message("'proc.pname ' may be a valid field misused as a const string value"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not proc.name = \"proc.pname \")");
|
||||
EXPECT_TRUE(check_warning_message(
|
||||
"'proc.pname ' may be a valid field misused as a const string value"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_transformer)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_values_rhs_transformer) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [proc.name]
|
||||
@@ -1129,14 +1112,14 @@ TEST_F(test_falco_engine, exceptions_values_rhs_transformer)
|
||||
- [toupper(proc.pname)]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))");
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not proc.name = toupper(proc.pname))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_values_transformer_value_quoted)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_values_transformer_value_quoted) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [proc.name]
|
||||
@@ -1145,14 +1128,14 @@ TEST_F(test_falco_engine, exceptions_values_transformer_value_quoted)
|
||||
- ["toupper(proc.pname)"]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))");
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not proc.name = toupper(proc.pname))");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_values_transformer_space)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_values_transformer_space) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [proc.name]
|
||||
@@ -1161,15 +1144,17 @@ TEST_F(test_falco_engine, exceptions_values_transformer_space)
|
||||
- [toupper( proc.pname)]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
|
||||
EXPECT_TRUE(check_warning_message("'toupper( proc.pname)' may be a valid field transformer misused as a const string value"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
|
||||
EXPECT_TRUE(
|
||||
check_warning_message("'toupper( proc.pname)' may be a valid field transformer misused "
|
||||
"as a const string value"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_values_transformer_space_quoted)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_values_transformer_space_quoted) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [proc.name]
|
||||
@@ -1178,15 +1163,17 @@ TEST_F(test_falco_engine, exceptions_values_transformer_space_quoted)
|
||||
- ["toupper( proc.pname)"]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
|
||||
EXPECT_TRUE(check_warning_message("'toupper( proc.pname)' may be a valid field transformer misused as a const string value"));
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
|
||||
EXPECT_TRUE(
|
||||
check_warning_message("'toupper( proc.pname)' may be a valid field transformer misused "
|
||||
"as a const string value"));
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_fields_transformer)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_fields_transformer) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: [tolower(proc.name)]
|
||||
@@ -1195,15 +1182,15 @@ TEST_F(test_falco_engine, exceptions_fields_transformer)
|
||||
- [test]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
EXPECT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not tolower(proc.name) = test)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_fields_transformer_quoted)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_fields_transformer_quoted) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: ["tolower(proc.name)"]
|
||||
@@ -1212,15 +1199,15 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_quoted)
|
||||
- [test]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not tolower(proc.name) = test)");
|
||||
}
|
||||
|
||||
TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted)
|
||||
{
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
|
||||
auto rules_content = s_exception_values_rule_base + R"END(
|
||||
exceptions:
|
||||
- name: test_exception
|
||||
fields: ["tolower( proc.name)"]
|
||||
@@ -1229,8 +1216,9 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted)
|
||||
- [test]
|
||||
)END";
|
||||
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
|
||||
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
|
||||
ASSERT_VALIDATION_STATUS(yaml_helper::validation_ok) << m_load_result->schema_validation();
|
||||
ASSERT_FALSE(has_warnings());
|
||||
EXPECT_EQ(get_compiled_rule_condition("test_rule"),
|
||||
"(evt.type = open and not tolower(proc.name) = test)");
|
||||
}
|
||||
|