Add additional rules/tests for pipe installers.

Add additional rules related to using pipe installers within a fbash session: - Modify write_etc to only trigger if *not* in a fbash session. There's a new rule write_etc_installer which has the same conditions when in a fbash session, logging at INFO severity. - A new rule write_rpm_database warns if any non package management program tries to write below /var/lib/rpm. - Add a new warning if any program below a fbash session tries to open an outbound network connection on ports other than http(s) and dns. - Add INFO level messages when programs in a fbash session try to run package management binaries (rpm,yum,etc) or service management (systemctl,chkconfig,etc) binaries. In order to test these new INFO level rules, make up a third class of trace files traces-info.zip containing trace files that should result in info-level messages. To differentiate warning and info level detection, add an attribute to the multiplex file "detect_level", which is "Warning" for the files in traces-positive and "Info" for the files in traces-info. Modify falco_test.py to look specifically for a non-zero count for the given detect_level. Doing this exposed a bug in the way the level-specific counts were being recorded--they were keeping counts by level name, not number. Fix that.
2025-10-22 12:27:10 +00:00 · 2016-06-01 16:01:37 -07:00
parent 31c87c295a
commit fc6d775e5b
5 changed files with 91 additions and 20 deletions
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -18,6 +18,9 @@ class FalcoTest(Test):
        self.should_detect = self.params.get('detect', '*')
        self.trace_file = self.params.get('trace_file', '*')

+        if self.should_detect:
+            self.detect_level = self.params.get('detect_level', '*')
+
        # Doing this in 2 steps instead of simply using
        # module_is_loaded to avoid logging lsmod output to the log.
        lsmod_output = process.system_output("lsmod", verbose=False)
@@ -44,17 +47,29 @@ class FalcoTest(Test):
                cmd, res.exit_status))

        # Get the number of events detected.
-        res = re.search('Events detected: (\d+)', res.stdout)
-        if res is None:
+        match = re.search('Events detected: (\d+)', res.stdout)
+        if match is None:
            self.fail("Could not find a line 'Events detected: <count>' in falco output")

-        events_detected = int(res.group(1))
+        events_detected = int(match.group(1))

        if not self.should_detect and events_detected > 0:
            self.fail("Detected {} events when should have detected none".format(events_detected))

-        if self.should_detect and events_detected == 0:
-            self.fail("Detected {} events when should have detected > 0".format(events_detected))
+        if self.should_detect:
+            if events_detected == 0:
+                self.fail("Detected {} events when should have detected > 0".format(events_detected))
+
+            level_line = '{}: (\d+)'.format(self.detect_level)
+            match = re.search(level_line, res.stdout)
+
+            if match is None:
+                self.fail("Could not find a line '{}: <count>' in falco output".format(self.detect_level))
+
+            events_detected = int(match.group(1))
+
+            if not events_detected > 0:
+                self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, self.detect_level))

        pass