New tests for rule + exception, macro with unknown source

Add new test cases for a rule with an unknown source *and* an
exception, and a macro with an unknown source.

The first results in a rule warning (and no error), and the second
prints an error and skips.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Mark Stemm
2022-03-01 16:48:10 -08:00
committed by poiana
parent 3fbc90e99e
commit df219b5e1d
3 changed files with 29 additions and 0 deletions

@@ -0,0 +1,9 @@
- rule: Cloudtrail Create Instance
desc: Detect Creating an EC2 Instance
condition: evt.num > 0 and ct.name="StartInstances"
output: EC2 Instance Created (evtnum=%evt.num info=%evt.plugininfo id=%ct.id user name=%json.value[/userIdentity/userName])
exceptions:
- name: user_secreid
fields: [aws.user, aws.region]
priority: INFO
source: aws_cloudtrail
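Review bot: the exception name `user_secreid` does not match the fields it covers (`aws.user`, `aws.region`) and reads like a typo; a name such as `user_region` would make the fixture's intent clear. Since this file exists to exercise the loader path where the rule's `source: aws_cloudtrail` is unknown (so neither the condition/output fields `ct.name`, `ct.id`, `json.value` nor the exception fields can be validated), a leading `#` comment stating the expected outcome (rule warning, no error, as the commit message describes) would let a reader understand the fixture without consulting the test harness.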

@@ -0,0 +1,4 @@
- macro: Some Cloudtrail Macro
condition: aws.user=bob
source: aws_cloudtrail
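Review bot: this fixture does not record why the macro is expected to be rejected; add a `#` comment on the first line noting that `source: aws_cloudtrail` is unknown to the loader and that the macro should produce an error and be skipped (the behaviour the commit message describes), so the expected result is visible next to the input rather than only in the test code.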