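#
# Copyright (C) 2020 The Falco Authors.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Regression test matrix: every child of `trace_files` is one test case,
# multiplexed by the `!mux` tag of the avocado test runner. The keys below
# are interpreted by the runner, not by this file; as used here they are,
# roughly: `rules_file` / `conf_file` / `trace_file` select the inputs,
# `detect` / `detect_level` / `detect_counts` describe the expected alerts,
# `validate_rules_file` with `validate_errors` / `validate_warnings` checks
# rule loading, and `exit_status` / `*_contains` / `*_not_contains` check
# the process outcome. Booleans are written as lowercase `true` / `false`
# throughout (the same values for the YAML loader, and what yamllint expects).
trace_files: !mux

  builtin_rules_no_warnings:
    detect: false
    trace_file: trace_files/empty.scap

  # The rules_events part of this test was mistakenly disabled when
  # generic events (e.g. k8s_audit support) was added (#1715).
  # The implementation no longer prints messages of the form:
  # "Event types for rule (): ()"
  # And without that output, none of the checks below rules_events
  # are considered.
  # XXX/mstemm add it back
  test_warnings:
    detect: false
    trace_file: trace_files/empty.scap
    validate_rules_file: rules/falco_rules_warnings.yaml
    validate_warnings:
      - item_type: rule
        item_name: no_evttype
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: evttype_not_equals
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: leading_not
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: not_equals_at_end
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: not_at_end
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: not_equals_and_not
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: leading_in_not_equals_at_evttype
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: not_with_evttypes
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
      - item_type: rule
        item_name: not_with_evttypes_addl
        code: LOAD_NO_EVTTYPE
        message: "Rule matches too many evt.type values. This has a significant performance penalty."
    # Currently not evaluated (see note above); kept so it can be re-enabled.
    rules_events:
      - no_warnings: [execve]
      - no_evttype: [all]
      - evttype_not_equals: [all]
      - leading_not: [all]
      - not_equals_after_evttype: [execve]
      - not_after_evttype: [execve]
      - leading_trailing_evttypes: [execve, open]
      - leading_multitrailing_evttypes: [connect, execve, open]
      - leading_multitrailing_evttypes_using_in: [connect, execve, open]
      - not_equals_at_end: [all]
      - not_at_end: [all]
      - not_before_trailing_evttype: [all]
      - not_equals_before_trailing_evttype: [all]
      - not_equals_and_not: [all]
      - not_equals_before_in: [all]
      - not_before_in: [all]
      - not_in_before_in: [all]
      - evttype_in: [execve, open]
      - evttype_in_plus_trailing: [connect, execve, open]
      - leading_in_not_equals_before_evttype: [all]
      - leading_in_not_equals_at_evttype: [all]
      - not_with_evttypes: [all]
      - not_with_evttypes_addl: [all]
      - not_equals_before_evttype: [all]
      - not_equals_before_in_evttype: [all]
      - not_before_evttype: [all]
      - not_before_evttype_using_in: [all]
      - repeated_evttypes: [open]
      - repeated_evttypes_with_in: [open]
      - repeated_evttypes_with_separate_in: [open]
      - repeated_evttypes_with_mix: [open]

  rule_names_with_spaces:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/rule_names_with_spaces.yaml
    trace_file: trace_files/cat_write.scap

  rule_names_with_regex_chars:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/rule_names_with_regex_chars.yaml
    # Single quotes keep the backslash literal; the rule name is matched
    # as-is even though it contains regex metacharacters.
    detect_counts:
      - 'Open From Cat ($\.*+?()[]{}|^)': 8
    trace_file: trace_files/cat_write.scap

  multiple_rules_first_empty:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/empty_rules.yaml
      - rules/single_rule.yaml
    trace_file: trace_files/cat_write.scap

  multiple_rules_last_empty:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
      - rules/empty_rules.yaml
    trace_file: trace_files/cat_write.scap

  multiple_rules:
    detect: true
    detect_level:
      - WARNING
      - INFO
      - ERROR
    rules_file:
      - rules/single_rule.yaml
      - rules/double_rule.yaml
    trace_file: trace_files/cat_write.scap
    all_events: true

  multiple_docs:
    detect: true
    detect_level:
      - WARNING
      - INFO
      - ERROR
    rules_file:
      - rules/single_rule.yaml
      - rules/double_rule.yaml
    trace_file: trace_files/cat_write.scap
    all_events: true

  rules_directory:
    detect: true
    detect_level:
      - WARNING
      - INFO
      - ERROR
    rules_file:
      - rules/rules_dir
    trace_file: trace_files/cat_write.scap
    all_events: true

  multiple_rules_suppress_info:
    detect: true
    detect_level:
      - WARNING
      - ERROR
    priority: WARNING
    detect_counts:
      - open_from_cat: 8
      - exec_from_cat: 1
      - access_from_cat: 0
    rules_file:
      - rules/single_rule.yaml
      - rules/double_rule.yaml
    trace_file: trace_files/cat_write.scap
    all_events: true

  # A later rules file that redefines a rule/macro/list replaces the earlier
  # definition; these cases expect the override to suppress the detection.
  multiple_rules_overriding:
    detect: false
    rules_file:
      - rules/single_rule.yaml
      - rules/override_rule.yaml
    trace_file: trace_files/cat_write.scap

  macro_overriding:
    detect: false
    rules_file:
      - rules/single_rule.yaml
      - rules/override_macro.yaml
    trace_file: trace_files/cat_write.scap

  list_overriding:
    detect: false
    rules_file:
      - rules/single_rule.yaml
      - rules/override_list.yaml
    trace_file: trace_files/cat_write.scap

  nested_list_overriding:
    detect: false
    rules_file:
      - rules/single_rule.yaml
      - rules/override_nested_list.yaml
    trace_file: trace_files/cat_write.scap

  list_substring:
    detect: false
    rules_file:
      - rules/list_substring.yaml
    trace_file: trace_files/cat_write.scap

  list_sub_front:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/list_sub_front.yaml
    trace_file: trace_files/cat_write.scap

  list_sub_mid:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/list_sub_mid.yaml
    trace_file: trace_files/cat_write.scap

  list_sub_end:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/list_sub_end.yaml
    trace_file: trace_files/cat_write.scap

  list_sub_bare:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/list_sub_bare.yaml
    trace_file: trace_files/cat_write.scap

  list_sub_whitespace:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/list_sub_whitespace.yaml
    trace_file: trace_files/cat_write.scap

  list_order:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/list_order.yaml
    trace_file: trace_files/cat_write.scap

  macro_order:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/macro_order.yaml
    trace_file: trace_files/cat_write.scap

  rule_order:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/rule_order.yaml
    trace_file: trace_files/cat_write.scap

  endswith:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/endswith.yaml
    trace_file: trace_files/cat_write.scap

  # Malformed or inconsistent rules files must be rejected at load time
  # (exit_status 1 with a specific LOAD_ERR_* code) rather than partially
  # loaded, so a broken ruleset cannot silently run with fewer rules.
  invalid_not_yaml:
    exit_status: 1
    validate_errors:
      - item_type: rules content
        item_name: ""
        code: LOAD_ERR_YAML_VALIDATE
        message: "Rules content is not yaml"
    validate_rules_file:
      - rules/invalid_not_yaml.yaml
    trace_file: trace_files/cat_write.scap

  invalid_not_array:
    exit_status: 1
    validate_errors:
      - item_type: rules content
        item_name: ""
        code: LOAD_ERR_YAML_VALIDATE
        message: "Rules content is not yaml array of objects"
    validate_rules_file:
      - rules/invalid_not_array.yaml
    trace_file: trace_files/cat_write.scap

  invalid_array_item_not_object:
    exit_status: 1
    validate_errors:
      - item_type: rules content item
        item_name: ""
        code: LOAD_ERR_YAML_VALIDATE
        message: "Unexpected element type. Each element should be a yaml associative array."
    validate_rules_file:
      - rules/invalid_array_item_not_object.yaml
    trace_file: trace_files/cat_write.scap

  invalid_engine_version_not_number:
    exit_status: 1
    validate_errors:
      - item_type: required_engine_version
        item_name: ""
        code: LOAD_ERR_YAML_VALIDATE
        message: "Can't decode YAML scalar value"
    validate_rules_file:
      - rules/invalid_engine_version_not_number.yaml
    trace_file: trace_files/cat_write.scap

  invalid_yaml_parse_error:
    exit_status: 1
    validate_errors:
      - item_type: rules content
        item_name: ""
        code: LOAD_ERR_YAML_PARSE
        message: "yaml-cpp: error at line 1, column 11: illegal map value"
    validate_rules_file:
      - rules/invalid_yaml_parse_error.yaml
    trace_file: trace_files/cat_write.scap

  invalid_list_without_items:
    exit_status: 1
    validate_errors:
      - item_type: list
        item_name: bad_list
        code: LOAD_ERR_YAML_VALIDATE
        message: "Item has no mapping for key 'items'"
    validate_rules_file:
      - rules/invalid_list_without_items.yaml
    trace_file: trace_files/cat_write.scap

  invalid_macro_without_condition:
    exit_status: 1
    validate_errors:
      - item_type: macro
        item_name: bad_macro
        code: LOAD_ERR_YAML_VALIDATE
        message: "Item has no mapping for key 'condition'"
    validate_rules_file:
      - rules/invalid_macro_without_condition.yaml
    trace_file: trace_files/cat_write.scap

  invalid_macro_loop:
    exit_status: 1
    validate_errors:
      - item_type: macro
        item_name: macro_a
        code: LOAD_ERR_VALIDATE
        message_contains: "reference loop in macro"
    validate_rules_file:
      - rules/invalid_macro_loop.yaml

  invalid_rule_without_output:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: no output rule
        code: LOAD_ERR_YAML_VALIDATE
        message: "Item has no mapping for key 'output'"
    validate_rules_file:
      - rules/invalid_rule_without_output.yaml
    trace_file: trace_files/cat_write.scap

  invalid_append_rule_without_condition:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: no condition rule
        code: LOAD_ERR_VALIDATE
        message: "Appended rule must have exceptions or condition property"
    validate_rules_file:
      - rules/invalid_append_rule_without_condition.yaml
    trace_file: trace_files/cat_write.scap

  invalid_append_macro_dangling:
    exit_status: 1
    validate_errors:
      - item_type: macro
        item_name: dangling append
        code: LOAD_ERR_VALIDATE
        message: "Macro has 'append' key but no macro by that name already exists"
    validate_rules_file:
      - rules/invalid_append_macro_dangling.yaml
    trace_file: trace_files/cat_write.scap

  invalid_list_append_dangling:
    exit_status: 1
    validate_errors:
      - item_type: list
        item_name: my_list
        code: LOAD_ERR_VALIDATE
        message: "List has 'append' key but no list by that name already exists"
    validate_rules_file:
      - rules/list_append_failure.yaml
    trace_file: trace_files/cat_write.scap

  invalid_list_loop:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: sample rule
        code: LOAD_ERR_COMPILE_CONDITION
        message: "unknown event type list_a"
    validate_rules_file:
      - rules/invalid_list_loop.yaml

  invalid_rule_append_dangling:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: my_rule
        code: LOAD_ERR_VALIDATE
        message: "Rule has 'append' key but no rule by that name already exists"
    validate_rules_file:
      - rules/rule_append_failure.yaml
    trace_file: trace_files/cat_write.scap

  # `validate_ok` names the file that must still validate on its own while
  # the combination with the second file fails.
  invalid_overwrite_macro:
    exit_status: 1
    validate_ok: [invalid_base_macro.yaml]
    validate_errors:
      - item_type: macro
        item_name: some macro
        code: LOAD_ERR_VALIDATE
        message: "Undefined macro 'foo' used in filter."
    validate_warnings:
      - item_type: macro
        item_name: some macro
        code: LOAD_UNUSED_MACRO
        message: "Macro not referred to by any other rule/macro"
    validate_rules_file:
      - rules/invalid_base_macro.yaml
      - rules/invalid_overwrite_macro.yaml
    trace_file: trace_files/cat_write.scap

  invalid_append_macro:
    exit_status: 1
    validate_ok: [invalid_base_macro.yaml]
    validate_errors:
      - item_type: macro
        item_name: some macro
        code: LOAD_ERR_COMPILE_CONDITION
        message: "unexpected token after 'execve', expecting 'or', 'and'"
    validate_warnings:
      - item_type: macro
        item_name: some macro
        code: LOAD_UNUSED_MACRO
        message: "Macro not referred to by any other rule/macro"
    validate_rules_file:
      - rules/invalid_base_macro.yaml
      - rules/invalid_append_macro.yaml
    trace_file: trace_files/cat_write.scap

  invalid_overwrite_macro_multiple_docs:
    exit_status: 1
    validate_errors:
      - item_type: macro
        item_name: some macro
        code: LOAD_ERR_VALIDATE
        message: "Undefined macro 'foo' used in filter."
    validate_rules_file:
      - rules/invalid_overwrite_macro_multiple_docs.yaml
    trace_file: trace_files/cat_write.scap

  invalid_append_macro_multiple_docs:
    exit_status: 1
    validate_errors:
      - item_type: macro
        item_name: some macro
        code: LOAD_ERR_COMPILE_CONDITION
        message: "unexpected token after 'execve', expecting 'or', 'and'"
    validate_rules_file:
      - rules/invalid_append_macro_multiple_docs.yaml
    trace_file: trace_files/cat_write.scap

  invalid_overwrite_rule:
    exit_status: 1
    validate_ok: [invalid_base_rule.yaml]
    validate_errors:
      - item_type: rule
        item_name: some rule
        code: LOAD_ERR_VALIDATE
        message: "Undefined macro 'bar' used in filter."
    validate_rules_file:
      - rules/invalid_base_rule.yaml
      - rules/invalid_overwrite_rule.yaml
    trace_file: trace_files/cat_write.scap

  invalid_append_rule:
    exit_status: 1
    validate_ok: [invalid_base_rule.yaml]
    validate_errors:
      - item_type: rule
        item_name: some rule
        code: LOAD_ERR_COMPILE_CONDITION
        message: "unexpected token after 'open', expecting 'or', 'and'"
    validate_rules_file:
      - rules/invalid_base_rule.yaml
      - rules/invalid_append_rule.yaml
    trace_file: trace_files/cat_write.scap

  invalid_overwrite_rule_multiple_docs:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: some rule
        code: LOAD_ERR_VALIDATE
        message: "Undefined macro 'bar' used in filter."
    validate_rules_file:
      - rules/invalid_overwrite_rule_multiple_docs.yaml
    trace_file: trace_files/cat_write.scap

  invalid_append_rule_multiple_docs:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: some rule
        code: LOAD_ERR_COMPILE_CONDITION
        message: "unexpected token after 'open', expecting 'or', 'and'"
    validate_rules_file:
      - rules/invalid_append_rule_multiple_docs.yaml
    trace_file: trace_files/cat_write.scap

  invalid_missing_rule_name:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: ""
        code: LOAD_ERR_YAML_VALIDATE
        message: "Mapping for key 'rule' is empty"
    validate_rules_file:
      - rules/invalid_missing_rule_name.yaml
    trace_file: trace_files/cat_write.scap

  invalid_missing_list_name:
    exit_status: 1
    validate_errors:
      - item_type: list
        item_name: ""
        code: LOAD_ERR_YAML_VALIDATE
        message: "Mapping for key 'list' is empty"
    validate_rules_file:
      - rules/invalid_missing_list_name.yaml
    trace_file: trace_files/cat_write.scap

  invalid_missing_macro_name:
    exit_status: 1
    validate_errors:
      - item_type: macro
        item_name: ""
        code: LOAD_ERR_YAML_VALIDATE
        message: "Mapping for key 'macro' is empty"
    validate_rules_file:
      - rules/invalid_missing_macro_name.yaml
    trace_file: trace_files/cat_write.scap

  invalid_rule_output:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: rule_with_invalid_output
        code: LOAD_ERR_COMPILE_OUTPUT
        message: "invalid formatting token not_a_real_field"
    validate_rules_file:
      - rules/invalid_rule_output.yaml
    trace_file: trace_files/cat_write.scap

  disabled_rules:
    detect: false
    rules_file:
      - rules/empty_rules.yaml
      - rules/single_rule.yaml
    disabled_rules:
      - open_from_cat
    trace_file: trace_files/cat_write.scap

  # The test name indicates that `disabled_rules` entries match by
  # substring, so "open_from" is expected to disable open_from_cat as well.
  disabled_rules_using_substring:
    detect: false
    rules_file:
      - rules/empty_rules.yaml
      - rules/single_rule.yaml
    disabled_rules:
      - "open_from"
    trace_file: trace_files/cat_write.scap

  disabled_rules_using_enabled_flag:
    detect: false
    rules_file:
      - rules/single_rule_enabled_flag.yaml
    trace_file: trace_files/cat_write.scap

  disabled_rule_using_false_enabled_flag_only:
    detect: false
    rules_file:
      - rules/disabled_rule_using_enabled_flag_only.yaml
    trace_file: trace_files/cat_write.scap

  enabled_rule_using_false_enabled_flag_only:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/enabled_rule_using_enabled_flag_only.yaml
    trace_file: trace_files/cat_write.scap
    stdout_contains: "Warning An open was seen"

  # Combining disabled (-D/-T) and enabled (-t) selections is an error;
  # the '.' in the expected message stand in for the quote characters
  # because the value is matched as a regex.
  disabled_and_enabled_rules_1:
    exit_status: 1
    stderr_contains: "Error: You can not specify both disabled .-D/-T. and enabled .-t. rules"
    disable_tags: [a]
    run_tags: [a]
    rules_file:
      - rules/single_rule.yaml
    trace_file: trace_files/cat_write.scap

  disabled_and_enabled_rules_2:
    exit_status: 1
    stderr_contains: "Error: You can not specify both disabled .-D/-T. and enabled .-t. rules"
    disabled_rules:
      - "open.*"
    run_tags: [a]
    rules_file:
      - rules/single_rule.yaml
    trace_file: trace_files/cat_write.scap

  null_output_field:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/null_output_field.yaml
    trace_file: trace_files/cat_write.scap
    stdout_contains: "Warning An open was seen .cport= command=cat /dev/null."

  # Strict output comparisons: the produced output must match the reference
  # file in output_files/ rather than merely contain a substring.
  stdout_output_strict:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/stdout_output.yaml
    trace_file: trace_files/cat_write.scap
    time_iso_8601: true
    output_strictly_contains:
      - stdout: output_files/single_rule_with_cat_write.txt

  stdout_output_json_strict:
    json_output: true
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/single_rule_with_tags.yaml
    conf_file: confs/stdout_output.yaml
    trace_file: trace_files/cat_write.scap
    time_iso_8601: true
    output_strictly_contains:
      - stdout: output_files/single_rule_with_cat_write.json

  file_output_strict:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/file_output.yaml
    trace_file: trace_files/cat_write.scap
    time_iso_8601: true
    output_strictly_contains:
      - /tmp/falco_outputs/file_output.txt: output_files/single_rule_with_cat_write.txt

  program_output_strict:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/program_output.yaml
    trace_file: trace_files/cat_write.scap
    time_iso_8601: true
    output_strictly_contains:
      - /tmp/falco_outputs/program_output.txt: output_files/single_rule_with_cat_write.txt

  grpc_unix_socket_outputs:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/single_rule_with_tags.yaml
    conf_file: confs/grpc_unix_socket.yaml
    trace_file: trace_files/cat_write.scap
    run_duration: 5
    time_iso_8601: true
    grpc:
      address: unix:///tmp/falco/falco.sock
      proto: outputs.proto
      service: falco.outputs.service
      method: get
      # protobuf text format
      results:
        - "seconds:1470327477 nanos:881781397"
        - "priority: WARNING"
        - "rule: \"open_from_cat\""
        - "output: \"2016-08-04T16:17:57.881781397+0000: Warning An open was seen (command=cat /dev/null)\""
        # output fields
        - "key: \"evt.time.iso8601\""
        - "value: \"2016-08-04T16:17:57.881781397+0000\""
        - "key: \"proc.cmdline\""
        - "value: \"cat /dev/null\""
        # For the hostname, since we don't know that beforehand,
        # only check the field presence
        - "hostname: "
        # tags
        - "tags: \"filesystem\""
        - "tags: \"process\""
        - "tags: \"testing\""

  # Expected per-rule alert counts for the default ruleset against the
  # event-generator trace; a count of 0 pins rules that must NOT fire here.
  detect_counts:
    detect: true
    detect_level: WARNING
    trace_file: traces-positive/falco-event-generator.scap
    detect_counts:
      - "Write below binary dir": 1
      - "Read sensitive file untrusted": 3
      - "Run shell untrusted": 1
      - "Write below rpm database": 1
      - "Write below etc": 1
      - "System procs network activity": 1
      - "Mkdir binary dirs": 1
      - "System user interactive": 0
      - "DB program spawned process": 1
      - "Non sudo setuid": 1
      - "Create files below dev": 1
      - "Modify binary dirs": 2
      - "Change thread namespace": 0

  # Tag selection matrix over rules/tagged_rules.yaml: `disable_tags`
  # removes rules carrying any listed tag, `run_tags` keeps only rules
  # carrying one. The expected counts are one per rule open_1..open_13.
  disabled_tags_a:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    disable_tags: [a]
    detect_counts:
      - open_1: 0
      - open_2: 1
      - open_3: 1
      - open_4: 0
      - open_5: 0
      - open_6: 1
      - open_7: 0
      - open_8: 0
      - open_9: 0
      - open_10: 0
      - open_11: 1
      - open_12: 1
      - open_13: 1

  disabled_tags_b:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    disable_tags: [b]
    detect_counts:
      - open_1: 1
      - open_2: 0
      - open_3: 1
      - open_4: 0
      - open_5: 1
      - open_6: 0
      - open_7: 0
      - open_8: 0
      - open_9: 1
      - open_10: 0
      - open_11: 1
      - open_12: 1
      - open_13: 1

  disabled_tags_c:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    disable_tags: [c]
    detect_counts:
      - open_1: 1
      - open_2: 1
      - open_3: 0
      - open_4: 1
      - open_5: 0
      - open_6: 0
      - open_7: 0
      - open_8: 1
      - open_9: 0
      - open_10: 0
      - open_11: 1
      - open_12: 1
      - open_13: 1

  disabled_tags_ab:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    disable_tags: [a, b]
    detect_counts:
      - open_1: 0
      - open_2: 0
      - open_3: 1
      - open_4: 0
      - open_5: 0
      - open_6: 0
      - open_7: 0
      - open_8: 0
      - open_9: 0
      - open_10: 0
      - open_11: 1
      - open_12: 1
      - open_13: 1

  disabled_tags_abc:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    disable_tags: [a, b, c]
    detect_counts:
      - open_1: 0
      - open_2: 0
      - open_3: 0
      - open_4: 0
      - open_5: 0
      - open_6: 0
      - open_7: 0
      - open_8: 0
      - open_9: 0
      - open_10: 0
      - open_11: 1
      - open_12: 1
      - open_13: 1

  run_tags_a:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    run_tags: [a]
    detect_counts:
      - open_1: 1
      - open_2: 0
      - open_3: 0
      - open_4: 1
      - open_5: 1
      - open_6: 0
      - open_7: 1
      - open_8: 1
      - open_9: 1
      - open_10: 1
      - open_11: 0
      - open_12: 0
      - open_13: 0

  run_tags_b:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    run_tags: [b]
    detect_counts:
      - open_1: 0
      - open_2: 1
      - open_3: 0
      - open_4: 1
      - open_5: 0
      - open_6: 1
      - open_7: 1
      - open_8: 1
      - open_9: 0
      - open_10: 1
      - open_11: 0
      - open_12: 0
      - open_13: 0

  run_tags_c:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    run_tags: [c]
    detect_counts:
      - open_1: 0
      - open_2: 0
      - open_3: 1
      - open_4: 0
      - open_5: 1
      - open_6: 1
      - open_7: 1
      - open_8: 0
      - open_9: 1
      - open_10: 1
      - open_11: 0
      - open_12: 0
      - open_13: 0

  run_tags_ab:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    run_tags: [a, b]
    detect_counts:
      - open_1: 1
      - open_2: 1
      - open_3: 0
      - open_4: 1
      - open_5: 1
      - open_6: 1
      - open_7: 1
      - open_8: 1
      - open_9: 1
      - open_10: 1
      - open_11: 0
      - open_12: 0
      - open_13: 0

  run_tags_bc:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    run_tags: [b, c]
    detect_counts:
      - open_1: 0
      - open_2: 1
      - open_3: 1
      - open_4: 1
      - open_5: 1
      - open_6: 1
      - open_7: 1
      - open_8: 1
      - open_9: 1
      - open_10: 1
      - open_11: 0
      - open_12: 0
      - open_13: 0

  run_tags_abc:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    run_tags: [a, b, c]
    detect_counts:
      - open_1: 1
      - open_2: 1
      - open_3: 1
      - open_4: 1
      - open_5: 1
      - open_6: 1
      - open_7: 1
      - open_8: 1
      - open_9: 1
      - open_10: 1
      - open_11: 0
      - open_12: 0
      - open_13: 0

  run_tags_d:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/tagged_rules.yaml
    trace_file: trace_files/open-multiple-files.scap
    run_tags: [d]
    detect_counts:
      - open_1: 0
      - open_2: 0
      - open_3: 0
      - open_4: 0
      - open_5: 0
      - open_6: 0
      - open_7: 0
      - open_8: 0
      - open_9: 0
      - open_10: 0
      - open_11: 1
      - open_12: 0
      - open_13: 0

  list_append:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/list_append.yaml
    trace_file: trace_files/cat_write.scap

  list_append_false:
    detect: false
    rules_file:
      - rules/list_append_false.yaml
    trace_file: trace_files/cat_write.scap

  macro_append:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/macro_append.yaml
    trace_file: trace_files/cat_write.scap

  macro_append_false:
    detect: false
    rules_file:
      - rules/macro_append_false.yaml
    trace_file: trace_files/cat_write.scap

  rule_append_skipped:
    detect: false
    priority: ERROR
    rules_file:
      - rules/single_rule.yaml
      - rules/append_single_rule.yaml
    trace_file: trace_files/cat_write.scap

  rule_append:
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/rule_append.yaml
    trace_file: trace_files/cat_write.scap

  rule_append_false:
    detect: false
    rules_file:
      - rules/rule_append_false.yaml
    trace_file: trace_files/cat_write.scap

  # The stdout_contains values below are regexes; the (?!...) negative
  # lookahead asserts the property is absent from the JSON line.
  json_output_no_output_property:
    json_output: true
    json_include_output_property: false
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/rule_append.yaml
    trace_file: trace_files/cat_write.scap
    stdout_contains: "^(?!.*Warning An open of /dev/null was seen.*)"

  json_output_no_tags_property:
    json_output: true
    json_include_tags_property: false
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/rule_append.yaml
    trace_file: trace_files/cat_write.scap
    stdout_contains: "^(?!.*\"tags\":[ ]*\\[.*\\],.*)"

  json_output_empty_tags_property:
    json_output: true
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/rule_append.yaml
    trace_file: trace_files/cat_write.scap
    stdout_contains: "^(.*\"tags\":[ ]*\\[\\],.*)"

  in_operator_netmasks:
    detect: true
    detect_level: INFO
    rules_file:
      - rules/detect_connect_using_in.yaml
    trace_file: trace_files/connect_localhost.scap

  syscalls:
    detect: true
    detect_level: INFO
    rules_file:
      - rules/syscalls.yaml
    rules_warning:
      - detect_madvise
    detect_counts:
      - detect_madvise: 2
      - detect_open: 2
    trace_file: trace_files/syscall.scap
    all_events: true

  catchall_order:
    detect: true
    detect_level: INFO
    rules_file:
      - rules/catchall_order.yaml
    # A single detect_counts item carrying both rule names.
    detect_counts:
      - open_dev_null: 1
        dev_null: 6
    trace_file: trace_files/cat_write.scap

  # Unknown fields: a rule may opt into being skipped (warning only) or
  # otherwise must fail to load. An unspecified policy defaults to failing.
  validate_skip_unknown_noevt:
    validate_warnings:
      - item_type: rule
        item_name: "Contains Unknown Event And Skipping"
        code: LOAD_UNKNOWN_FIELD
        message: "filter_check called with nonexistent field proc.nobody"
    validate_rules_file:
      - rules/skip_unknown_evt.yaml
    trace_file: trace_files/cat_write.scap

  detect_skip_unknown_noevt:
    detect: false
    rules_file:
      - rules/skip_unknown_evt.yaml
    trace_file: trace_files/cat_write.scap

  skip_unknown_prefix:
    detect: false
    rules_file:
      - rules/skip_unknown_prefix.yaml
    trace_file: trace_files/cat_write.scap

  skip_unknown_error:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: "Contains Unknown Event And Not Skipping"
        code: LOAD_ERR_COMPILE_CONDITION
        message: "filter_check called with nonexistent field proc.nobody"
    validate_rules_file:
      - rules/skip_unknown_error.yaml
    trace_file: trace_files/cat_write.scap

  skip_unknown_unspec_error:
    exit_status: 1
    validate_errors:
      - item_type: rule
        item_name: "Contains Unknown Event And Unspecified"
        code: LOAD_ERR_COMPILE_CONDITION
        message: "filter_check called with nonexistent field proc.nobody"
    validate_rules_file:
      - rules/skip_unknown_unspec.yaml
    trace_file: trace_files/cat_write.scap

  engine_version_mismatch:
    exit_status: 1
    validate_errors:
      - item_type: required_engine_version
        item_name: ""
        code: LOAD_ERR_VALIDATE
        message_contains: "Rules require engine version 9999999, but engine version is"
    validate_rules_file:
      - rules/engine_version_mismatch.yaml
    trace_file: trace_files/cat_write.scap

  # Syscall event drop handling: each confs/drops_*.yaml selects an action;
  # the expected stderr/stdout lines pin whether drops are reported,
  # alerted on, or make the process exit. Silently dropped events are a
  # detection gap, so the "none"/"ignore" cases check the absence of
  # output as carefully as the others check its presence.
  monitor_syscall_drops_none:
    exit_status: 0
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_none.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_not_contains:
      - "event drop detected: 9 occurrences"
      - "num times actions taken: 9"
      - "Falco internal: syscall event drop"
    stdout_not_contains:
      - "Falco internal: syscall event drop"

  monitor_syscall_drops_ignore:
    exit_status: 0
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_ignore.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_contains:
      - "event drop detected: 9 occurrences"
      - "num times actions taken: 9"
    stderr_not_contains:
      - "Falco internal: syscall event drop"
    stdout_not_contains:
      - "Falco internal: syscall event drop"

  monitor_syscall_drops_ignore_and_log:
    exit_status: 1
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_ignore_log.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_not_contains:
      - "event drop detected: 9 occurrences"
      - "num times actions taken: 9"
      - "Falco internal: syscall event drop"
    stdout_not_contains:
      - "Falco internal: syscall event drop"
    stderr_contains:
      - "syscall event drop action \"log\" does not make sense with the \"ignore\" action"

  monitor_syscall_drops_threshold_oor:
    exit_status: 1
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_threshold_oor.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_not_contains:
      - "event drop detected: 9 occurrences"
      - "num times actions taken: 9"
      - "Falco internal: syscall event drop"
    stdout_not_contains:
      - "Falco internal: syscall event drop"
    stderr_contains:
      - "syscall event drops threshold must be a double in the range"

  monitor_syscall_drops_threshold_neg:
    exit_status: 1
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_threshold_neg.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_not_contains:
      - "event drop detected: 9 occurrences"
      - "num times actions taken: 9"
      - "Falco internal: syscall event drop"
    stdout_not_contains:
      - "Falco internal: syscall event drop"
    stderr_contains:
      - "syscall event drops threshold must be a double in the range"

  monitor_syscall_drops_log:
    exit_status: 0
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_log.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_contains:
      - "event drop detected: 9 occurrences"
      - "num times actions taken: 9"
      - "Falco internal: syscall event drop"
    stdout_not_contains:
      - "Falco internal: syscall event drop"

  monitor_syscall_drops_alert:
    exit_status: 0
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_alert.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_contains:
      - "event drop detected: 9 occurrences"
      - "num times actions taken: 9"
    stderr_not_contains:
      - "Falco internal: syscall event drop"
    stdout_contains:
      - "Falco internal: syscall event drop"

  monitor_syscall_drops_exit:
    exit_status: 1
    rules_file:
      - rules/single_rule.yaml
    conf_file: confs/drops_exit.yaml
    trace_file: trace_files/ping_sendto.scap
    stderr_contains:
      - "event drop detected: 1 occurrences"
      - "num times actions taken: 1"
      - "Falco internal: syscall event drop"
      - "Exiting."
    stdout_not_contains:
      - "Falco internal: syscall event drop"

  # Both expected strings are regexes, hence the escaped '+' in the offset.
  time_iso_8601:
    time_iso_8601: true
    detect: true
    detect_level: WARNING
    rules_file:
      - rules/single_rule.yaml
    trace_file: trace_files/cat_write.scap
    stdout_contains: "2016-08-04T16:17:57.882054739\\+0000: Warning An open was seen"
    stderr_contains: "^\\d\\d\\d\\d-\\d\\d-\\d\\dT\\d\\d:\\d\\d:\\d\\d\\+0000"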