Add additional rules/tests for pipe installers.

Add additional rules related to using pipe installers within a fbash
session:

 - Modify write_etc to only trigger if *not* in a fbash session. There's
   a new rule write_etc_installer which has the same conditions when in
   a fbash session, logging at INFO severity.

 - A new rule write_rpm_database warns if any non-package-management
   program tries to write below /var/lib/rpm.

 - Add a new warning if any program below a fbash session tries to open
   an outbound network connection on ports other than http(s) and dns.

 - Add INFO level messages when programs in a fbash session try to run
   package management binaries (rpm, yum, etc.) or service
   management (systemctl, chkconfig, etc.) binaries.

In order to test these new INFO level rules, make up a third class of
trace files traces-info.zip containing trace files that should result in
info-level messages.

To differentiate warning and info level detection, add an attribute to
the multiplex file "detect_level", which is "Warning" for the files in
traces-positive and "Info" for the files in traces-info. Modify
falco_test.py to look specifically for a non-zero count for the given
detect_level.

Doing this exposed a bug in the way the level-specific counts were being
recorded--they were keeping counts by level name, not number. Fix that.
Mark Stemm
2016-06-01 16:01:37 -07:00
parent 31c87c295a
commit fc6d775e5b
5 changed files with 91 additions and 20 deletions

@@ -5,7 +5,8 @@ SCRIPTDIR=$(dirname $SCRIPT)
MULT_FILE=$SCRIPTDIR/falco_tests.yaml
function download_trace_files() {
for TRACE in traces-positive traces-negative ; do
for TRACE in traces-positive traces-negative traces-info ; do
rm -rf $SCRIPTDIR/$TRACE
curl -so $SCRIPTDIR/$TRACE.zip https://s3.amazonaws.com/download.draios.com/falco-tests/$TRACE.zip &&
unzip -d $SCRIPTDIR $SCRIPTDIR/$TRACE.zip &&
rm -rf $SCRIPTDIR/$TRACE.zip
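Review bot: a missing traces-info.zip in the bucket goes unnoticed with this download chain. Without `-f`, curl exits 0 on an HTTP error and writes the error body to `$SCRIPTDIR/$TRACE.zip`, unzip then fails and the `&&` chain just stops, and the `[ -e "$trace" ] || continue` guard in the new info loop means every info-level test is silently skipped rather than reported. Suggest `curl -sfo $SCRIPTDIR/$TRACE.zip ...` and aborting the run (`|| exit 1`) when any of the three archives cannot be fetched and unpacked, and confirm the new archive has actually been uploaded before this is merged.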
@@ -21,6 +22,7 @@ function prepare_multiplex_file() {
cat << EOF >> $MULT_FILE
$NAME:
detect: True
detect_level: Warning
trace_file: $trace
EOF
done
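Review bot: only the traces-positive heredoc gains a `detect_level` key here; the traces-negative entries (the heredoc whose `EOF` / `done` open the next hunk) are left without one. falco_test.py must therefore tolerate an absent `detect_level` for `detect: False` entries, or this hunk should give those entries a level as well so every multiplex entry has the same shape.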
@@ -35,6 +37,17 @@ EOF
EOF
done
for trace in $SCRIPTDIR/traces-info/*.scap ; do
[ -e "$trace" ] || continue
NAME=`basename $trace .scap`
cat << EOF >> $MULT_FILE
$NAME:
detect: True
detect_level: Informational
trace_file: $trace
EOF
done
echo "Contents of $MULT_FILE:"
cat $MULT_FILE
}
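Review bot: `detect_level: Informational` disagrees with the commit message, which says the traces-info entries get "Info". Since falco_test.py now looks for a non-zero count keyed by this string, the spelling used here, the `Warning` value in the previous hunk, and whatever name falco itself reports for the level have to match exactly, otherwise the info tests will always see a zero count. Minor: the copied loop uses backticks in `NAME=\`basename $trace .scap\``; `NAME=$(basename "$trace" .scap)` is the form used at the top of the script (`SCRIPTDIR=$(dirname $SCRIPT)`) and also survives paths with spaces.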