# # Copyright (C) 2016-2018 Draios Inc dba Sysdig. # # This file is part of falco. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # trace_files: !mux builtin_rules_no_warnings: detect: False trace_file: trace_files/empty.scap rules_warning: False test_warnings: detect: False trace_file: trace_files/empty.scap rules_file: rules/falco_rules_warnings.yaml rules_warning: - no_evttype - evttype_not_equals - leading_not - not_equals_at_end - not_at_end - not_before_trailing_evttype - not_equals_before_trailing_evttype - not_equals_and_not - not_equals_before_in - not_before_in - not_in_before_in - leading_in_not_equals_before_evttype - leading_in_not_equals_at_evttype - not_with_evttypes - not_with_evttypes_addl - not_equals_before_evttype - not_equals_before_in_evttype - not_before_evttype - not_before_evttype_using_in rules_events: - no_warnings: [execve] - no_evttype: [all] - evttype_not_equals: [all] - leading_not: [all] - not_equals_after_evttype: [execve] - not_after_evttype: [execve] - leading_trailing_evttypes: [execve,open] - leading_multtrailing_evttypes: [connect,execve,open] - leading_multtrailing_evttypes_using_in: [connect,execve,open] - not_equals_at_end: [all] - not_at_end: [all] - not_before_trailing_evttype: [all] - not_equals_before_trailing_evttype: [all] - not_equals_and_not: [all] - not_equals_before_in: [all] - not_before_in: [all] - not_in_before_in: [all] - evttype_in: [execve,open] - evttype_in_plus_trailing: [connect,execve,open] - leading_in_not_equals_before_evttype: [all] - leading_in_not_equals_at_evttype: [all] - not_with_evttypes: [all] - not_with_evttypes_addl: [all] - not_equals_before_evttype: [all] - not_equals_before_in_evttype: [all] - not_before_evttype: [all] - not_before_evttype_using_in: [all] - repeated_evttypes: [open] - repeated_evttypes_with_in: [open] - repeated_evttypes_with_separate_in: [open] - repeated_evttypes_with_mix: [open] rule_names_with_spaces: detect: True detect_level: WARNING rules_file: - rules/rule_names_with_spaces.yaml trace_file: trace_files/cat_write.scap multiple_rules_first_empty: detect: True detect_level: WARNING rules_file: - rules/empty_rules.yaml - rules/single_rule.yaml trace_file: trace_files/cat_write.scap multiple_rules_last_empty: detect: True detect_level: WARNING rules_file: - rules/single_rule.yaml - rules/empty_rules.yaml trace_file: trace_files/cat_write.scap multiple_rules: detect: True detect_level: - WARNING - INFO - ERROR rules_file: - rules/single_rule.yaml - rules/double_rule.yaml trace_file: trace_files/cat_write.scap all_events: True rules_directory: detect: True detect_level: - WARNING - INFO - ERROR rules_file: - rules/rules_dir trace_file: trace_files/cat_write.scap all_events: True multiple_rules_suppress_info: detect: True detect_level: - WARNING - ERROR priority: WARNING detect_counts: - open_from_cat: 8 - exec_from_cat: 1 - access_from_cat: 0 rules_file: - rules/single_rule.yaml - rules/double_rule.yaml trace_file: trace_files/cat_write.scap all_events: True multiple_rules_overriding: detect: False rules_file: - rules/single_rule.yaml - rules/override_rule.yaml trace_file: trace_files/cat_write.scap macro_overriding: detect: False rules_file: - rules/single_rule.yaml - rules/override_macro.yaml trace_file: trace_files/cat_write.scap list_overriding: detect: False rules_file: - rules/single_rule.yaml - rules/override_list.yaml trace_file: trace_files/cat_write.scap nested_list_overriding: detect: False rules_file: - rules/single_rule.yaml - rules/override_nested_list.yaml trace_file: trace_files/cat_write.scap list_substring: detect: False rules_file: - rules/list_substring.yaml trace_file: trace_files/cat_write.scap list_sub_front: detect: True detect_level: WARNING rules_file: - rules/list_sub_front.yaml trace_file: trace_files/cat_write.scap list_sub_mid: detect: True detect_level: WARNING rules_file: - rules/list_sub_mid.yaml trace_file: trace_files/cat_write.scap list_sub_end: detect: True detect_level: WARNING rules_file: - rules/list_sub_end.yaml trace_file: trace_files/cat_write.scap list_sub_bare: detect: True detect_level: WARNING rules_file: - rules/list_sub_bare.yaml trace_file: trace_files/cat_write.scap list_sub_whitespace: detect: True detect_level: WARNING rules_file: - rules/list_sub_whitespace.yaml trace_file: trace_files/cat_write.scap list_order: detect: True detect_level: WARNING rules_file: - rules/list_order.yaml trace_file: trace_files/cat_write.scap macro_order: detect: True detect_level: WARNING rules_file: - rules/macro_order.yaml trace_file: trace_files/cat_write.scap rule_order: detect: True detect_level: WARNING rules_file: - rules/rule_order.yaml trace_file: trace_files/cat_write.scap endswith: detect: True detect_level: WARNING rules_file: - rules/endswith.yaml trace_file: trace_files/cat_write.scap invalid_not_yaml: exit_status: 1 stdout_is: |+ Rules content is not yaml --- This is not yaml --- validate_rules_file: - rules/invalid_not_yaml.yaml trace_file: trace_files/cat_write.scap invalid_not_array: exit_status: 1 stdout_is: |+ Rules content is not yaml array of objects --- foo: bar --- validate_rules_file: - rules/invalid_not_array.yaml trace_file: trace_files/cat_write.scap invalid_array_item_not_object: exit_status: 1 stdout_is: |+ Unexpected element of type string. Each element should be a yaml associative array. --- - foo --- validate_rules_file: - rules/invalid_array_item_not_object.yaml trace_file: trace_files/cat_write.scap invalid_unexpected object: exit_status: 1 stdout_is: |+ Unknown rule object: {foo="bar"} --- - foo: bar --- validate_rules_file: - rules/invalid_unexpected_object.yaml trace_file: trace_files/cat_write.scap invalid_engine_version_not_number: exit_status: 1 stdout_is: |+ Value of required_engine_version must be a number --- - required_engine_version: not-a-number --- validate_rules_file: - rules/invalid_engine_version_not_number.yaml trace_file: trace_files/cat_write.scap invalid_yaml_parse_error: exit_status: 1 stdout_is: |+ mapping values are not allowed in this context --- this : is : not : yaml --- validate_rules_file: - rules/invalid_yaml_parse_error.yaml trace_file: trace_files/cat_write.scap invalid_list_without_items: exit_status: 1 stdout_is: |+ List must have property items --- - list: bad_list no_items: foo --- validate_rules_file: - rules/invalid_list_without_items.yaml trace_file: trace_files/cat_write.scap invalid_macro_without_condition: exit_status: 1 stdout_is: |+ Macro must have property condition --- - macro: bad_macro nope: 1 --- validate_rules_file: - rules/invalid_macro_without_condition.yaml trace_file: trace_files/cat_write.scap invalid_rule_without_output: exit_status: 1 stdout_is: |+ Rule must have property output --- - rule: no output rule desc: some desc condition: evt.type=fork priority: INFO --- validate_rules_file: - rules/invalid_rule_without_output.yaml trace_file: trace_files/cat_write.scap invalid_append_rule_without_condition: exit_status: 1 stdout_is: |+ Rule must have property condition --- - rule: no condition rule append: true --- validate_rules_file: - rules/invalid_append_rule_without_condition.yaml trace_file: trace_files/cat_write.scap invalid_append_macro_dangling: exit_status: 1 stdout_is: |+ Macro dangling append has 'append' key but no macro by that name already exists --- - macro: dangling append condition: and evt.type=execve append: true --- validate_rules_file: - rules/invalid_append_macro_dangling.yaml trace_file: trace_files/cat_write.scap invalid_list_append_dangling: exit_status: 1 stdout_is: |+ List my_list has 'append' key but no list by that name already exists --- - list: my_list items: [not-cat] append: true --- validate_rules_file: - rules/list_append_failure.yaml trace_file: trace_files/cat_write.scap invalid_rule_append_dangling: exit_status: 1 stdout_is: |+ Rule my_rule has 'append' key but no rule by that name already exists --- - rule: my_rule condition: evt.type=open append: true --- validate_rules_file: - rules/rule_append_failure.yaml trace_file: trace_files/cat_write.scap invalid_missing_rule_name: exit_status: 1 stdout_is: |+ Rule name is empty --- - rule: desc: some desc condition: evt.type=execve output: some output --- validate_rules_file: - rules/invalid_missing_rule_name.yaml trace_file: trace_files/cat_write.scap invalid_missing_list_name: exit_status: 1 stdout_is: |+ List name is empty --- - list: items: [foo] --- validate_rules_file: - rules/invalid_missing_list_name.yaml trace_file: trace_files/cat_write.scap invalid_missing_macro_name: exit_status: 1 stdout_is: |+ Macro name is empty --- - macro: condition: evt.type=execve --- validate_rules_file: - rules/invalid_missing_macro_name.yaml trace_file: trace_files/cat_write.scap invalid_rule_output: exit_status: 1 stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting." rules_file: - rules/invalid_rule_output.yaml trace_file: trace_files/cat_write.scap disabled_rules: detect: False rules_file: - rules/empty_rules.yaml - rules/single_rule.yaml disabled_rules: - open_from_cat trace_file: trace_files/cat_write.scap disabled_rules_using_regex: detect: False rules_file: - rules/empty_rules.yaml - rules/single_rule.yaml disabled_rules: - "open.*" trace_file: trace_files/cat_write.scap disabled_rules_using_enabled_flag: detect: False rules_file: - rules/single_rule_enabled_flag.yaml trace_file: trace_files/cat_write.scap disabled_and_enabled_rules_1: exit_status: 1 stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting." disable_tags: [a] run_tags: [a] rules_file: - rules/single_rule.yaml trace_file: trace_files/cat_write.scap disabled_and_enabled_rules_2: exit_status: 1 stderr_contains: "Runtime error: You can not specify both disabled .-D/-T. and enabled .-t. rules. Exiting." disabled_rules: - "open.*" run_tags: [a] rules_file: - rules/single_rule.yaml trace_file: trace_files/cat_write.scap null_output_field: detect: True detect_level: WARNING rules_file: - rules/null_output_field.yaml trace_file: trace_files/cat_write.scap stdout_contains: "Warning An open was seen .cport= command=cat /dev/null." file_output: detect: True detect_level: WARNING rules_file: - rules/single_rule.yaml conf_file: confs/file_output.yaml trace_file: trace_files/cat_write.scap outputs: - /tmp/falco_outputs/file_output.txt: Warning An open was seen program_output: detect: True detect_level: WARNING rules_file: - rules/single_rule.yaml conf_file: confs/program_output.yaml trace_file: trace_files/cat_write.scap outputs: - /tmp/falco_outputs/program_output.txt: Warning An open was seen detect_counts: detect: True detect_level: WARNING trace_file: traces-positive/falco-event-generator.scap detect_counts: - "Write below binary dir": 1 - "Read sensitive file untrusted": 3 - "Run shell untrusted": 1 - "Write below rpm database": 1 - "Write below etc": 1 - "System procs network activity": 1 - "Mkdir binary dirs": 1 - "System user interactive": 1 - "DB program spawned process": 1 - "Non sudo setuid": 1 - "Create files below dev": 1 - "Modify binary dirs": 2 - "Change thread namespace": 2 disabled_tags_a: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap disable_tags: [a] detect_counts: - open_1: 0 - open_2: 1 - open_3: 1 - open_4: 0 - open_5: 0 - open_6: 1 - open_7: 0 - open_8: 0 - open_9: 0 - open_10: 0 - open_11: 1 - open_12: 1 - open_13: 1 disabled_tags_b: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap disable_tags: [b] detect_counts: - open_1: 1 - open_2: 0 - open_3: 1 - open_4: 0 - open_5: 1 - open_6: 0 - open_7: 0 - open_8: 0 - open_9: 1 - open_10: 0 - open_11: 1 - open_12: 1 - open_13: 1 disabled_tags_c: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap disable_tags: [c] detect_counts: - open_1: 1 - open_2: 1 - open_3: 0 - open_4: 1 - open_5: 0 - open_6: 0 - open_7: 0 - open_8: 1 - open_9: 0 - open_10: 0 - open_11: 1 - open_12: 1 - open_13: 1 disabled_tags_ab: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap disable_tags: [a, b] detect_counts: - open_1: 0 - open_2: 0 - open_3: 1 - open_4: 0 - open_5: 0 - open_6: 0 - open_7: 0 - open_8: 0 - open_9: 0 - open_10: 0 - open_11: 1 - open_12: 1 - open_13: 1 disabled_tags_abc: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap disable_tags: [a, b, c] detect_counts: - open_1: 0 - open_2: 0 - open_3: 0 - open_4: 0 - open_5: 0 - open_6: 0 - open_7: 0 - open_8: 0 - open_9: 0 - open_10: 0 - open_11: 1 - open_12: 1 - open_13: 1 run_tags_a: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap run_tags: [a] detect_counts: - open_1: 1 - open_2: 0 - open_3: 0 - open_4: 1 - open_5: 1 - open_6: 0 - open_7: 1 - open_8: 1 - open_9: 1 - open_10: 1 - open_11: 0 - open_12: 0 - open_13: 0 run_tags_b: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap run_tags: [b] detect_counts: - open_1: 0 - open_2: 1 - open_3: 0 - open_4: 1 - open_5: 0 - open_6: 1 - open_7: 1 - open_8: 1 - open_9: 0 - open_10: 1 - open_11: 0 - open_12: 0 - open_13: 0 run_tags_c: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap run_tags: [c] detect_counts: - open_1: 0 - open_2: 0 - open_3: 1 - open_4: 0 - open_5: 1 - open_6: 1 - open_7: 1 - open_8: 0 - open_9: 1 - open_10: 1 - open_11: 0 - open_12: 0 - open_13: 0 run_tags_ab: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap run_tags: [a, b] detect_counts: - open_1: 1 - open_2: 1 - open_3: 0 - open_4: 1 - open_5: 1 - open_6: 1 - open_7: 1 - open_8: 1 - open_9: 1 - open_10: 1 - open_11: 0 - open_12: 0 - open_13: 0 run_tags_bc: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap run_tags: [b, c] detect_counts: - open_1: 0 - open_2: 1 - open_3: 1 - open_4: 1 - open_5: 1 - open_6: 1 - open_7: 1 - open_8: 1 - open_9: 1 - open_10: 1 - open_11: 0 - open_12: 0 - open_13: 0 run_tags_abc: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap run_tags: [a, b, c] detect_counts: - open_1: 1 - open_2: 1 - open_3: 1 - open_4: 1 - open_5: 1 - open_6: 1 - open_7: 1 - open_8: 1 - open_9: 1 - open_10: 1 - open_11: 0 - open_12: 0 - open_13: 0 run_tags_d: detect: True detect_level: WARNING rules_file: - rules/tagged_rules.yaml trace_file: trace_files/open-multiple-files.scap run_tags: [d] detect_counts: - open_1: 0 - open_2: 0 - open_3: 0 - open_4: 0 - open_5: 0 - open_6: 0 - open_7: 0 - open_8: 0 - open_9: 0 - open_10: 0 - open_11: 1 - open_12: 0 - open_13: 0 list_append_failure: exit_status: 1 stderr_contains: "List my_list has 'append' key but no list by that name already exists" rules_file: - rules/list_append_failure.yaml trace_file: trace_files/cat_write.scap list_append: detect: True detect_level: WARNING rules_file: - rules/list_append.yaml trace_file: trace_files/cat_write.scap list_append_false: detect: False rules_file: - rules/list_append_false.yaml trace_file: trace_files/cat_write.scap macro_append_failure: exit_status: 1 stderr_contains: "Macro my_macro has 'append' key but no macro by that name already exists" rules_file: - rules/macro_append_failure.yaml trace_file: trace_files/cat_write.scap macro_append: detect: True detect_level: WARNING rules_file: - rules/macro_append.yaml trace_file: trace_files/cat_write.scap macro_append_false: detect: False rules_file: - rules/macro_append_false.yaml trace_file: trace_files/cat_write.scap rule_append_failure: exit_status: 1 stderr_contains: "Rule my_rule has 'append' key but no rule by that name already exists" rules_file: - rules/rule_append_failure.yaml trace_file: trace_files/cat_write.scap rule_append_skipped: detect: False priority: ERROR rules_file: - rules/single_rule.yaml - rules/append_single_rule.yaml trace_file: trace_files/cat_write.scap rule_append: detect: True detect_level: WARNING rules_file: - rules/rule_append.yaml trace_file: trace_files/cat_write.scap rule_append_false: detect: False rules_file: - rules/rule_append_false.yaml trace_file: trace_files/cat_write.scap json_output_no_output_property: json_output: True json_include_output_property: False detect: True detect_level: WARNING rules_file: - rules/rule_append.yaml trace_file: trace_files/cat_write.scap stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)" in_operator_netmasks: detect: True detect_level: INFO rules_file: - rules/detect_connect_using_in.yaml trace_file: trace_files/connect_localhost.scap syscalls: detect: True detect_level: INFO rules_file: - rules/syscalls.yaml detect_counts: - detect_madvise: 2 - detect_open: 2 trace_file: trace_files/syscall.scap all_events: True catchall_order: detect: True detect_level: INFO rules_file: - rules/catchall_order.yaml detect_counts: - open_dev_null: 1 dev_null: 0 trace_file: trace_files/cat_write.scap skip_unknown_noevt: detect: False stdout_contains: Skipping rule "Contains Unknown Event And Skipping" that contains unknown filter proc.nobody rules_file: - rules/skip_unknown_evt.yaml trace_file: trace_files/cat_write.scap skip_unknown_prefix: detect: False rules_file: - rules/skip_unknown_prefix.yaml trace_file: trace_files/cat_write.scap skip_unknown_error: exit_status: 1 stderr_contains: Rule "Contains Unknown Event And Not Skipping" contains unknown filter proc.nobody. Exiting. rules_file: - rules/skip_unknown_error.yaml trace_file: trace_files/cat_write.scap skip_unknown_unspec_error: exit_status: 1 stderr_contains: Rule "Contains Unknown Event And Unspecified" contains unknown filter proc.nobody. Exiting. rules_file: - rules/skip_unknown_unspec.yaml trace_file: trace_files/cat_write.scap engine_version_mismatch: exit_status: 1 stderr_contains: Rules require engine version 9999999, but engine version is rules_file: - rules/engine_version_mismatch.yaml trace_file: trace_files/cat_write.scap monitor_syscall_drops_none: exit_status: 0 rules_file: - rules/single_rule.yaml conf_file: confs/drops_none.yaml trace_file: trace_files/ping_sendto.scap stderr_not_contains: - "event drop detected: 9 occurrences" - "num times actions taken: 9" - "Falco internal: syscall event drop" stdout_not_contains: - "Falco internal: syscall event drop" monitor_syscall_drops_ignore: exit_status: 0 rules_file: - rules/single_rule.yaml conf_file: confs/drops_ignore.yaml trace_file: trace_files/ping_sendto.scap stderr_contains: - "event drop detected: 9 occurrences" - "num times actions taken: 9" stderr_not_contains: - "Falco internal: syscall event drop" stdout_not_contains: - "Falco internal: syscall event drop" monitor_syscall_drops_log: exit_status: 0 rules_file: - rules/single_rule.yaml conf_file: confs/drops_log.yaml trace_file: trace_files/ping_sendto.scap stderr_contains: - "event drop detected: 9 occurrences" - "num times actions taken: 9" - "Falco internal: syscall event drop" stdout_not_contains: - "Falco internal: syscall event drop" monitor_syscall_drops_alert: exit_status: 0 rules_file: - rules/single_rule.yaml conf_file: confs/drops_alert.yaml trace_file: trace_files/ping_sendto.scap stderr_contains: - "event drop detected: 9 occurrences" - "num times actions taken: 9" stderr_not_contains: - "Falco internal: syscall event drop" stdout_contains: - "Falco internal: syscall event drop" monitor_syscall_drops_exit: exit_status: 1 rules_file: - rules/single_rule.yaml conf_file: confs/drops_exit.yaml trace_file: trace_files/ping_sendto.scap stderr_contains: - "event drop detected: 1 occurrences" - "num times actions taken: 1" - "Falco internal: syscall event drop" - "Exiting." stdout_not_contains: - "Falco internal: syscall event drop" time_iso_8601: time_iso_8601: true detect: True detect_level: WARNING rules_file: - rules/single_rule.yaml trace_file: trace_files/cat_write.scap stdout_contains: "2016-08-04T16:17:57.882054739\\+0000: Warning An open was seen" stderr_contains: "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\d\\+0000"