Rules changes (WIP)

Got as far as the two big rules (write below etc/write below root). Still need to do the rest, and also k8s_audit.
Squash w/ code commit: single field exceptions
2026-04-02 18:12:15 +00:00 · 2020-10-13 17:36:36 -07:00 · 2020-10-13 11:20:32 -07:00 · 2020-10-13 11:20:12 -07:00 · 2020-10-12 15:46:54 -07:00 · 2020-10-12 15:43:23 -07:00
47 changed files with 2206 additions and 501 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -306,6 +306,33 @@ jobs:
      - run:
          name: Execute driver-loader integration tests
          command: /tmp/ws/source/falco/test/driver-loader/run_test.sh /tmp/ws/build/release/
  # Code quality
  "quality/static-analysis":
    docker:
      - image: falcosecurity/falco-builder:latest
        environment:
          BUILD_TYPE: "release"
    steps:
      - run:
          name: Install cppcheck
          command: |
            yum update -y
            yum install epel-release -y
            yum install cppcheck cppcheck-htmlreport -y
      - checkout:
          path: /source/falco
      - run:
          name: Prepare project
          command: /usr/bin/entrypoint cmake
      - run:
          name: cppcheck
          command: /usr/bin/entrypoint cppcheck
      - run:
          name: cppcheck html report
          command: /usr/bin/entrypoint cppcheck_htmlreport
      - store_artifacts:
          path: /build/release/static-analysis-reports
          destination: /static-analysis-reports
  # Sign rpm packages
  "rpm/sign":
    docker:
@@ -546,6 +573,7 @@ workflows:
          requires:
            - "publish/packages-dev"
            - "tests/driver-loader/integration"
      - "quality/static-analysis"
  release:
    jobs:
      - "build/musl":
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,51 @@
 # Change Log
-This file documents all notable changes to Falco. The release numbering uses [semantic versioning](http://semver.org).
+## v0.26.1
 Released on 2020-10-01
 ### Major Changes
 * new: CLI flag `--alternate-lua-dir` to load Lua files from arbitrary paths [[#1419](https://github.com/falcosecurity/falco/pull/1419)] - [@admiral0](https://github.com/admiral0)
 ### Rule Changes
 * rule(Delete or rename shell history): fix warnings/FPs + container teardown [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
 * rule(Write below root): ensure proc_name_exists too [[#1423](https://github.com/falcosecurity/falco/pull/1423)] - [@mstemm](https://github.com/mstemm)
 ## v0.26.0
 Released on 2020-24-09
 ### Major Changes
 * new: address several sources of FPs, primarily from GKE environments. [[#1372](https://github.com/falcosecurity/falco/pull/1372)] - [@mstemm](https://github.com/mstemm)
 * new: driver updated to 2aa88dcf6243982697811df4c1b484bcbe9488a2 [[#1410](https://github.com/falcosecurity/falco/pull/1410)] - [@leogr](https://github.com/leogr)
 * new(scripts/falco-driver-loader): detect and try to build the Falco kernel module driver using different GCC versions available in the current environment. [[#1408](https://github.com/falcosecurity/falco/pull/1408)] - [@fntlnz](https://github.com/fntlnz)
 * new: tgz (tarball) containing the statically-linked (musl) binary of Falco is now automatically built and published on bintray [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
 ### Minor Changes
 * update: bump Falco engine version to 7 [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
 * update: the required_engine_version is now on by default [[#1381](https://github.com/falcosecurity/falco/pull/1381)] - [@leogr](https://github.com/leogr)
 * update: falcosecurity/falco-no-driver image now uses the statically-linked Falco [[#1377](https://github.com/falcosecurity/falco/pull/1377)] - [@leogr](https://github.com/leogr)
 * docs(proposals): artifacts storage [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
 * docs(proposals): artifacts cleanup [[#1375](https://github.com/falcosecurity/falco/pull/1375)] - [@leodido](https://github.com/leodido)
 ### Rule Changes
 * rule(macro inbound_outbound): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
 * rule(macro redis_writing_conf): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
 * rule(macro run_by_foreman): add brackets to disambiguate operator precedence [[#1373](https://github.com/falcosecurity/falco/pull/1373)] - [@ldegio](https://github.com/ldegio)
 * rule(macro consider_packet_socket_communication): enable "Packet socket created in container" rule by default. [[#1402](https://github.com/falcosecurity/falco/pull/1402)] - [@rung](https://github.com/rung)
 * rule(Delete or rename shell history): skip docker overlay filesystems when considering bash history [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
 * rule(Disallowed K8s User): quote colons in user names [[#1393](https://github.com/falcosecurity/falco/pull/1393)] - [@mstemm](https://github.com/mstemm)
 * rule(macro falco_sensitive_mount_containers): Adds a trailing slash to avoid repo naming issues [[#1394](https://github.com/falcosecurity/falco/pull/1394)] - [@bgeesaman](https://github.com/bgeesaman)
 * rule: adds user.loginuid to the default Falco rules that also contain user.name [[#1369](https://github.com/falcosecurity/falco/pull/1369)] - [@csschwe](https://github.com/csschwe)
 ## v0.25.0
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -57,7 +57,7 @@ if(MINIMAL_BUILD)
 endif()
 if(MUSL_OPTIMIZED_BUILD)
-  set(MUSL_FLAGS "-static -Os -D__NEED_struct_timespec -D__NEED_time_t")
+  set(MUSL_FLAGS "-static -Os")
 endif()
 set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
@@ -254,6 +254,9 @@ add_subdirectory(docker)
 # Clang format
 # add_custom_target(format COMMAND clang-format --style=file -i $<TARGET_PROPERTY:falco,SOURCES> COMMENT "Formatting ..." VERBATIM)
 # Static analysis
 include(static-analysis)
 # Shared build variables
 set(FALCO_SINSP_LIBRARY sinsp)
 set(FALCO_SHARE_DIR share/falco)
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -4,14 +4,16 @@ Our release process is mostly automated, but we still need some manual steps to
 Changes and new features are grouped in [milestones](https://github.com/falcosecurity/falco/milestones), the milestone with the next version represents what is going to be released.
-Releases happen on a monthly cadence, towards the 16th of the on-going month, and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
+A release happens every two months ([as per community discussion](https://github.com/falcosecurity/community/blob/master/meeting-notes/2020-09-30.md#agenda)), and we need to assign owners for each (usually we pair a new person with an experienced one). Assignees and the due date are proposed during the [weekly community call](https://github.com/falcosecurity/community). Note that hotfix releases can happen as soon as it is needed.
 Finally, on the proposed due date the assignees for the upcoming release proceed with the processes described below.
 ## Pre-Release Checklist
 Before cutting a release we need to do some homework in the Falco repository. This should take 5 minutes using the GitHub UI.
 ### 1. Release notes
- Let `YYYY-MM-DD` the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
+- Find the LAST release (-1) and use `YYYY-MM-DD` as the day before of the [latest release](https://github.com/falcosecurity/falco/releases)
 - Check the release note block of every PR matching the `is:pr is:merged closed:>YYYY-MM-DD` [filter](https://github.com/falcosecurity/falco/pulls?q=is%3Apr+is%3Amerged+closed%3A%3EYYYY-MM-DD)
    - Ensure the release note block follows the [commit convention](https://github.com/falcosecurity/falco/blob/master/CONTRIBUTING.md#commit-convention), otherwise fix its content
    - If the PR has no milestone, assign it to the milestone currently undergoing release
@@ -28,14 +30,15 @@ Finally, on the proposed due date the assignees for the upcoming release proceed
    - If any, manually correct it then open an issue to automate version number bumping later
    - Versions table in the `README.md` update itself automatically
 - Generate the change log https://github.com/leodido/rn2md, or https://fs.fntlnz.wtf/falco/milestones-changelog.txt for the lazy people (it updates every 5 minutes)
- Add the lastest changes on top the previous `CHANGELOG.md`
+    - If you review timeout errors with `rn2md` try to generate an GitHub Oauth access token and use `-t`
 - Add the latest changes on top the previous `CHANGELOG.md`
 - Submit a PR with the above modifications
 - Await PR approval
- Close the completed milestone as soon PR is merged
+- Close the completed milestone as soon as the PR is merged
 ## Release
-Let `x.y.z` the new version.
+Now assume `x.y.z` is the new version.
 ### 1. Create a tag
@@ -58,15 +61,29 @@ Let `x.y.z` the new version.
 - Use `x.y.z` both as tag version and release title
 - Use the following template to fill the release description:
    ```
    <!-- Substitute x.y.z with the current release version -->
    | Packages | Download                                                                                                                                               |
    | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | rpm      | [![rpm](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/rpm/falco-x.y.z-x86_64.rpm)        |
    | deb      | [![deb](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/deb/stable/falco-x.y.z-x86_64.deb) |
    | tgz      | [![tgz](https://img.shields.io/badge/Falco-x.y.z-%2300aec7?style=flat-square)](https://dl.bintray.com/falcosecurity/bin/x86_64/falco-x.y.z-x86_64.deb) |
    | Images                                                          |
    | --------------------------------------------------------------- |
    | `docker pull docker.io/falcosecurity/falco:_tag_`               |
    | `docker pull docker.io/falcosecurity/falco-driver-loader:_tag_` |
    | `docker pull docker.io/falcosecurity/falco-no-driver:_tag_`     |
    <!-- Copy the relevant part of the changelog here -->
    ### Statistics
-    | Merged PRs        | Number  |
+    | Merged PRs      | Number |
-    |-------------------|---------|
+    | --------------- | ------ |
-    | Not user-facing   | x       |
+    | Not user-facing | x      |
-    | Release note      | x       |
+    | Release note    | x      |
-    | Total             | x       |
+    | Total           | x      |
    <!-- Calculate stats and fill the above table -->
    ```
--- a/brand/README.md
+++ b/brand/README.md
@@ -15,6 +15,21 @@ There are 3 logos available for use in this directory. Use the primary logo unle
 The Falco logo is Apache 2 licensed and free to use in media and publication for the CNCF Falco project.
 ### Colors
 | Name      | PMS  | RGB         |
 |-----------|------|-------------|
 | Teal      | 3125 |   0 174 199 |
 | Cool Gray |   11 |  83  86  90 |
 | Black     |      |   0   0   0 |
 | Blue-Gray | 7700 |  22 92 125  |
 | Gold      | 1375 | 255 158  27 |
 | Orange    |  171 | 255  92  57 |
 | Emerald   | 3278 |   0 155 119 |
 | Green     |  360 | 108 194  74 |
 The primary colors are those in the first two rows.
 ### Slogan
 > Cloud Native Runtime Security
--- a/cmake/modules/static-analysis.cmake
+++ b/cmake/modules/static-analysis.cmake
@@ -0,0 +1,42 @@
 # create the reports folder
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports)
 file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck)
 # cppcheck
 find_program(CPPCHECK cppcheck)
 find_program(CPPCHECK_HTMLREPORT cppcheck-htmlreport)
 if(NOT CPPCHECK)
  message(STATUS "cppcheck command not found, static code analysis using cppcheck will not be available.")
 else()
  message(STATUS "cppcheck found at: ${CPPCHECK}")
  # we are aware that cppcheck can be run
  # along with the software compilation in a single step
  # using the CMAKE_CXX_CPPCHECK variables.
  # However, for practical needs we want to keep the
  # two things separated and have a specific target for it.
  # Our cppcheck target reads the compilation database produced by CMake
  set(CMAKE_EXPORT_COMPILE_COMMANDS On)
  add_custom_target(
      cppcheck
      COMMAND ${CPPCHECK}
      "--enable=all"
      "--force"
      "--inconclusive"
      "--inline-suppr" # allows to specify suppressions directly in source code
      "--project=${CMAKE_CURRENT_BINARY_DIR}/compile_commands.json" # use the compilation database as source
      "--quiet"
      "--xml" # we want to generate a report
      "--output-file=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck/cppcheck.xml" # generate the report under the reports folder in the build folder
      "-i${CMAKE_CURRENT_BINARY_DIR}"# exclude the build folder
  )
 endif() # CPPCHECK
 if(NOT CPPCHECK_HTMLREPORT)
  message(STATUS "cppcheck-htmlreport command not found, will not be able to produce html reports for cppcheck results")
 else()
  message(STATUS "cppcheck-htmlreport found at: ${CPPCHECK_HTMLREPORT}")
  add_custom_target(
    cppcheck_htmlreport
    COMMAND ${CPPCHECK_HTMLREPORT} --title=${CMAKE_PROJECT_NAME} --report-dir=${CMAKE_CURRENT_BINARY_DIR}/static-analysis-reports/cppcheck --file=static-analysis-reports/cppcheck/cppcheck.xml)
 endif() # CPPCHECK_HTMLREPORT
--- a/cmake/modules/sysdig.cmake
+++ b/cmake/modules/sysdig.cmake
@@ -29,8 +29,8 @@ file(MAKE_DIRECTORY ${SYSDIG_CMAKE_WORKING_DIR})
 # default below In case you want to test against another sysdig version just pass the variable - ie., `cmake
 # -DSYSDIG_VERSION=dev ..`
 if(NOT SYSDIG_VERSION)
-  set(SYSDIG_VERSION "73554b9c48b06612eb50494ee6fa5b779c57edc0") # todo(leogr): set the correct version and checksum before merging
+  set(SYSDIG_VERSION "2aa88dcf6243982697811df4c1b484bcbe9488a2")
-  set(SYSDIG_CHECKSUM "SHA256=c1c73498a834533dea61c979786a4ac3866743c17829d81aef209ddaa1b31538")
+  set(SYSDIG_CHECKSUM "SHA256=a737077543a6f3473ab306b424bcf7385d788149829ed1538252661b0f20d0f6")
 endif()
 set(PROBE_VERSION "${SYSDIG_VERSION}")
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
--- a/rules/k8s_audit_rules.yaml
+++ b/rules/k8s_audit_rules.yaml
@@ -49,7 +49,7 @@
    "kubernetes-admin",
    vertical_pod_autoscaler_users,
    cluster-autoscaler,
-    system:addon-manager
+    "system:addon-manager"
    ]
 - rule: Disallowed K8s User
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -585,7 +585,8 @@ class FalcoTest(Test):
        self.check_rules_warnings(res)
        if len(self.rules_events) > 0:
            self.check_rules_events(res)
-        self.check_detections(res)
+        if len(self.validate_rules_file) == 0:
            self.check_detections(res)
        if len(self.detect_counts) > 0:
            self.check_detections_by_rule(res)
        self.check_json_output(res)
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -262,6 +262,7 @@ trace_files: !mux
  invalid_not_yaml:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rules content is not yaml
      ---
      This is not yaml
@@ -273,6 +274,7 @@ trace_files: !mux
  invalid_not_array:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rules content is not yaml array of objects
      ---
      foo: bar
@@ -284,6 +286,7 @@ trace_files: !mux
  invalid_array_item_not_object:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Unexpected element of type string. Each element should be a yaml associative array.
      ---
      - foo
@@ -295,6 +298,7 @@ trace_files: !mux
  invalid_unexpected object:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Unknown rule object: {foo="bar"}
      ---
      - foo: bar
@@ -306,6 +310,7 @@ trace_files: !mux
  invalid_engine_version_not_number:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Value of required_engine_version must be a number
      ---
      - required_engine_version: not-a-number
@@ -317,6 +322,7 @@ trace_files: !mux
  invalid_yaml_parse_error:
    exit_status: 1
    stdout_is: |+
      1 errors:
      mapping values are not allowed in this context
      ---
      this : is : not : yaml
@@ -328,6 +334,7 @@ trace_files: !mux
  invalid_list_without_items:
    exit_status: 1
    stdout_is: |+
      1 errors:
      List must have property items
      ---
      - list: bad_list
@@ -340,6 +347,7 @@ trace_files: !mux
  invalid_macro_without_condition:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Macro must have property condition
      ---
      - macro: bad_macro
@@ -352,6 +360,7 @@ trace_files: !mux
  invalid_rule_without_output:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule must have property output
      ---
      - rule: no output rule
@@ -366,6 +375,7 @@ trace_files: !mux
  invalid_append_rule_without_condition:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule must have property condition
      ---
      - rule: no condition rule
@@ -378,6 +388,7 @@ trace_files: !mux
  invalid_append_macro_dangling:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Macro dangling append has 'append' key but no macro by that name already exists
      ---
      - macro: dangling append
@@ -391,6 +402,7 @@ trace_files: !mux
  invalid_list_append_dangling:
    exit_status: 1
    stdout_is: |+
      1 errors:
      List my_list has 'append' key but no list by that name already exists
      ---
      - list: my_list
@@ -404,6 +416,7 @@ trace_files: !mux
  invalid_rule_append_dangling:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule my_rule has 'append' key but no rule by that name already exists
      ---
      - rule: my_rule
@@ -450,6 +463,7 @@ trace_files: !mux
  invalid_overwrite_macro_multiple_docs:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Compilation error when compiling "foo": Undefined macro 'foo' used in filter.
      ---
      - macro: some macro
@@ -463,6 +477,7 @@ trace_files: !mux
  invalid_append_macro_multiple_docs:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Compilation error when compiling "evt.type=execve foo": 17: syntax error, unexpected 'foo', expecting 'or', 'and'
      ---
      - macro: some macro
@@ -521,6 +536,7 @@ trace_files: !mux
  invalid_overwrite_rule_multiple_docs:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Undefined macro 'bar' used in filter.
      ---
      - rule: some rule
@@ -559,6 +575,7 @@ trace_files: !mux
  invalid_missing_rule_name:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule name is empty
      ---
      - rule:
@@ -573,6 +590,7 @@ trace_files: !mux
  invalid_missing_list_name:
    exit_status: 1
    stdout_is: |+
      1 errors:
      List name is empty
      ---
      - list:
@@ -585,6 +603,7 @@ trace_files: !mux
  invalid_missing_macro_name:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Macro name is empty
      ---
      - macro:
--- a/test/falco_tests_exceptions.yaml
+++ b/test/falco_tests_exceptions.yaml
@@ -0,0 +1,323 @@
 #
 # Copyright (C) 2016-2020 The Falco Authors..
 #
 # This file is part of falco.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 trace_files: !mux
  rule_exception_no_fields:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule exception item ex1: must have fields property with a list of fields
      ---
      - rule: My Rule
        desc: Some desc
        condition: evt.type=open and proc.name=cat
        output: Some output
        exceptions:
          - name: ex1
        priority: error
      ---
    validate_rules_file:
      - rules/exceptions/item_no_fields.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_no_name:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule exception item must have name property
      ---
      - rule: My Rule
        desc: Some desc
        condition: evt.type=open and proc.name=cat
        output: Some output
        exceptions:
          - fields: [proc.name, fd.filename]
        priority: error
      ---
    validate_rules_file:
      - rules/exceptions/item_no_name.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_no_name:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule exception item must have name property
      ---
      - rule: My Rule
        exceptions:
          - values:
              - [nginx, /tmp/foo]
        append: true
      ---
    validate_rules_file:
      - rules/exceptions/append_item_no_name.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_unknown_fields:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule exception item ex1: field name not.exist is not a supported filter field
      ---
      - rule: My Rule
        desc: Some desc
        condition: evt.type=open and proc.name=cat
        output: Some output
        exceptions:
          - name: ex1
            fields: [not.exist]
        priority: error
      ---
    validate_rules_file:
      - rules/exceptions/item_unknown_fields.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_comps_fields_len_mismatch:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule exception item ex1: fields and comps lists must have equal length
      ---
      - rule: My Rule
        desc: Some desc
        condition: evt.type=open and proc.name=cat
        output: Some output
        exceptions:
          - name: ex1
            fields: [proc.name, fd.filename]
            comps: [=]
        priority: error
      ---
    validate_rules_file:
      - rules/exceptions/item_comps_fields_len_mismatch.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_unknown_comp:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Rule exception item ex1: comparison operator no-comp is not a supported comparison operator
      ---
      - rule: My Rule
        desc: Some desc
        condition: evt.type=open and proc.name=cat
        output: Some output
        exceptions:
          - name: ex1
            fields: [proc.name, fd.filename]
            comps: [=, no-comp]
        priority: error
      ---
    validate_rules_file:
      - rules/exceptions/item_unknown_comp.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_fields_values_len_mismatch:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Exception item ex1: fields and values lists must have equal length
      ---
      - rule: My Rule
        desc: Some desc
        condition: evt.type=open and proc.name=cat
        output: Some output
        exceptions:
          - name: ex1
            fields: [proc.name, fd.filename]
            values:
              - [nginx]
        priority: error
      ---
    validate_rules_file:
      - rules/exceptions/item_fields_values_len_mismatch.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_fields_values_len_mismatch:
    exit_status: 1
    stdout_is: |+
      1 errors:
      Exception item ex1: fields and values lists must have equal length
      ---
      - rule: My Rule
        desc: Some desc
        condition: evt.type=open and proc.name=cat
        output: Some output
        exceptions:
          - name: ex1
            fields: [proc.name, fd.filename]
        priority: error
      - rule: My Rule
        exceptions:
          - name: ex1
            values:
              - [nginx]
        append: true
      ---
    validate_rules_file:
      - rules/exceptions/append_item_fields_values_len_mismatch.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_item_not_in_rule:
    exit_status: 0
    stderr_contains: |+
      1 warnings:
      Rule My Rule with append=true: no set of fields matching name ex2
    validate_rules_file:
      - rules/exceptions/append_item_not_in_rule.yaml
    trace_file: trace_files/cat_write.scap
  rule_without_exception:
    exit_status: 0
    stderr_contains: |+
      1 warnings:
      Rule My Rule: consider adding an exceptions property to define supported exceptions fields
    validate_rules_file:
      - rules/exceptions/rule_without_exception.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_no_values:
    detect: True
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_no_values.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_one_value:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_one_value.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_one_value:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_append_one_value.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_second_value:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_second_value.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_second_value:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_append_second_value.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_second_item:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_second_item.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_second_item:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_append_second_item.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_third_item:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_third_item.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_third_item:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_append_third_item.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_quoted:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_quoted.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_multiple_values:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_append_multiple.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_comp:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_comp.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_append_comp:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_append_comp.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_values_listref:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_values_listref.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_values_listref_noparens:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_values_listref_noparens.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_values_list:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_values_list.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_single_field:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_single_field.yaml
    trace_file: trace_files/cat_write.scap
  rule_exception_single_field_append:
    detect: False
    detect_level: WARNING
    rules_file:
      - rules/exceptions/rule_exception_single_field_append.yaml
    trace_file: trace_files/cat_write.scap
--- a/test/rules/exceptions/append_item_fields_values_len_mismatch.yaml
+++ b/test/rules/exceptions/append_item_fields_values_len_mismatch.yaml
@@ -0,0 +1,31 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
      fields: [proc.name, fd.filename]
  priority: error
 - rule: My Rule
  exceptions:
    - name: ex1
      values:
        - [nginx]
  append: true
--- a/test/rules/exceptions/append_item_no_name.yaml
+++ b/test/rules/exceptions/append_item_no_name.yaml
@@ -0,0 +1,30 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
      fields: [proc.name, fd.filename]
  priority: error
 - rule: My Rule
  exceptions:
    - values:
        - [nginx, /tmp/foo]
  append: true
--- a/test/rules/exceptions/append_item_not_in_rule.yaml
+++ b/test/rules/exceptions/append_item_not_in_rule.yaml
@@ -0,0 +1,31 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
      fields: [proc.name, fd.filename]
  priority: error
 - rule: My Rule
  exceptions:
    - name: ex2
      values:
        - [apache, /tmp]
  append: true
--- a/test/rules/exceptions/item_comps_fields_len_mismatch.yaml
+++ b/test/rules/exceptions/item_comps_fields_len_mismatch.yaml
@@ -0,0 +1,25 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
      fields: [proc.name, fd.filename]
      comps: [=]
  priority: error
--- a/test/rules/exceptions/item_fields_values_len_mismatch.yaml
+++ b/test/rules/exceptions/item_fields_values_len_mismatch.yaml
@@ -0,0 +1,26 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
      fields: [proc.name, fd.filename]
      values:
        - [nginx]
  priority: error
--- a/test/rules/exceptions/item_no_fields.yaml
+++ b/test/rules/exceptions/item_no_fields.yaml
@@ -0,0 +1,23 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
  priority: error
--- a/test/rules/exceptions/item_no_name.yaml
+++ b/test/rules/exceptions/item_no_name.yaml
@@ -0,0 +1,23 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - fields: [proc.name, fd.filename]
  priority: error
--- a/test/rules/exceptions/item_unknown_comp.yaml
+++ b/test/rules/exceptions/item_unknown_comp.yaml
@@ -0,0 +1,25 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
      fields: [proc.name, fd.filename]
      comps: [=, no-comp]
  priority: error
--- a/test/rules/exceptions/item_unknown_fields.yaml
+++ b/test/rules/exceptions/item_unknown_fields.yaml
@@ -0,0 +1,24 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  exceptions:
    - name: ex1
      fields: [not.exist]
  priority: error
--- a/test/rules/exceptions/rule_exception_append_comp.yaml
+++ b/test/rules/exceptions/rule_exception_append_comp.yaml
@@ -0,0 +1,38 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_contains
      fields: [proc.name]
      comps: [contains]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_name_contains
      values:
        - [cat]
  append: true
--- a/test/rules/exceptions/rule_exception_append_multiple.yaml
+++ b/test/rules/exceptions/rule_exception_append_multiple.yaml
@@ -0,0 +1,42 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_name
      values:
        - [not-cat]
  append: true
 - rule: Open From Cat
  exceptions:
    - name: proc_name
      values:
        - [cat]
  append: true
--- a/test/rules/exceptions/rule_exception_append_one_value.yaml
+++ b/test/rules/exceptions/rule_exception_append_one_value.yaml
@@ -0,0 +1,37 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
      values:
        - [cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_name
      values:
        - [cat]
  append: true
--- a/test/rules/exceptions/rule_exception_append_second_item.yaml
+++ b/test/rules/exceptions/rule_exception_append_second_item.yaml
@@ -0,0 +1,41 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_name
      values:
        - [not-cat]
    - name: proc_name_cmdline
      values:
        - [cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
      values:
        - [not-cat, "cat /dev/null", bash]
  append: true
--- a/test/rules/exceptions/rule_exception_append_second_value.yaml
+++ b/test/rules/exceptions/rule_exception_append_second_value.yaml
@@ -0,0 +1,36 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_name_cmdline
      values:
        - [not-cat, not-cat]
        - [cat, "cat /dev/null"]
  append: true
--- a/test/rules/exceptions/rule_exception_append_third_item.yaml
+++ b/test/rules/exceptions/rule_exception_append_third_item.yaml
@@ -0,0 +1,41 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_name
      values:
        - [not-cat]
    - name: proc_name_cmdline
      values:
        - [not-cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
      values:
        - [cat, "cat /dev/null", bash]
  append: true
--- a/test/rules/exceptions/rule_exception_comp.yaml
+++ b/test/rules/exceptions/rule_exception_comp.yaml
@@ -0,0 +1,34 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_contains
      fields: [proc.name]
      comps: [contains]
      values:
        - [cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_no_values.yaml
+++ b/test/rules/exceptions/rule_exception_no_values.yaml
@@ -0,0 +1,28 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_one_value.yaml
+++ b/test/rules/exceptions/rule_exception_one_value.yaml
@@ -0,0 +1,30 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
      values:
        - [cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_quoted.yaml
+++ b/test/rules/exceptions/rule_exception_quoted.yaml
@@ -0,0 +1,36 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_name_cmdline
      values:
        - [not-cat, not-cat]
        - [cat, '"cat /dev/null"']
  append: true
--- a/test/rules/exceptions/rule_exception_second_item.yaml
+++ b/test/rules/exceptions/rule_exception_second_item.yaml
@@ -0,0 +1,34 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
      values:
        - [not-cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
      values:
        - [cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
      values:
        - [not-cat, "cat /dev/null", bash]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_second_value.yaml
+++ b/test/rules/exceptions/rule_exception_second_value.yaml
@@ -0,0 +1,32 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
      values:
        - [not-cat, not-cat]
        - [cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_single_field.yaml
+++ b/test/rules/exceptions/rule_exception_single_field.yaml
@@ -0,0 +1,30 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_cmdline
      fields: proc.cmdline
      comps: in
      values:
        - cat /dev/zero
        - "cat /dev/null"
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_single_field_append.yaml
+++ b/test/rules/exceptions/rule_exception_single_field_append.yaml
@@ -0,0 +1,37 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_cmdline
      fields: proc.cmdline
      comps: in
      values:
        - cat /dev/zero
  priority: WARNING
 - rule: Open From Cat
  exceptions:
    - name: proc_cmdline
      values:
        - "cat /dev/null"
  append: true
--- a/test/rules/exceptions/rule_exception_third_item.yaml
+++ b/test/rules/exceptions/rule_exception_third_item.yaml
@@ -0,0 +1,34 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name
      fields: [proc.name]
      values:
        - [not-cat]
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
      values:
        - [not-cat, "cat /dev/null"]
    - name: proc_name_cmdline_pname
      fields: [proc.name, proc.cmdline, proc.pname]
      values:
        - [cat, "cat /dev/null", bash]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_values_list.yaml
+++ b/test/rules/exceptions/rule_exception_values_list.yaml
@@ -0,0 +1,29 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
      comps: [=, in]
      values:
        - [cat, [cat /dev/zero, "cat /dev/null"]]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_values_listref.yaml
+++ b/test/rules/exceptions/rule_exception_values_listref.yaml
@@ -0,0 +1,32 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - list: cat_cmdlines
  items: [cat /dev/zero, "cat /dev/null"]
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
      comps: [=, in]
      values:
        - [cat, (cat_cmdlines)]
  priority: WARNING
--- a/test/rules/exceptions/rule_exception_values_listref_noparens.yaml
+++ b/test/rules/exceptions/rule_exception_values_listref_noparens.yaml
@@ -0,0 +1,32 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - list: cat_cmdlines
  items: [cat /dev/zero, "cat /dev/null"]
 - rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (command=%proc.cmdline)"
  exceptions:
    - name: proc_name_cmdline
      fields: [proc.name, proc.cmdline]
      comps: [=, in]
      values:
        - [cat, cat_cmdlines]
  priority: WARNING
--- a/test/rules/exceptions/rule_without_exception.yaml
+++ b/test/rules/exceptions/rule_without_exception.yaml
@@ -0,0 +1,21 @@
 #
 # Copyright (C) 2020 The Falco Authors.
 #
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 - rule: My Rule
  desc: Some desc
  condition: evt.type=open and proc.name=cat
  output: Some output
  priority: error
--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -98,7 +98,7 @@ function run_tests() {
    # as we're watching the return status when running avocado.
    set +e
    TEST_RC=0
-    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml)
+    suites=($SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml $SCRIPTDIR/falco_tests_exceptions.yaml)
    if [ "$SKIP_PACKAGES_TESTS" = false ] ; then
        suites+=($SCRIPTDIR/falco_tests_package.yaml)
--- a/userspace/engine/falco_engine_version.h
+++ b/userspace/engine/falco_engine_version.h
@@ -16,7 +16,7 @@ limitations under the License.
 // The version of rules/filter fields/etc supported by this falco
 // engine.
-#define FALCO_ENGINE_VERSION (7)
+#define FALCO_ENGINE_VERSION (8)
 // This is the result of running "falco --list -N | sha256sum" and
 // represents the fields supported by this version of falco. It's used
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -126,6 +126,31 @@ function set_output(output_format, state)
   end
 end
 -- This should be keep in sync with parser.lua
 defined_comp_operators = {
   ["="]=1,
   ["=="] = 1,
   ["!"] = 1,
   ["<="] = 1,
   [">="] = 1,
   ["<"] = 1,
   [">"] = 1,
   ["contains"] = 1,
   ["icontains"] = 1,
   ["glob"] = 1,
   ["startswith"] = 1,
   ["endswith"] = 1,
   ["in"] = 1,
   ["intersects"] = 1,
   ["pmatch"] = 1
 }
 defined_list_comp_operators = {
   ["in"] = 1,
   ["intersects"] = 1,
   ["pmatch"] = 1
 }
 -- Note that the rules_by_name and rules_by_idx refer to the same rule
 -- object. The by_name index is used for things like describing rules,
 -- and the by_idx index is used to map the relational node index back
@@ -253,19 +278,89 @@ function get_lines(rules_lines, row, num_lines)
   return ret
 end
 function quote_item(item)
   if string.sub(item, 1, 1) ~= "'" and string.sub(item, 1, 1) ~= '"' then
      item = "\""..item.."\""
   end
   return item
 end
 function paren_item(item)
   if string.sub(item, 1, 1) ~= "(" then
      item = "("..item..")"
   end
   return item
 end
 function build_error(rules_lines, row, num_lines, err)
   local ret = err.."\n---\n"..get_lines(rules_lines, row, num_lines).."---"
-   return ret
+   return {ret}
 end
 function build_error_with_context(ctx, err)
   local ret = err.."\n---\n"..ctx.."---"
-   return ret
+   return {ret}
 end
 function validate_exception_item_multi_fields(eitem, context)
   local name = eitem['name']
   local fields = eitem['fields']
   local values = eitem['values']
   local comps = eitem['comps']
   if comps == nil then
      comps = {}
      for c=1,#fields do
 	 table.insert(comps, "=")
      end
      eitem['comps'] = comps
   else
      if #fields ~= #comps then
 	 return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps lists must have equal length"), warnings
      end
   end
   for k, fname in ipairs(fields) do
      if defined_noarg_filters[fname] == nil then
 	 return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fname.." is not a supported filter field"), warnings
      end
   end
   for k, comp in ipairs(comps) do
      if defined_comp_operators[comp] == nil then
 	 return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comp.." is not a supported comparison operator"), warnings
      end
   end
 end
 function validate_exception_item_single_field(eitem, context)
   local name = eitem['name']
   local fields = eitem['fields']
   local values = eitem['values']
   local comps = eitem['comps']
   if comps == nil then
      eitem['comps'] = "in"
   else
      if type(fields) ~= "string" or type(comps) ~= "string" then
 	 return false, build_error_with_context(context, "Rule exception item "..name..": fields and comps must both be strings"), warnings
      end
   end
   if defined_noarg_filters[fields] == nil then
      return false, build_error_with_context(context, "Rule exception item "..name..": field name "..fields.." is not a supported filter field"), warnings
   end
   if defined_comp_operators[comps] == nil then
      return false, build_error_with_context(context, "Rule exception item "..name..": comparison operator "..comps.." is not a supported comparison operator"), warnings
   end
 end
 function load_rules_doc(rules_mgr, doc, load_state)
   local warnings = {}
   -- Iterate over yaml list. In this pass, all we're doing is
   -- populating the set of rules, macros, and lists. We're not
   -- expanding/compiling anything yet. All that will happen in a
@@ -279,7 +374,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 					load_state.indices[load_state.cur_item_idx])
      if (not (type(v) == "table")) then
-	 return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array.")
+	 return false, build_error_with_context(context, "Unexpected element of type " ..type(v)..". Each element should be a yaml associative array."), warnings
      end
      v['context'] = context
@@ -291,13 +386,13 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 end
 	 if falco_rules.engine_version(rules_mgr) < v['required_engine_version'] then
-	    return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr))
+	    return false, build_error_with_context(v['context'], "Rules require engine version "..v['required_engine_version']..", but engine version is "..falco_rules.engine_version(rules_mgr)), warnings
 	 end
      elseif (v['macro']) then
 	 if (v['macro'] == nil or type(v['macro']) == "table") then
-	    return false, build_error_with_context(v['context'], "Macro name is empty")
+	    return false, build_error_with_context(v['context'], "Macro name is empty"), warnings
 	 end
 	 if v['source'] == nil then
@@ -310,7 +405,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 for j, field in ipairs({'condition'}) do
 	    if (v[field] == nil) then
-	       return false, build_error_with_context(v['context'], "Macro must have property "..field)
+	       return false, build_error_with_context(v['context'], "Macro must have property "..field), warnings
 	    end
 	 end
@@ -323,7 +418,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 if append then
 	    if state.macros_by_name[v['macro']] == nil then
-	       return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists")
+	       return false, build_error_with_context(v['context'], "Macro " ..v['macro'].. " has 'append' key but no macro by that name already exists"), warnings
 	    end
 	    state.macros_by_name[v['macro']]['condition'] = state.macros_by_name[v['macro']]['condition'] .. " " .. v['condition']
@@ -338,7 +433,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
      elseif (v['list']) then
 	 if (v['list'] == nil or type(v['list']) == "table") then
-	    return false, build_error_with_context(v['context'], "List name is empty")
+	    return false, build_error_with_context(v['context'], "List name is empty"), warnings
 	 end
 	 if state.lists_by_name[v['list']] == nil then
@@ -347,7 +442,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 for j, field in ipairs({'items'}) do
 	    if (v[field] == nil) then
-	       return false, build_error_with_context(v['context'], "List must have property "..field)
+	       return false, build_error_with_context(v['context'], "List must have property "..field), warnings
 	    end
 	 end
@@ -360,7 +455,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	 if append then
 	    if state.lists_by_name[v['list']] == nil then
-	       return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists")
+	       return false, build_error_with_context(v['context'], "List " ..v['list'].. " has 'append' key but no list by that name already exists"), warnings
 	    end
 	    for j, elem in ipairs(v['items']) do
@@ -373,7 +468,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
      elseif (v['rule']) then
 	 if (v['rule'] == nil or type(v['rule']) == "table") then
-	    return false, build_error_with_context(v['context'], "Rule name is empty")
+	    return false, build_error_with_context(v['context'], "Rule name is empty"), warnings
 	 end
 	 -- By default, if a rule's condition refers to an unknown
@@ -386,6 +481,13 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    v['source'] = "syscall"
 	 end
 	 -- Add an empty exceptions property to the rule if not
 	 -- defined, but add a warning about defining one
 	 if v['exceptions'] == nil then
 	    warnings[#warnings + 1] = "Rule "..v['rule']..": consider adding an exceptions property to define supported exceptions fields"
 	    v['exceptions'] = {}
 	 end
 	 -- Possibly append to the condition field of an existing rule
 	 append = false
@@ -393,21 +495,100 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    append = v['append']
 	 end
 	 -- Validate the contents of the rule exception
 	 if next(v['exceptions']) ~= nil then
 	    -- This validation only applies if append=false. append=true validation is handled below
 	    if append == false then
 	       for _, eitem in ipairs(v['exceptions']) do
 		  if eitem['name'] == nil then
 		     return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
 		  end
 		  if eitem['fields'] == nil then
 		     return false, build_error_with_context(v['context'], "Rule exception item "..eitem['name']..": must have fields property with a list of fields"), warnings
 		  end
 		  if eitem['values'] == nil then
 		     -- An empty values array is okay
 		     eitem['values'] = {}
 		  end
 		  -- Different handling if the fields property is a single item vs a list
 		  local valid, err
 		  if type(eitem['fields']) == "table" then
 		     valid, err = validate_exception_item_multi_fields(eitem, v['context'])
 		  else
 		     valid, err = validate_exception_item_single_field(eitem, v['context'])
 		  end
 		  if valid == false then
 		     return valid, err
 		  end
 	       end
 	    end
 	 end
 	 if append then
-	    -- For append rules, all you need is the condition
+	    -- For append rules, either condition or exceptions must be specified
-	    for j, field in ipairs({'condition'}) do
+	    if (v['condition'] == nil and v['exceptions'] == nil) then
-	       if (v[field] == nil) then
+	       return false, build_error_with_context(v['context'], "Rule must have exceptions or condition property"), warnings
 		  return false, build_error_with_context(v['context'], "Rule must have property "..field)
 	       end
 	    end
 	    if state.rules_by_name[v['rule']] == nil then
 	       if state.skipped_rules_by_name[v['rule']] == nil then
-		  return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists")
+		  return false, build_error_with_context(v['context'], "Rule " ..v['rule'].. " has 'append' key but no rule by that name already exists"), warnings
 	       end
 	    else
-	       state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
+
 	       if next(v['exceptions']) ~= nil then
 		  for _, eitem in ipairs(v['exceptions']) do
 		     local name = eitem['name']
 		     local fields = eitem['fields']
 		     local comps = eitem['comps']
 		     if name == nil then
 			return false, build_error_with_context(v['context'], "Rule exception item must have name property"), warnings
 		     end
 		     -- You can't append exception fields or comps to a rule
 		     if fields ~= nil then
 			return false, build_error_with_context(v['context'], "Can not append exception fields to existing rule, only values"), warnings
 		     end
 		     if comps ~= nil then
 			return false, build_error_with_context(v['context'], "Can not append exception comps to existing rule, only values"), warnings
 		     end
 		     -- You can append values. They are added to the
 		     -- corresponding name, if it exists. If no
 		     -- exception with that name exists, add a
 		     -- warning.
 		     if eitem['values'] ~= nil then
 			local found=false
 			for _, reitem in ipairs(state.rules_by_name[v['rule']]['exceptions']) do
 			   if reitem['name'] == eitem['name'] then
 			      found=true
 			      for _, values in ipairs(eitem['values']) do
 				 reitem['values'][#reitem['values'] + 1] = values
 			      end
 			   end
 			end
 			if found == false then
 			   warnings[#warnings + 1] = "Rule "..v['rule'].." with append=true: no set of fields matching name "..eitem['name']
 			end
 		     end
 		  end
 	       end
 	       if v['condition'] ~= nil then
 		  state.rules_by_name[v['rule']]['condition'] = state.rules_by_name[v['rule']]['condition'] .. " " .. v['condition']
 	       end
 	    -- Add the current object to the context of the base rule
 	       state.rules_by_name[v['rule']]['context'] = state.rules_by_name[v['rule']]['context'].."\n"..v['context']
@@ -417,7 +598,7 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    for j, field in ipairs({'condition', 'output', 'desc', 'priority'}) do
 	       if (v[field] == nil) then
-		  return false, build_error_with_context(v['context'], "Rule must have property "..field)
+		  return false, build_error_with_context(v['context'], "Rule must have property "..field), warnings
 	       end
 	    end
@@ -446,16 +627,99 @@ function load_rules_doc(rules_mgr, doc, load_state)
 	    end
 	 end
      else
 	 -- Remove the context from the table, so the table is exactly what was parsed
 	 local context = v['context']
-	 v['context'] = nil
+
-	 return false, build_error_with_context(context, "Unknown rule object: "..table.tostring(v))
+	 arr = build_error_with_context(context, "Unknown top level object: "..table.tostring(v))
 	 warnings[#warnings + 1] = arr[1]
      end
   end
-   return true, ""
+   return true, {}, warnings
 end
 -- cond and not ((proc.name=apk and fd.directory=/usr/lib/alpine) or (proc.name=npm and fd.directory=/usr/node/bin) or ...)
 function build_exception_condition_string_multi_fields(eitem)
   local fields = eitem['fields']
   local comps = eitem['comps']
   local icond = ""
   for i, values in ipairs(eitem['values']) do
      if #fields ~= #values then
 	 return nil, "Exception item "..eitem['name']..": fields and values lists must have equal length"
      end
      if icond ~= "" then
 	 icond=icond.." or "
      end
      icond=icond.."("
      for k=1,#fields do
 	 if k > 1 then
 	    icond=icond.." and "
 	 end
 	 local ival = values[k]
 	 local istr = ""
 	 -- If ival is a table, express it as (titem1, titem2, etc)
 	 if type(ival) == "table" then
 	    istr = "("
 	    for _, item in ipairs(ival) do
 	       if istr ~= "(" then
 		  istr = istr..", "
 	       end
 	       istr = istr..quote_item(item)
 	    end
 	    istr = istr..")"
 	 else
 	    -- If the corresponding operator is one that works on lists, possibly add surrounding parentheses.
 	    if defined_list_comp_operators[comps[k]] then
 	       istr = paren_item(ival)
 	    else
 	       -- Quote the value if not already quoted
 	       istr = quote_item(ival)
 	    end
 	 end
 	 icond = icond..fields[k].." "..comps[k].." "..istr
      end
      icond=icond..")"
   end
   return icond, nil
 end
 function build_exception_condition_string_single_field(eitem)
   local icond = ""
   for i, value in ipairs(eitem['values']) do
      if icond == "" then
 	 icond = "("..eitem['fields'].." "..eitem['comps'].." ("
      else
 	 icond = icond..", "
      end
      icond = icond..quote_item(value)
   end
   icond = icond.."))"
   return icond, nil
 end
 -- Returns:
 -- - Load Result: bool
 -- - required engine version. will be nil when load result is false
 -- - List of Errors
 -- - List of Warnings
 function load_rules(sinsp_lua_parser,
 		    json_lua_parser,
 		    rules_content,
@@ -466,6 +730,8 @@ function load_rules(sinsp_lua_parser,
 		    replace_container_info,
 		    min_priority)
   local warnings = {}
   local load_state = {lines={}, indices={}, cur_item_idx=0, min_priority=min_priority, required_engine_version=0}
   load_state.lines, load_state.indices = split_lines(rules_content)
@@ -487,36 +753,42 @@ function load_rules(sinsp_lua_parser,
      row = tonumber(row)
      col = tonumber(col)
-      return false, build_error(load_state.lines, row, 3, docs)
+      return false, nil, build_error(load_state.lines, row, 3, docs), warnings
   end
   if docs == nil then
      -- An empty rules file is acceptable
-      return true, load_state.required_engine_version
+      return true, load_state.required_engine_version, {}, warnings
   end
   if type(docs) ~= "table" then
-      return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
+      return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
   end
   for docidx, doc in ipairs(docs) do
      if type(doc) ~= "table" then
-	 return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml")
+	 return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml"), warnings
      end
      -- Look for non-numeric indices--implies that document is not array
      -- of objects.
      for key, val in pairs(doc) do
 	 if type(key) ~= "number" then
-	    return false, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects")
+	    return false, nil, build_error(load_state.lines, 1, 1, "Rules content is not yaml array of objects"), warnings
 	 end
      end
-      res, errstr = load_rules_doc(rules_mgr, doc, load_state)
+      res, errors, doc_warnings = load_rules_doc(rules_mgr, doc, load_state)
      if (doc_warnings ~= nil) then
 	 for idx, warning in pairs(doc_warnings) do
 	    table.insert(warnings, warning)
 	 end
      end
      if not res then
-	 return res, errstr
+	 return res, nil, errors, warnings
      end
   end
@@ -538,7 +810,7 @@ function load_rules(sinsp_lua_parser,
      -- the items and expand any references to the items in the list
      for i, item in ipairs(v['items']) do
 	 if (state.lists[item] == nil) then
-	    items[#items+1] = item
+	    items[#items+1] = quote_item(item)
 	 else
 	    for i, exp_item in ipairs(state.lists[item].items) do
 	       items[#items+1] = exp_item
@@ -556,7 +828,7 @@ function load_rules(sinsp_lua_parser,
      local status, ast = compiler.compile_macro(v['condition'], state.macros, state.lists)
      if status == false then
-	 return false, build_error_with_context(v['context'], ast)
+	 return false, nil, build_error_with_context(v['context'], ast), warnings
      end
      if v['source'] == "syscall" then
@@ -572,6 +844,38 @@ function load_rules(sinsp_lua_parser,
      local v = state.rules_by_name[name]
      local econd = ""
      -- Turn exceptions into condition strings and add them to each
      -- rule's condition
      for _, eitem in ipairs(v['exceptions']) do
 	 local icond, err
 	 if type(eitem['fields']) == "table" then
 	    icond, err = build_exception_condition_string_multi_fields(eitem)
 	 else
 	    icond, err = build_exception_condition_string_single_field(eitem)
 	 end
 	 if err ~= nil then
 	    return false, nil, build_error_with_context(v['context'], err), warnings
 	 end
 	 if icond ~= "" then
 	    if econd == "" then
 	       econd = econd.." and not ("..icond
 	    else
 	       econd = econd.." or "..icond
 	    end
 	 end
      end
      if econd ~= "" then
 	 econd=econd..")"
 	 state.rules_by_name[name]['condition'] = "("..state.rules_by_name[name]['condition']..") "..econd
      end
      warn_evttypes = true
      if v['warn_evttypes'] ~= nil then
 	 warn_evttypes = v['warn_evttypes']
@@ -581,7 +885,7 @@ function load_rules(sinsp_lua_parser,
 								  state.macros, state.lists)
      if status == false then
-	 return false, build_error_with_context(v['context'], filter_ast)
+	 return false, nil, build_error_with_context(v['context'], filter_ast), warnings
      end
      local evtttypes = {}
@@ -631,12 +935,10 @@ function load_rules(sinsp_lua_parser,
 	 end
 	 if not found then
-	    if v['skip-if-unknown-filter'] then
+	    msg = "rule \""..v['rule'].."\" contains unknown filter "..filter
-	       if verbose then
+	    warnings[#warnings + 1] = msg
-		  print("Skipping rule \""..v['rule'].."\" that contains unknown filter "..filter)
+
-	       end
+	    if not v['skip-if-unknown-filter'] then
 	       goto next_rule
 	    else
 	       error("Rule \""..v['rule'].."\" contains unknown filter "..filter)
 	    end
 	 end
@@ -719,30 +1021,30 @@ function load_rules(sinsp_lua_parser,
 	 formatter = formats.formatter(v['source'], v['output'])
 	 formats.free_formatter(v['source'], formatter)
      else
-	 return false, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type)
+	 return false, nil, build_error_with_context(v['context'], "Unexpected type in load_rule: "..filter_ast.type), warnings
      end
      ::next_rule::
   end
-   if verbose then
+   -- Print info on any dangling lists or macros that were not used anywhere
-      -- Print info on any dangling lists or macros that were not used anywhere
+   for name, macro in pairs(state.macros) do
-      for name, macro in pairs(state.macros) do
+      if macro.used == false then
-	 if macro.used == false then
+	 msg = "macro "..name.." not refered to by any rule/macro"
-	    print("Warning: macro "..name.." not refered to by any rule/macro")
+	 warnings[#warnings + 1] = msg
 	 end
      end
   end
-      for name, list in pairs(state.lists) do
+   for name, list in pairs(state.lists) do
-	 if list.used == false then
+      if list.used == false then
-	    print("Warning: list "..name.." not refered to by any rule/macro/list")
+	 msg = "list "..name.." not refered to by any rule/macro/list"
-	 end
+	 warnings[#warnings + 1] = msg
      end
   end
   io.flush()
-   return true, load_state.required_engine_version
+   return true, load_state.required_engine_version, {}, warnings
 end
 local rule_fmt = "%-50s %s"
--- a/userspace/engine/rules.cpp
+++ b/userspace/engine/rules.cpp
@@ -14,8 +14,9 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 #include <sstream>
 #include "rules.h"
 #include "logger.h"
 extern "C" {
 #include "lua.h"
@@ -219,6 +220,31 @@ int falco_rules::engine_version(lua_State *ls)
 	return 1;
 }
 static std::list<std::string> get_lua_table_values(lua_State *ls, int idx)
 {
 	std::list<std::string> ret;
 	if (lua_isnil(ls, idx)) {
 		return ret;
 	}
 	lua_pushnil(ls);  /* first key */
 	while (lua_next(ls, idx-1) != 0) {
                // key is at index -2, value is at index
                // -1. We want the values.
 		if (! lua_isstring(ls, -1)) {
 			std::string err = "Non-string value in table of strings";
 			throw falco_exception(err);
 		}
 		ret.push_back(string(lua_tostring(ls, -1)));
 		// Remove value, keep key for next iteration
 		lua_pop(ls, 1);
 	}
 	return ret;
 }
 void falco_rules::load_rules(const string &rules_content,
 			     bool verbose, bool all_events,
 			     string &extra, bool replace_container_info,
@@ -424,7 +450,7 @@ void falco_rules::load_rules(const string &rules_content,
 		lua_pushstring(m_ls, extra.c_str());
 		lua_pushboolean(m_ls, (replace_container_info ? 1 : 0));
 		lua_pushnumber(m_ls, min_priority);
-		if(lua_pcall(m_ls, 9, 2, 0) != 0)
+		if(lua_pcall(m_ls, 9, 4, 0) != 0)
 		{
 			const char* lerr = lua_tostring(m_ls, -1);
@@ -433,20 +459,49 @@ void falco_rules::load_rules(const string &rules_content,
 			throw falco_exception(err);
 		}
-		// Either returns (true, required_engine_version), or (false, error string)
+		// Returns:
-		bool successful = lua_toboolean(m_ls, -2);
+		// Load result: bool
 		// required engine version: will be nil when load result is false
 		// array of errors
 		// array of warnings
 		bool successful = lua_toboolean(m_ls, -4);
 		required_engine_version = lua_tonumber(m_ls, -3);
 		std::list<std::string> errors = get_lua_table_values(m_ls, -2);
 		std::list<std::string> warnings = get_lua_table_values(m_ls, -1);
-		if(successful)
+		// Concatenate errors/warnings
 		std::ostringstream os;
 		if (errors.size() > 0)
 		{
-			required_engine_version = lua_tonumber(m_ls, -1);
+			os << errors.size() << " errors:" << std::endl;
-		}
+			for(auto err : errors)
-		else
+			{
-		{
+				os << err << std::endl;
-			std::string err = lua_tostring(m_ls, -1);
+			}
 			throw falco_exception(err);
 		}
-		lua_pop(m_ls, 2);
+		if (warnings.size() > 0)
 		{
 			os << warnings.size() << " warnings:" << std::endl;
 			for(auto warn : warnings)
 			{
 				os << warn << std::endl;
 			}
 		}
 		if(!successful)
 		{
 			throw falco_exception(os.str());
 		}
 		if (verbose && os.str() != "") {
 			// We don't really have a logging callback
 			// from the falco engine, but this would be a
 			// good place to use it.
 			fprintf(stderr, "When reading rules content: %s", os.str().c_str());
 		}
 		lua_pop(m_ls, 4);
 	} else {
 		throw falco_exception("No function " + m_lua_load_rules + " found in lua rule module");
--- a/userspace/falco/falco.cpp
+++ b/userspace/falco/falco.cpp
@@ -86,6 +86,7 @@ static void usage()
 	   " -h, --help                    Print this page\n"
 	   " -c                            Configuration file (default " FALCO_SOURCE_CONF_FILE ", " FALCO_INSTALL_CONF_FILE ")\n"
 	   " -A                            Monitor all events, including those with EF_DROP_SIMPLE_CONS flag.\n"
 	   " --alternate-lua-dir <path>    Specify an alternate path for loading Falco lua files\n"
 	   " -b, --print-base64            Print data buffers in base64.\n"
 	   "                               This is useful for encoding binary data that needs to be used over media designed to.\n"
 	   " --cri <path>                  Path to CRI socket for container metadata.\n"
@@ -478,37 +479,38 @@ int falco_init(int argc, char **argv)
 #endif
 	static struct option long_options[] =
-	{
+		{
-		{"cri", required_argument, 0},
+			{"alternate-lua-dir", required_argument, 0},
-        {"daemon", no_argument, 0, 'd'},
+			{"cri", required_argument, 0},
-        {"disable-cri-async", no_argument, 0, 0},
+			{"daemon", no_argument, 0, 'd'},
-        {"disable-source", required_argument, 0},
+			{"disable-cri-async", no_argument, 0, 0},
-        {"help", no_argument, 0, 'h'},
+			{"disable-source", required_argument, 0},
-        {"ignored-events", no_argument, 0, 'i'},
+			{"help", no_argument, 0, 'h'},
-        {"k8s-api-cert", required_argument, 0, 'K'},
+			{"ignored-events", no_argument, 0, 'i'},
-        {"k8s-api", required_argument, 0, 'k'},
+			{"k8s-api-cert", required_argument, 0, 'K'},
-        {"list", optional_argument, 0},
+			{"k8s-api", required_argument, 0, 'k'},
-        {"mesos-api", required_argument, 0, 'm'},
+			{"list", optional_argument, 0},
-        {"option", required_argument, 0, 'o'},
+			{"mesos-api", required_argument, 0, 'm'},
-        {"pidfile", required_argument, 0, 'P'},
+			{"option", required_argument, 0, 'o'},
-        {"print-base64", no_argument, 0, 'b'},
+			{"pidfile", required_argument, 0, 'P'},
-        {"print", required_argument, 0, 'p'},
+			{"print-base64", no_argument, 0, 'b'},
-        {"snaplen", required_argument, 0, 'S'},
+			{"print", required_argument, 0, 'p'},
-        {"stats-interval", required_argument, 0},
+			{"snaplen", required_argument, 0, 'S'},
-        {"support", no_argument, 0},
+			{"stats-interval", required_argument, 0},
-        {"unbuffered", no_argument, 0, 'U'},
+			{"support", no_argument, 0},
-        {"userspace", no_argument, 0, 'u'},
+			{"unbuffered", no_argument, 0, 'U'},
-        {"validate", required_argument, 0, 'V'},
+			{"userspace", no_argument, 0, 'u'},
-        {"version", no_argument, 0, 0},
+			{"validate", required_argument, 0, 'V'},
-        {"writefile", required_argument, 0, 'w'},
+			{"version", no_argument, 0, 0},
-		{0, 0, 0, 0}
+			{"writefile", required_argument, 0, 'w'},
-	};
+			{0, 0, 0, 0}};
 	try
 	{
 		set<string> disabled_rule_substrings;
 		string substring;
 		string all_rules = "";
 		string alternate_lua_dir = FALCO_ENGINE_SOURCE_LUA_DIR;
 		set<string> disabled_rule_tags;
 		set<string> enabled_rule_tags;
@@ -686,6 +688,16 @@ int falco_init(int argc, char **argv)
 						disable_sources.insert(optarg);
 					}
 				}
 				else if (string(long_options[long_index].name)== "alternate-lua-dir")
 				{
 					if(optarg != NULL)
 					{
 						alternate_lua_dir = optarg;
 						if (alternate_lua_dir.back() != '/') {
 							alternate_lua_dir += '/';
 						}
 					}
 				}
 				break;
 			default:
@@ -721,7 +733,7 @@ int falco_init(int argc, char **argv)
 			return EXIT_SUCCESS;
 		}
-		engine = new falco_engine();
+		engine = new falco_engine(true, alternate_lua_dir);
 		engine->set_inspector(inspector);
 		engine->set_extra(output_format, replace_container_info);
@@ -804,7 +816,7 @@ int falco_init(int argc, char **argv)
 				}
 				catch(falco_exception &e)
 				{
-					printf("%s%s\n", prefix.c_str(), e.what());
+					printf("%s%s", prefix.c_str(), e.what());
 					throw;
 				}
 				printf("%sOk\n", prefix.c_str());
@@ -861,7 +873,15 @@ int falco_init(int argc, char **argv)
 			falco_logger::log(LOG_INFO, "Loading rules from file " + filename + ":\n");
 			uint64_t required_engine_version;
-			engine->load_rules_file(filename, verbose, all_events, required_engine_version);
+			try {
 				engine->load_rules_file(filename, verbose, all_events, required_engine_version);
 			}
 			catch(falco_exception &e)
 			{
 				std::string prefix = "Could not load rules file " + filename + ": ";
 				throw falco_exception(prefix + e.what());
 			}
 			required_engine_versions[filename] = required_engine_version;
 		}
@@ -965,7 +985,8 @@ int falco_init(int argc, char **argv)
 			      config.m_notifications_rate, config.m_notifications_max_burst,
 			      config.m_buffered_outputs,
 			      config.m_time_format_iso_8601,
-			      hostname);
+			      hostname,
 			      alternate_lua_dir);
 		if(!all_events)
 		{
@@ -1171,8 +1192,8 @@ int falco_init(int argc, char **argv)
 						falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
 					}
 					open_f(inspector);
-				} 
+				}
-				else 
+				else
 				{
 					rethrow_exception(current_exception());
 				}
@@ -1281,7 +1302,7 @@ int falco_init(int argc, char **argv)
 		if(!trace_filename.empty() && !trace_is_scap)
 		{
-#ifndef MINIMAL_BUILD			
+#ifndef MINIMAL_BUILD
 			read_k8s_audit_trace_file(engine,
 						  outputs,
 						  trace_filename);
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@@ -78,7 +78,8 @@ falco_outputs::~falco_outputs()
 void falco_outputs::init(bool json_output,
 			 bool json_include_output_property,
 			 uint32_t rate, uint32_t max_burst, bool buffered,
-			 bool time_format_iso_8601, string hostname)
+			 bool time_format_iso_8601, string hostname,
 			 const string& alternate_lua_dir)
 {
 	// The engine must have been given an inspector by now.
 	if(!m_inspector)
@@ -88,7 +89,7 @@ void falco_outputs::init(bool json_output,
 	m_json_output = json_output;
-	falco_common::init(m_lua_main_filename.c_str(), FALCO_SOURCE_LUA_DIR);
+	falco_common::init(m_lua_main_filename.c_str(), alternate_lua_dir.c_str());
 	// Note that falco_formats is added to both the lua state used
 	// by the falco engine as well as the separate lua state used
--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@@ -54,7 +54,8 @@ public:
 	void init(bool json_output,
 		  bool json_include_output_property,
 		  uint32_t rate, uint32_t max_burst, bool buffered,
-		  bool time_format_iso_8601, std::string hostname);
+		  bool time_format_iso_8601, std::string hostname,
 		  const std::string& alternate_lua_dir);
 	void add_output(output_config oc);
Author	SHA1	Message	Date
Mark Stemm	dbd4ff08eb	Rules changes (WIP) Got as far as the two big rules (write below etc/write below root). Still need to do the rest, and also k8s_audit.	2020-10-13 17:36:36 -07:00
Mark Stemm	9c70ae19be	Squash w/ code commit: single field exceptions If an exception has a single value for the "fields" property, values are combined into a single set to build a condition string like "field cmp (val1, val2, ...)".	2020-10-13 11:20:32 -07:00
Mark Stemm	9cb25be5bd	Squash w/ test commit.	2020-10-13 11:20:12 -07:00
Mark Stemm	1f533e5964	Bump falco engine version to 8 for exceptions. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-12 15:46:54 -07:00
Mark Stemm	854318cacf	Allow lists/list names to be exception values Allow lists or list names to be exception values. The list is expanded if directly included as a values item. If it's just a string, it's assumed to be a list name. Parentheses are added if needed but otherwise the list expansion is done when compiling the condition string. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-12 15:43:23 -07:00
Mark Stemm	0cc10b0fbe	Tests for exceptions using lists. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-12 15:43:02 -07:00
Mark Stemm	e3f1ac1be3	Don't look for event counts with -V/validate When running falco with -V/valdiate <rules file>, you won't get any event counts. All prior tests didn't get this far as they also resulted in rules parsing errors. However, validating can now result in warnings only. This won't exit but won't print event counts either. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-09 13:27:53 -07:00
Mark Stemm	fb4e07e220	Automated tests for exceptions Handle various positive and negative cases. Should handle every error and warning path when reading exceptions objects or rule exception fields, and various positive cases of using exceptions to prevent alerts. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-09 13:27:46 -07:00
Mark Stemm	9014153d7b	Support exceptions properties on rules Support exceptions properties on rules as described in https://github.com/falcosecurity/falco/pull/1376. - When parsing rules, add an empty exceptions table if not specified. - If exceptions are specified, they must contain names and lists of fields, and optionally can contain lists of comps and lists of lists of values. - If comps are not specified, = is used. - If a rule has exceptions and append:true, add values to the original rule's exception values with the matching name. - It's a warning but not an error to have exception values with a name not matching any fields. - After loading all rules, iterate through each rule's exception values, finding the matching field names (field1, field2, ...) and comp operators (cmp1, cmp2, ...), then iterating over the list of field values (val1a, val1b, ...), (val2a, val2b, ...), building up a string of the form: and not ((field1 cmp1 val1a and field2 cmp2 val1b and ...) or (field1 cmp1 val2a and field2 cmp2 val2b and ...)... )" - If a value is not already quoted, quote it in the string Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-09 13:20:10 -07:00
Mark Stemm	0bb6addcc0	Update tests to add error counts When validating, the output has a summary of error/warning counts, so update tests appropriately. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-05 09:03:30 -07:00
Mark Stemm	3aa8ff6e84	Allow unknown top level obs as warnings When parsing a rules file, if a top level object is not one of the known types rule, macro, list, required_engine_version, instead of failing parsing, add a warning instead. This adds some forwards-compatibility to rules files. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-05 09:03:27 -07:00
Mark Stemm	a4b7d46717	Pass back warnings when loading rules Add the notion of warnings when loading rules, which are printed if verbose is true: - load_rules now returns a tuple (success, required engine version, error array, warnings array) instead of (true, required engine version) or (false, error string) - build_error/build_error_with_context now returns an array instead of string value. - warnings are combined across calls to load_rules_doc - Current warnings include: - a rule that contains an unknown filter - a macro not referred to by any rule - a list not referred to by any rule/macro/list Any errors/warnings are concatenated into the exception if success was false. Any errors/warnings will be printed if verbose is true. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-05 09:03:23 -07:00
Leonardo Di Donato	0a449afc3e	docs: fix release notes for 0.26.0 (previous) Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-10-01 14:19:48 +02:00
Leonardo Di Donato	e06e89b3d0	docs: CHANGELOG for 0.26.1 Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-10-01 14:19:48 +02:00
Leo Di Donato	1500e74844	docs: release candency Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>	2020-10-01 13:41:55 +02:00
Leonardo Di Donato	db9fe762a4	docs: notify the community the Falco releases happen every two months starting from today Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-10-01 13:41:55 +02:00
Leo Di Donato	2fd9ad1433	docs: add download/images table to release corpus template Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-10-01 13:41:55 +02:00
Mark Stemm	879bf37ffd	rule(Write below root): require proc.name Like other rules that rely on a process name for exceptions, don't trigger an event if the process name is missing e.g. "<NA>". Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-01 11:33:45 +02:00
Mark Stemm	fc4355dd15	rule(Delete....shell history): Skip docker progs Also ignore docker programs which would prevent cases where the path is expressed within the container filesystem (/.bash_history) vs host filesystem (/var/lib/docker/overlay/.../.bash_history). Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-01 11:33:45 +02:00
Mark Stemm	1c7fca95e4	rule(Delete or rename shell history):fix warning Move the "and not" checks to the end of the rule so all event type checks are at the front. Also break into 3 macros to make the rule easier to read. This fixes https://github.com/falcosecurity/falco/issues/1418. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-10-01 11:33:45 +02:00
Radu Andries	bc1aeaceb2	feat(falco): Provide a parameter for loading lua files from an alternate path This will be used by the static build to load lua files from alternate directories that are not tied to the compile flags Signed-off-by: Radu Andries <radu.andries@sysdig.com>	2020-09-29 18:05:10 +02:00
Lorenzo Fontana	6bcc11aa47	build: standalone static analysis step Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com> Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>	2020-09-29 14:44:28 +02:00
Lorenzo Fontana	bbf044060a	build: quality, install ca-certificates and attach only after that Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>	2020-09-29 14:44:28 +02:00
Lorenzo Fontana	4f86e3e68b	build: static code analysis CI reports Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>	2020-09-29 14:44:28 +02:00
Lorenzo Fontana	a51c4fc903	build: static code analysis structure and cppcheck Signed-off-by: Lorenzo Fontana <fontanalorenz@gmail.com>	2020-09-29 14:44:28 +02:00
Leo Di Donato	271e23ce97	docs(brand): documenting Falco color scheme Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>	2020-09-28 15:15:36 +02:00
Kris Nóva	404762bd34	feat(release): Updating notes according to PR Signed-off-by: Kris Nóva <kris@nivenly.com>	2020-09-25 08:18:48 -07:00
Kris Nóva	20f5e5d35a	feat(release): Release 0.26 Cutting release for 0.26.0 and starting 0.27.0 Signed-off-by: Kris Nóva <kris@nivenly.com>	2020-09-25 08:18:48 -07:00
Mark Stemm	33793d233b	Rule(Disallowed K8s User): quote colons It turns out if you read this rules file with falco versions 0.24.0 and earlier, it can't parse the bare string containing colons: (Ignore the misleading error context, that's a different problem): ``` Thu Sep 10 10:31:23 2020: Falco initialized with configuration file /etc/falco/falco.yaml Thu Sep 10 10:31:23 2020: Loading rules from file /tmp/k8s_audit_rules.yaml: Thu Sep 10 10:31:23 2020: Runtime error: found unexpected ':' --- source: k8s_audit tags: [k8s] # In a local/user rules file, you could override this macro to ``` I think the change in 0.25.0 to use a bundled libyaml fixed the problem, as it also upgraded libyaml to a version that fixed https://github.com/yaml/libyaml/pull/104. Work around the problem with earlier falco releases by quoting the colon. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-09-23 17:48:36 +02:00
Mark Stemm	331b2971be	rule(Delete or rename shell history):skip dockerfs In some cases, when removing a container, dockerd will itself remove the entire overlay filesystem, including a shell history file: --- Shell history had been deleted or renamed (user=root type=unlinkat command=dockerd -H fd:// ... name=/var/lib/docker/overlay2/.../root/.bash_history .. --- To avoid these FPs, skip paths starting with /var/lib/docker. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>	2020-09-23 17:48:36 +02:00
Leonardo Grasso	558b18ea67	build: update the driver version to 2aa88dc Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2020-09-18 17:27:45 +02:00
Leonardo Grasso	bbfb27777b	build: remove macrodefs about time (musl build) See https://github.com/draios/sysdig/pull/1684 Signed-off-by: Leonardo Grasso <me@leonardograsso.com>	2020-09-18 17:27:45 +02:00
Hiroki Suezawa	5b926386a8	rule(macro consider_packet_socket_communication): change a value to always_true Signed-off-by: Hiroki Suezawa <suezawa@gmail.com>	2020-09-18 09:47:10 +02:00