From 9ecdf30314b9aa90f37bda2abc3f46a91f03fd63 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Wed, 28 Dec 2016 15:19:59 -0800
Subject: [PATCH] tests for overriding rules/macros/lists
New tests that test every possible override:
- Overriding a rule with one that doesn't match
- Overriding a macro to one that doesn't match
- Overriding a top level list to a binary that doesn't match
- Overriding an embedded list to one that doesn't match
In each case, the override results in no longer matching an open by the program "cat".
---
test/falco_tests.yaml.in | 28 ++++++++++++++++++++++++++++
test/rules/override_list.yaml | 2 ++
test/rules/override_macro.yaml | 2 ++
test/rules/override_nested_list.yaml | 2 ++
test/rules/override_rule.yaml | 5 +++++
test/rules/single_rule.yaml | 8 +++++++-
6 files changed, 46 insertions(+), 1 deletion(-)
create mode 100644 test/rules/override_list.yaml
create mode 100644 test/rules/override_macro.yaml
create mode 100644 test/rules/override_nested_list.yaml
create mode 100644 test/rules/override_rule.yaml
diff --git a/test/falco_tests.yaml.in b/test/falco_tests.yaml.in
index 37fe61d3..8dca99d4 100644
--- a/test/falco_tests.yaml.in
+++ b/test/falco_tests.yaml.in
@@ -95,6 +95,34 @@ trace_files: !mux
 - rules/double_rule.yaml
 trace_file: trace_files/cat_write.scap
+ multiple_rules_overriding:
+ detect: False
+ rules_file:
+ - rules/single_rule.yaml
+ - rules/override_rule.yaml
+ trace_file: trace_files/cat_write.scap
+
+ macro_overriding:
+ detect: False
+ rules_file:
+ - rules/single_rule.yaml
+ - rules/override_macro.yaml
+ trace_file: trace_files/cat_write.scap
+
+ list_overriding:
+ detect: False
+ rules_file:
+ - rules/single_rule.yaml
+ - rules/override_list.yaml
+ trace_file: trace_files/cat_write.scap
+
+ nested_list_overriding:
+ detect: False
+ rules_file:
+ - rules/single_rule.yaml
+ - rules/override_nested_list.yaml
+ trace_file: trace_files/cat_write.scap
+
 invalid_rule_output:
 exit_status: 1
 stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
diff --git a/test/rules/override_list.yaml b/test/rules/override_list.yaml
new file mode 100644
index 00000000..f5a8cfbb
--- /dev/null
+++ b/test/rules/override_list.yaml
@@ -0,0 +1,2 @@
+- list: cat_capable_binaries
+ items: [not-cat]
\ No newline at end of file
diff --git a/test/rules/override_macro.yaml b/test/rules/override_macro.yaml
new file mode 100644
index 00000000..676d0243
--- /dev/null
+++ b/test/rules/override_macro.yaml
@@ -0,0 +1,2 @@
+- macro: is_cat
+ condition: proc.name in (not-cat)
diff --git a/test/rules/override_nested_list.yaml b/test/rules/override_nested_list.yaml
new file mode 100644
index 00000000..4d1aebc0
--- /dev/null
+++ b/test/rules/override_nested_list.yaml
@@ -0,0 +1,2 @@
+- list: cat_binaries
+ items: [not-cat]
\ No newline at end of file
diff --git a/test/rules/override_rule.yaml b/test/rules/override_rule.yaml
new file mode 100644
index 00000000..20a2191a
--- /dev/null
+++ b/test/rules/override_rule.yaml
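Review bot: All four new cases (`multiple_rules_overriding` through `nested_list_overriding`) assert only `detect: False`, so a negative result alone cannot tell "the override took effect" apart from "the second rules file was ignored or never loaded"; whether the harness also rejects a non-zero exit by default is not visible here. Consider pinning the exit status in each case, `exit_status: 0` next to `detect: False`, in the same way `invalid_rule_output` pins `exit_status: 1`, and/or adding one positive case where the overriding definition matches a different program so that the replacement itself is observed rather than inferred. A one-line comment above `multiple_rules_overriding:` such as `# a later rules file replaces an earlier rule/macro/list of the same name; each case below expects the cat open to stop matching` would record what these cases are asserting.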
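Review bot: `override_list.yaml` is written without a trailing newline (`\ No newline at end of file`), as are `override_nested_list.yaml` and `override_rule.yaml` later in this patch, while `override_macro.yaml` has one; the four new files should be consistent, and a final newline keeps future one-line edits to these files from showing up as a changed last line. This is a style point only; the file content `- list: cat_capable_binaries` / `items: [not-cat]` is fine as an override fixture.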
@@ -0,0 +1,5 @@
+- rule: open_from_cat
+ desc: A process named cat does an open
+ condition: evt.type=open and proc.name=not-cat
+ output: "An open was seen (command=%proc.cmdline)"
+ priority: WARNING
\ No newline at end of file
diff --git a/test/rules/single_rule.yaml b/test/rules/single_rule.yaml
index 3044c6b8..ccba5ea9 100644
--- a/test/rules/single_rule.yaml
+++ b/test/rules/single_rule.yaml
@@ -1,5 +1,11 @@
+- list: cat_binaries
+ items: [cat]
+
+- list: cat_capable_binaries
+ items: [cat_binaries]
+
 - macro: is_cat
- condition: proc.name=cat
+ condition: proc.name in (cat_capable_binaries)
 - rule: open_from_cat
 desc: A process named cat does an open
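Review bot: The `desc` of the overriding rule still reads `A process named cat does an open` while its condition is `proc.name=not-cat`, so the description contradicts the rule it documents and a reader of test output or of the fixture cannot tell that this file is deliberately the non-matching replacement. Suggest `desc: Override of open_from_cat that only matches a process named not-cat` so the fixture states its own purpose.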
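Review bot: The new `cat_capable_binaries` list has `cat_binaries` as its only item, and nothing in the file says that this nesting is intentional rather than a leftover indirection; a later maintainer could collapse it to `items: [cat]` and silently remove the fixture that `nested_list_overriding` depends on. A comment above `- list: cat_capable_binaries` such as `# deliberately nests cat_binaries so that overriding the inner list (override_nested_list.yaml) is exercised` would protect that intent.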