github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-26 22:57:24 +00:00
Code Issues Projects Releases Wiki Activity

test(engine): cover transformers and field-to-field checks in exceptions

Browse Source 
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
This commit is contained in:
Jason Dellaluce 2024-04-12 18:52:43 +00:00 committed by poiana
parent f18ea1e8b7
commit c6e3cfd115
1 changed files with 167 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

166
unit_tests/engine/test_rule_loader.cpp
View File

@ -976,3 +976,169 @@ TEST_F(test_falco_engine, exceptions_names_not_unique)
ASSERT_TRUE(load_rules(rules_content, "rules.yaml")); ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
ASSERT_TRUE(check_warning_message("Multiple definitions of exception")); ASSERT_TRUE(check_warning_message("Multiple definitions of exception"));
} }
static std::string s_exception_values_rule_base = R"END(
- rule: test_rule
desc: test rule
condition: evt.type = open
output: command=%proc.cmdline
priority: INFO
)END";
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [proc.name]
comps: [=]
values:
- [proc.pname]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)");
EXPECT_TRUE(check_warning_message("string 'proc.pname' may be a valid field wrongly interpreted as a string value"));
}
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_quoted)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [proc.name]
comps: [=]
values:
- ["proc.pname"]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = proc.pname)");
EXPECT_TRUE(check_warning_message("string 'proc.pname' may be a valid field wrongly interpreted as a string value"));
}
TEST_F(test_falco_engine, exceptions_values_rhs_field_ambiguous_space_quoted)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [proc.name]
comps: [=]
values:
- ["proc.pname "]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"proc.pname \")");
EXPECT_TRUE(check_warning_message("string 'proc.pname ' may be a valid field wrongly interpreted as a string value"));
}
TEST_F(test_falco_engine, exceptions_values_rhs_transformer)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [proc.name]
comps: [=]
values:
- [toupper(proc.pname)]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))");
}
TEST_F(test_falco_engine, exceptions_values_transformer_value_quoted)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [proc.name]
comps: [=]
values:
- ["toupper(proc.pname)"]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = toupper(proc.pname))");
}
TEST_F(test_falco_engine, exceptions_values_transformer_space)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [proc.name]
comps: [=]
values:
- [toupper( proc.pname)]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
EXPECT_TRUE(check_warning_message("string 'toupper( proc.pname)' may be a valid field transformer wrongly interpreted as a string value"));
}
TEST_F(test_falco_engine, exceptions_values_transformer_space_quoted)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [proc.name]
comps: [=]
values:
- ["toupper( proc.pname)"]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not proc.name = \"toupper( proc.pname)\")");
EXPECT_TRUE(check_warning_message("string 'toupper( proc.pname)' may be a valid field transformer wrongly interpreted as a string value"));
}
TEST_F(test_falco_engine, exceptions_fields_transformer)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: [tolower(proc.name)]
comps: [=]
values:
- [test]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
EXPECT_FALSE(has_warnings());
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
}
TEST_F(test_falco_engine, exceptions_fields_transformer_quoted)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: ["tolower(proc.name)"]
comps: [=]
values:
- [test]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
ASSERT_FALSE(has_warnings());
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
}
TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted)
{
auto rules_content = s_exception_values_rule_base + R"END(
exceptions:
- name: test_exception
fields: ["tolower( proc.name)"]
comps: [=]
values:
- [test]
)END";
ASSERT_TRUE(load_rules(rules_content, "rules.yaml"));
ASSERT_FALSE(has_warnings());
EXPECT_EQ(get_compiled_rule_condition("test_rule"), "(evt.type = open and not tolower(proc.name) = test)");
}