mirror of
https://github.com/falcosecurity/falco.git
synced 2025-07-08 20:23:32 +00:00
88 lines
2.9 KiB
C++
88 lines
2.9 KiB
C++
#include "test_falco_engine.h"
|
|
|
|
test_falco_engine::test_falco_engine() {
|
|
// create a falco engine ready to load the ruleset
|
|
m_filter_factory = std::make_shared<sinsp_filter_factory>(&m_inspector, m_filterlist);
|
|
m_formatter_factory = std::make_shared<sinsp_evt_formatter_factory>(&m_inspector, m_filterlist);
|
|
m_engine = std::make_shared<falco_engine>();
|
|
m_engine->add_source(m_sample_source, m_filter_factory, m_formatter_factory);
|
|
}
|
|
|
|
bool test_falco_engine::load_rules(const std::string& rules_content,
|
|
const std::string& rules_filename) {
|
|
bool ret = false;
|
|
falco::load_result::rules_contents_t rc = {{rules_filename, rules_content}};
|
|
m_load_result = m_engine->load_rules(rules_content, rules_filename);
|
|
m_load_result_string = m_load_result->as_string(true, rc);
|
|
m_load_result_json = m_load_result->as_json(rc);
|
|
ret = m_load_result->successful();
|
|
|
|
if(ret) {
|
|
m_engine->enable_rule("", true, m_sample_ruleset);
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
// This must be kept in line with the (private) falco_engine::s_default_ruleset
|
|
uint64_t test_falco_engine::num_rules_for_ruleset(const std::string& ruleset) {
|
|
return m_engine->num_rules_for_ruleset(ruleset);
|
|
}
|
|
|
|
bool test_falco_engine::has_warnings() const {
|
|
return m_load_result->has_warnings();
|
|
}
|
|
|
|
bool test_falco_engine::check_warning_message(const std::string& warning_msg) const {
|
|
if(!m_load_result->has_warnings()) {
|
|
return false;
|
|
}
|
|
|
|
for(const auto& warn : m_load_result_json["warnings"]) {
|
|
std::string msg = warn["message"];
|
|
// Debug:
|
|
// printf("msg: %s\n", msg.c_str());
|
|
if(msg.find(warning_msg) != std::string::npos) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
bool test_falco_engine::check_error_message(const std::string& error_msg) const {
|
|
// if the loading is successful there are no errors
|
|
if(m_load_result->successful()) {
|
|
return false;
|
|
}
|
|
|
|
for(const auto& err : m_load_result_json["errors"]) {
|
|
std::string msg = err["message"];
|
|
// Debug:
|
|
// printf("msg: %s\n", msg.c_str());
|
|
if(msg.find(error_msg) != std::string::npos) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
std::string test_falco_engine::get_compiled_rule_condition(std::string rule_name) const {
|
|
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
|
return rule_description["rules"][0]["details"]["condition_compiled"]
|
|
.template get<std::string>();
|
|
}
|
|
|
|
std::string test_falco_engine::get_compiled_rule_output(std::string rule_name) const {
|
|
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
|
return rule_description["rules"][0]["details"]["output_compiled"].template get<std::string>();
|
|
}
|
|
|
|
std::unordered_map<std::string, std::string> test_falco_engine::get_compiled_rule_formatted_fields(
|
|
std::string rule_name) const {
|
|
auto rule_description = m_engine->describe_rule(&rule_name, {});
|
|
return rule_description["rules"][0]["details"]["extra_output_formatted_fields"]
|
|
.template get<std::unordered_map<std::string, std::string>>();
|
|
}
|