From 9cb25be5bdeca6591da3b2d621bb3eb5adc16b56 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 13 Oct 2020 11:20:12 -0700
Subject: [PATCH] Squash w/ test commit.
---
 test/falco_tests_exceptions.yaml | 14 +++++++
 .../rule_exception_single_field.yaml | 30 +++++++++++++++
 .../rule_exception_single_field_append.yaml | 37 +++++++++++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 test/rules/exceptions/rule_exception_single_field.yaml
 create mode 100644 test/rules/exceptions/rule_exception_single_field_append.yaml
diff --git a/test/falco_tests_exceptions.yaml b/test/falco_tests_exceptions.yaml
index f9f8f576..02844c55 100644
--- a/test/falco_tests_exceptions.yaml
+++ b/test/falco_tests_exceptions.yaml
@@ -306,4 +306,18 @@ trace_files: !mux
 - rules/exceptions/rule_exception_values_list.yaml
 trace_file: trace_files/cat_write.scap
+ rule_exception_single_field:
+ detect: False
+ detect_level: WARNING
+ rules_file:
+ - rules/exceptions/rule_exception_single_field.yaml
+ trace_file: trace_files/cat_write.scap
+
+ rule_exception_single_field_append:
+ detect: False
+ detect_level: WARNING
+ rules_file:
+ - rules/exceptions/rule_exception_single_field_append.yaml
+ trace_file: trace_files/cat_write.scap
+
diff --git a/test/rules/exceptions/rule_exception_single_field.yaml b/test/rules/exceptions/rule_exception_single_field.yaml
new file mode 100644
index 00000000..d3533073
--- /dev/null
+++ b/test/rules/exceptions/rule_exception_single_field.yaml
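Review bot: Both new cases assert only the negative outcome (`detect: False`), so each would also pass if the `Open From Cat` condition never matched cat_write.scap at all, independently of whether the exception did its job; unless an existing case in this file already confirms that the rule fires on this trace without an exception, a positive control (same trace, a rules file with the exception removed, `detect: True` in the capitalisation used here) would make the two new cases meaningful. The two entries differ only in `rules_file`, which is expected, but a one-line comment per case naming the form under test would help, e.g. `# scalar fields/comps form` above the first and `# values added to an existing exception via append: true` above the second. The enclosing `trace_files: !mux` mapping starts outside the hunk.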
@@ -0,0 +1,30 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name=cat
+ output: "An open was seen (command=%proc.cmdline)"
+ exceptions:
+ - name: proc_cmdline
+ fields: proc.cmdline
+ comps: in
+ values:
+ - cat /dev/zero
+ - "cat /dev/null"
+ priority: WARNING
+
diff --git a/test/rules/exceptions/rule_exception_single_field_append.yaml b/test/rules/exceptions/rule_exception_single_field_append.yaml
new file mode 100644
index 00000000..1695bf7e
--- /dev/null
+++ b/test/rules/exceptions/rule_exception_single_field_append.yaml
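Review bot: The two entries under `values` use different scalar styles, `cat /dev/zero` plain and `"cat /dev/null"` double-quoted, with nothing saying whether that is deliberate; if the intent is to exercise both quoting forms, state it in a comment (`# mixed quoting is intentional: plain and quoted values must both match`), otherwise quote both the same way. rule_exception_single_field_append.yaml in this commit has the same mix in its first rule. As the file name suggests, the scalar form of `fields: proc.cmdline` and `comps: in` (rather than a list) appears to be the behaviour under test, so a comment above `exceptions:` naming it as such would help readers, and would also mark this cmdline-only exception as a syntax fixture rather than a template to copy into production rules.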
@@ -0,0 +1,37 @@
+#
+# Copyright (C) 2020 The Falco Authors.
+#
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+- rule: Open From Cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name=cat
+ output: "An open was seen (command=%proc.cmdline)"
+ exceptions:
+ - name: proc_cmdline
+ fields: proc.cmdline
+ comps: in
+ values:
+ - cat /dev/zero
+ priority: WARNING
+
+- rule: Open From Cat
+ exceptions:
+ - name: proc_cmdline
+ values:
+ - "cat /dev/null"
+ append: true
+
+
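Review bot: The second `Open From Cat` block extends the exception solely by `name: proc_cmdline` and carries no `fields`/`comps`, so it is only meaningful because the first block in the same file defines that exception; a comment above it (`# append: true adds values to the proc_cmdline exception defined above; fields/comps are inherited from it`) would make the dependency explicit, and if the loader resolves exception names in file order the two blocks must stay in this order. A second, deliberately divergent value in the appended block is what distinguishes this fixture from rule_exception_single_field.yaml, which is worth a sentence in the same comment so the two files are not later "deduplicated". The file also ends with two blank lines where one is conventional (yamllint empty-lines).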