diff --git a/test/confs/file_output.yaml b/test/confs/file_output.yaml
new file mode 100644
index 00000000..9e35aa82
--- /dev/null
+++ b/test/confs/file_output.yaml
@@ -0,0 +1,27 @@
+# File containing Falco rules, loaded at startup.
+rules_file: /etc/falco_rules.yaml
+
+# Whether to output events in json or text
+json_output: false
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: false
+log_syslog: false
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+ enabled: false
+
+file_output:
+ enabled: true
+ filename: /tmp/falco_outputs/file_output.txt
+
+stdout_output:
+ enabled: true
+
+program_output:
+ enabled: false
+ program: mail -s "Falco Notification" someone@example.com
diff --git a/test/confs/program_output.yaml b/test/confs/program_output.yaml
new file mode 100644
index 00000000..85cc017b
--- /dev/null
+++ b/test/confs/program_output.yaml
@@ -0,0 +1,27 @@
+# File containing Falco rules, loaded at startup.
+rules_file: /etc/falco_rules.yaml
+
+# Whether to output events in json or text
+json_output: false
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: false
+log_syslog: false
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+ enabled: false
+
+file_output:
+ enabled: false
+ filename: ./output.txt
+
+stdout_output:
+ enabled: true
+
+program_output:
+ enabled: true
+ program: cat > /tmp/falco_outputs/program_output.txt
diff --git a/test/falco_test.py b/test/falco_test.py
index 66eff585..2c0131c7 100644
--- a/test/falco_test.py
+++ b/test/falco_test.py
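Review bot: `program: cat > /tmp/falco_outputs/program_output.txt` in program_output.yaml truncates the capture file on every invocation, so if Falco runs the program once per notification (how often it is spawned is not visible here) only the last event survives and a test asserting on two distinct lines would fail for the wrong reason; `program: cat >> /tmp/falco_outputs/program_output.txt` records every notification. Both confs also hard-code a fixed path under the world-writable /tmp, which is only safe as long as the runner owns that directory; a per-run directory substituted into the confs would avoid a pre-existing directory or symlink planted by another local user. A one-line comment on the program line, such as `# test-only: capture notifications for check_outputs`, would make the purpose of the odd program obvious.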
@@ -36,6 +36,10 @@ class FalcoTest(Test): file = os.path.join(self.basedir, file) self.rules_args = self.rules_args + "-r " + file + " " + self.conf_file = self.params.get('conf_file', '*', default=os.path.join(self.basedir, '../falco.yaml')) + if not os.path.isabs(self.conf_file): + self.conf_file = os.path.join(self.basedir, self.conf_file) + self.disabled_rules = self.params.get('disabled_rules', '*', default='') if self.disabled_rules == '': @@ -82,6 +86,20 @@ class FalcoTest(Test): self.str_variant = self.trace_file + self.outputs = self.params.get('outputs', '*', default='') + + if self.outputs == '': + self.outputs = {} + else: + outputs = [] + for item in self.outputs: + for item2 in item: + output = {} + output['file'] = item2[0] + output['line'] = item2[1] + outputs.append(output) + self.outputs = outputs + def check_rules_warnings(self, res): found_warning = sets.Set() @@ -140,6 +158,23 @@ class FalcoTest(Test): if not events_detected > 0: self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level)) + def check_outputs(self): + for output in self.outputs: + # Open the provided file and match each line against the + # regex in line. + file = open(output['file'], 'r') + found = False + for line in file: + match = re.search(output['line'], line) + + if match is not None: + found = True + + if found == False: + self.fail("Could not find a line '{}' in file '{}'".format(output['line'], output['file'])) + + return True + def check_json_output(self, res): if self.json_output: # Just verify that any lines starting with '{' are valid json objects. 
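Review bot: The default for conf_file is already joined with self.basedir, so whenever self.basedir is relative the new `if not os.path.isabs(self.conf_file)` branch prefixes it a second time and Falco is pointed at `<basedir>/<basedir>/../falco.yaml`; whether basedir can be relative depends on how it is assigned outside this hunk. A bare relative default lets the single join below resolve both the default and a user-supplied value the same way: `self.conf_file = self.params.get('conf_file', '*', default='../falco.yaml')`. The enclosing method starts before and continues after the hunk.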
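Review bot: The parsing loop `for item in self.outputs: for item2 in item: output['file'] = item2[0]` only works if the multiplexer hands each `outputs` entry over as a sequence of (path, regex) pairs; with a plain dict, which is what the YAML in falco_tests.yaml.in looks like, `item2` would be the path string and `item2[0]`/`item2[1]` its first two characters. That dependency deserves a comment such as `# the multiplexer loader yields each mapping entry as a (key, value) pair` or an explicit `.items()` when item is a dict. The empty case also sets `self.outputs = {}` while the populated case builds a list; `self.outputs = []` keeps one type for check_outputs to iterate. The enclosing method starts before and continues after the hunk.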
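Review bot: check_outputs opens each output file with a bare `open()` and never closes it, keeps scanning after the first match, and a missing or unreadable file raises an IOError instead of a test failure that names the file; `found == False` should also be `not found`. Rewriting the loop with a context manager and `any()` fixes all of these while keeping the same failure message for the no-match case. The returned True is unused by the caller added in a later hunk and can stay for compatibility.
```python
    def check_outputs(self):
        for output in self.outputs:
            # Open the provided file and match each line against the
            # regex in line; a missing file is a test failure, not a crash.
            try:
                with open(output['file'], 'r') as fh:
                    found = any(re.search(output['line'], line) for line in fh)
            except IOError as err:
                self.fail("Could not open output file '{}': {}".format(output['file'], err))

            if not found:
                self.fail("Could not find a line '{}' in file '{}'".format(output['line'], output['file']))

        return True
```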
@@ -155,8 +190,8 @@ class FalcoTest(Test): self.log.info("Trace file %s", self.trace_file) # Run the provided trace file though falco - cmd = '{}/userspace/falco/falco {} {} -c {}/../falco.yaml -e {} -o json_output={} -v'.format( - self.falcodir, self.rules_args, self.disabled_args, self.falcodir, self.trace_file, self.json_output) + cmd = '{}/userspace/falco/falco {} {} -c {} -e {} -o json_output={} -v'.format( + self.falcodir, self.rules_args, self.disabled_args, self.conf_file, self.trace_file, self.json_output) self.falco_proc = process.SubProcess(cmd) @@ -171,6 +206,7 @@ class FalcoTest(Test): self.check_rules_events(res) self.check_detections(res) self.check_json_output(res) + self.check_outputs() pass diff --git a/test/falco_tests.yaml.in b/test/falco_tests.yaml.in index 77d15b8e..793446c6 100644 --- a/test/falco_tests.yaml.in +++ b/test/falco_tests.yaml.in @@ -112,3 +112,23 @@ trace_files: !mux disabled_rules: - "open.*" trace_file: trace_files/cat_write.scap + + file_output: + detect: True + detect_level: WARNING + rules_file: + - rules/single_rule.yaml + conf_file: confs/file_output.yaml + trace_file: trace_files/cat_write.scap + outputs: + - /tmp/falco_outputs/file_output.txt: Warning An open was seen + + program_output: + detect: True + detect_level: WARNING + rules_file: + - rules/single_rule.yaml + conf_file: confs/program_output.yaml + trace_file: trace_files/cat_write.scap + outputs: + - /tmp/falco_outputs/program_output.txt: Warning An open was seen diff --git a/test/run_regression_tests.sh b/test/run_regression_tests.sh index dd06ca0c..2b707fe5 100755 --- a/test/run_regression_tests.sh +++ b/test/run_regression_tests.sh @@ -50,6 +50,8 @@ function prepare_multiplex_file() { } function run_tests() { + rm -rf /tmp/falco_outputs + mkdir /tmp/falco_outputs CMD="avocado run --multiplex $MULT_FILE --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py" echo "Running: $CMD" $CMD
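Review bot: `rm -rf /tmp/falco_outputs` followed by `mkdir /tmp/falco_outputs` in run_tests uses a fixed, predictable name in world-writable /tmp and does not check the mkdir result, so there is a window in which another local user can create /tmp/falco_outputs (or a symlink of that name); mkdir then fails unnoticed, the tests still run, and the file_output and program_output confs make Falco, which typically runs with root privileges for its driver, write into a directory that user controls. Create the directory per run with `OUTDIR=$(mktemp -d)` and substitute it into the two confs the way prepare_multiplex_file already templates falco_tests.yaml.in, or at minimum `mkdir /tmp/falco_outputs || exit 1` so a failed mkdir aborts the run. Whether the script runs under set -e is not visible in this hunk.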