github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-30 08:32:12 +00:00
Code Issues Projects Releases Wiki Activity

Allow append skipped rules (#346)

Browse Source 
* Allow appending to skipped rules

If a rule has an append attribute but the original rule was skipped (due
to having lower priority than the configured priority), silently skip
the appending rule instead of returning an error.

* Unit test for appending to skipped rules

Unit test verifies fix for appending to skipped rules. One rules file
defines a rule with priority WARNING, a second rules file appends to
that rules file, and the configured priority is ERROR.

Ensures that falco rules without errors.
This commit is contained in:
Mark Stemm 2018-04-05 10:28:45 -07:00 committed by GitHub
parent a0053dba18
commit a5daf8b058
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
test/falco_tests.yaml
View File

@ -642,6 +642,14 @@ trace_files: !mux
- rules/rule_append_failure.yaml - rules/rule_append_failure.yaml
trace_file: trace_files/cat_write.scap trace_file: trace_files/cat_write.scap
rule_append_skipped:
detect: False
priority: ERROR
rules_file:
- rules/single_rule.yaml
- rules/append_single_rule.yaml
trace_file: trace_files/cat_write.scap
rule_append: rule_append:
detect: True detect: True
detect_level: WARNING detect_level: WARNING

3
test/rules/append_single_rule.yaml Normal file
View File

@ -0,0 +1,3 @@
- rule: open_from_cat
append: true
condition: and fd.name=/tmp

9
userspace/engine/lua/rule_loader.lua
View File

@ -132,7 +132,8 @@ end
-- object. The by_name index is used for things like describing rules, -- object. The by_name index is used for things like describing rules,
-- and the by_idx index is used to map the relational node index back -- and the by_idx index is used to map the relational node index back
-- to a rule. -- to a rule.
local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={}, macros_by_name={}, lists_by_name={}, local state = {macros={}, lists={}, filter_ast=nil, rules_by_name={},
skipped_rules_by_name={}, macros_by_name={}, lists_by_name={},
n_rules=0, rules_by_idx={}, ordered_rule_names={}, ordered_macro_names={}, ordered_list_names={}} n_rules=0, rules_by_idx={}, ordered_rule_names={}, ordered_macro_names={}, ordered_list_names={}}
local function reset_rules(rules_mgr) local function reset_rules(rules_mgr)
@ -291,10 +292,12 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
end end
if state.rules_by_name[v['rule']] == nil then if state.rules_by_name[v['rule']] == nil then
if state.skipped_rules_by_name[v['rule']] == nil then
error ("Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists") error ("Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists")
end end
else
state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition'] state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
end
else else
@ -320,6 +323,8 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac
v['output'] = compiler.trim(v['output']) v['output'] = compiler.trim(v['output'])
state.rules_by_name[v['rule']] = v state.rules_by_name[v['rule']] = v
else
state.skipped_rules_by_name[v['rule']] = v
end end
end end
else else