Allow append skipped rules (#346)

* Allow appending to skipped rules If a rule has an append attribute but the original rule was skipped (due to having lower priority than the configured priority), silently skip the appending rule instead of returning an error. * Unit test for appending to skipped rules Unit test verifies fix for appending to skipped rules. One rules file defines a rule with priority WARNING, a second rules file appends to that rules file, and the configured priority is ERROR. Ensures that falco rules without errors.
2025-06-28 07:37:32 +00:00 · 2018-04-05 10:28:45 -07:00 · 2018-04-05 10:28:45 -07:00 · a5daf8b058
commit a5daf8b058
parent a0053dba18
3 changed files with 21 additions and 5 deletions
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@ -642,6 +642,14 @@ trace_files: !mux
      - rules/rule_append_failure.yaml
    trace_file: trace_files/cat_write.scap

+  rule_append_skipped:
+    detect: False
+    priority: ERROR
+    rules_file:
+      - rules/single_rule.yaml
+      - rules/append_single_rule.yaml
+    trace_file: trace_files/cat_write.scap
+
  rule_append:
    detect: True
    detect_level: WARNING
@ -670,4 +678,4 @@ trace_files: !mux
    detect_level: INFO
    rules_file:
      - rules/detect_connect_using_in.yaml
-    trace_file: trace_files/connect_localhost.scap
+    trace_file: trace_files/connect_localhost.scap
--- a/test/rules/append_single_rule.yaml
+++ b/test/rules/append_single_rule.yaml
@ -0,0 +1,3 @@
+- rule: open_from_cat
+  append: true
+  condition: and fd.name=/tmp
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@ -132,7 +132,8 @@ end
 -- object. The by_name index is used for things like describing rules,
 -- and the by_idx index is used to map the relational node index back
 -- to a rule.
-local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={}, macros_by_name={}, lists_by_name={},
+local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={},
+	       skipped_rules_by_name={}, macros_by_name={}, lists_by_name={},
 	       n_rules=0, rules_by_idx={}, ordered_rule_names={}, ordered_macro_names={}, ordered_list_names={}}

 local function reset_rules(rules_mgr)
@ -291,11 +292,13 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
 	    end

 	    if state.rules_by_name[v['rule']] == nil then
-	       error ("Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists")
+	       if state.skipped_rules_by_name[v['rule']] == nil then
+		  error ("Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists")
+	       end
+	    else
+	       state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
 	    end

-	    state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
-
 	 else

 	    for i, field in ipairs({'condition', 'output', 'desc', 'priority'}) do
@ -320,6 +323,8 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
 	       v['output'] = compiler.trim(v['output'])

 	       state.rules_by_name[v['rule']] = v
+	    else
+	       state.skipped_rules_by_name[v['rule']] = v
 	    end
 	 end
      else