Add test for truncated outputs.

Add a test that specifically tests truncated outputs. A rule contains an output field %fd.cport which has no value for an open event. Ensure that the rule's output has <NA> for the cport and the remainder of the rule's output is filled in.
2025-06-29 16:17:32 +00:00 · 2017-01-03 11:12:56 -08:00 · 2017-01-03 11:12:56 -08:00 · f4bb49f1f5
commit f4bb49f1f5
parent 362a6b7b9a
3 changed files with 19 additions and 0 deletions
--- a/test/falco_test.py
+++ b/test/falco_test.py
@ -17,6 +17,7 @@ class FalcoTest(Test):
        """
        self.falcodir = self.params.get('falcodir', '/', default=os.path.join(self.basedir, '../build'))

+        self.stdout_contains = self.params.get('stdout_contains', '*', default='')
        self.stderr_contains = self.params.get('stderr_contains', '*', default='')
        self.exit_status = self.params.get('exit_status', '*', default=0)
        self.should_detect = self.params.get('detect', '*', default=False)
@ -204,6 +205,11 @@ class FalcoTest(Test):
            if match is None:
                self.fail("Stderr of falco process did not contain content matching {}".format(self.stderr_contains))

+        if self.stdout_contains != '':
+            match = re.search(self.stdout_contains, res.stdout)
+            if match is None:
+                self.fail("Stdout of falco process '{}' did not contain content matching {}".format(res.stdout, self.stdout_contains))
+
        if res.exit_status != self.exit_status:
            self.error("Falco command \"{}\" exited with unexpected return value {} (!= {})".format(
                cmd, res.exit_status, self.exit_status))
--- a/test/falco_tests.yaml.in
+++ b/test/falco_tests.yaml.in
@ -154,6 +154,14 @@ trace_files: !mux
      - rules/single_rule_enabled_flag.yaml
    trace_file: trace_files/cat_write.scap

+  null_output_field:
+    detect: True
+    detect_level: WARNING
+    rules_file:
+      - rules/null_output_field.yaml
+    trace_file: trace_files/cat_write.scap
+    stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null."
+
  file_output:
    detect: True
    detect_level: WARNING
--- a/test/rules/null_output_field.yaml
+++ b/test/rules/null_output_field.yaml
@ -0,0 +1,5 @@
+- rule: open_from_cat
+  desc: A process named cat does an open
+  condition: evt.type=open and proc.name=cat
+  output: "An open was seen (cport=%fd.cport command=%proc.cmdline)"
+  priority: WARNING