Add tests for multiple files, disabled rules.

Add test that cover reading from multiple sets of rule files and disabling rules. Specific changes: - Modify falco to allow multiple -r arguments to read from multiple files. - In the test multiplex file, add a disabled_rules attribute, containing a sequence of rules to disable. Result in -D arguments when running falco. - In the test multiplex file, 'rules_file' can be a sequence. It results in multiple -r arguments when running falco. - In the test multiplex file, 'detect_level' can be a squence of multiple severity levels. All levels will be checked for in the output. - Move all test rules files to a rules subdirectory and all trace files to a traces subdirectory. - Add a small trace file for a simple cat of /dev/null. Used by the new tests. - Add the following new tests: - Reading from multiple files, with the first file being empty. Ensure that the rules from the second file are properly loaded. - Reading from multiple files with the last being empty. Ensures that the empty file doesn't overwrite anything from the first file. - Reading from multiple files with varying severity levels for each rule. Ensures that both files are properly read. - Disabling rules from a rules file, both with full rule names and regexes. Will result in not detecting anything.
2025-09-13 13:32:50 +00:00 · 2016-08-04 12:01:54 -07:00
parent 3fbcb35e91
commit c140b23678
11 changed files with 119 additions and 23 deletions
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -33,7 +33,7 @@ void falco_configuration::init(string conf_filename, list<string> &cmdline_optio

 	init_cmdline_options(cmdline_options);

-	m_rules_filename = m_config->get_scalar<string>("rules_file", "/etc/falco_rules.yaml");
+	m_rules_filenames.push_back(m_config->get_scalar<string>("rules_file", "/etc/falco_rules.yaml"));
 	m_json_output = m_config->get_scalar<bool>("json_output", false);

 	falco_outputs::output_config file_output;
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -123,7 +123,7 @@ class falco_configuration
 	void init(std::string conf_filename, std::list<std::string> &cmdline_options);
 	void init(std::list<std::string> &cmdline_options);

-	std::string m_rules_filename;
+	std::list<std::string> m_rules_filenames;
 	bool m_json_output;
 	std::vector<falco_outputs::output_config> m_outputs;
 private:
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -2,6 +2,9 @@

 #include <stdio.h>
 #include <fstream>
+#include <set>
+#include <list>
+#include <string>
 #include <signal.h>
 #include <fcntl.h>
 #include <sys/stat.h>
@@ -41,6 +44,7 @@ static void usage()
 	   " -p, --pidfile <pid_file>      When run as a daemon, write pid to specified file\n"
           " -e <events_file>              Read the events from <events_file> (in .scap format) instead of tapping into live.\n"
           " -r <rules_file>               Rules file (defaults to value set in configuration file, or /etc/falco_rules.yaml).\n"
+	   "                               Can be specified multiple times to read from multiple files.\n"
 	   " -D <pattern>                  Disable any rules matching the regex <pattern>. Can be specified multiple times.\n"
 	   " -L                            Show the name and description of all rules and exit.\n"
 	   " -l <rule>                     Show the name and description of the rule with name <rule> and exit.\n"
@@ -140,7 +144,7 @@ int falco_init(int argc, char **argv)
 	int long_index = 0;
 	string scap_filename;
 	string conf_filename;
-	string rules_filename;
+	list<string> rules_filenames;
 	bool daemon = false;
 	string pidfilename = "/var/run/falco.pid";
 	bool describe_all_rules = false;
@@ -192,7 +196,7 @@ int falco_init(int argc, char **argv)
 				scap_filename = optarg;
 				break;
 			case 'r':
-				rules_filename = optarg;
+				rules_filenames.push_back(optarg);
 				break;
 			case 'D':
 				pattern = optarg;
@@ -273,14 +277,16 @@ int falco_init(int argc, char **argv)
 			falco_logger::log(LOG_INFO, "Falco initialized. No configuration file found, proceeding with defaults\n");
 		}

-		if (rules_filename.size())
+		if (rules_filenames.size())
 		{
-			config.m_rules_filename = rules_filename;
+			config.m_rules_filenames = rules_filenames;
 		}

-		engine->load_rules_file(rules_filename, verbose, all_events);
-
-		falco_logger::log(LOG_INFO, "Parsed rules from file " + rules_filename + "\n");
+		for (auto filename : config.m_rules_filenames)
+		{
+			engine->load_rules_file(filename, verbose, all_events);
+			falco_logger::log(LOG_INFO, "Parsed rules from file " + filename + "\n");
+		}

 		for (auto pattern : disabled_rule_patterns)
 		{