mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-22 03:49:36 +00:00
Add tests for event type rule identification
Add tests that verify that the event type identification functionality
is working. Notable changes:
- Modify falco_test.py to additionally check for warnings when loading
any set of rules and verify that the event types for each rule match
expected values. This is controlled by the new multiplex fields
"rules_warning" and "rules_events".
- Instead of starting with an empty falco_tests.yaml from scratch from
the downloaded trace files, use a checked-in version which defines
two tests:
- Loading the checked-in falco_rules.yaml and verify that no rules
have warnings.
- A sample falco_rules_warnings.yaml that has ~30 different
mutations of rule filtering expressions. The test verifies for each
rule whether or not the rule should result in a warning and what the
extracted event types are.
The generated tests from the trace files are appended to this file.
- Add an empty .scap file to use with the above tests.
This commit is contained in:
Mark Stemm
@@ -36,7 +36,7 @@ EOF
|
||||
}
|
||||
|
||||
function prepare_multiplex_file() {
|
||||
echo "trace_files: !mux" > $MULT_FILE
|
||||
cp $SCRIPTDIR/falco_tests.yaml.in $MULT_FILE
|
||||
|
||||
prepare_multiplex_fileset traces-positive True Warning False
|
||||
prepare_multiplex_fileset traces-negative False Warning True
|
||||
|
||||
Reference in New Issue
Block a user