falco/test/falco_tests_plugins.yaml

#
# Copyright (C) 2021 The Falco Authors.
#
# This file is part of Falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

trace_files: !mux

  list_plugins:
    check_detection_counts: False
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml
    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
    addl_cmdline_opts: --list-plugins
    stdout_contains: "2 Plugins Loaded.*Name: cloudtrail.*Name: json.*"

  list_plugin_fields:
    check_detection_counts: False
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml
    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
    addl_cmdline_opts: --list
    stdout_contains: "ct.id"

  detect_create_instance:
    enable_source: aws_cloudtrail
    detect: True
    detect_level: INFO
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml
    detect_counts:
      - 'Cloudtrail Create Instance': 1
    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml

  detect_create_instance_bigevent:
    enable_source: aws_cloudtrail
    detect: True
    detect_level: INFO
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml
    detect_counts:
      - 'Cloudtrail Create Instance': 1
    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances_bigevent.yaml

  incompatible_extract_sources:
    exit_status: 1
    stderr_contains: "Plugin '.*' has field extraction capability but is not compatible with any known event source"
    conf_file: BUILD_DIR/test/confs/plugins/incompatible_extract_sources.yaml
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml

  overlap_extract_sources:
    exit_status: 1
    stderr_contains: "Plugin '.*' supports extraction of field 'test.field' that is overlapping for source 'test_source'"
    conf_file: BUILD_DIR/test/confs/plugins/overlap_extract_sources.yaml
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml

  incompat_plugin_api:
    exit_status: 1
    stderr_contains: "plugin required API version '10000000.0.0' not compatible with the framework's API version '.*'"
    conf_file: BUILD_DIR/test/confs/plugins/incompatible_plugin_api.yaml
    rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml

  incompat_plugin_rules_version:
    exit_status: 1
    stderr_contains: "Plugin 'cloudtrail' version '.*' is not compatible with required plugin version '100000.0.0'"
    conf_file: BUILD_DIR/test/confs/plugins/cloudtrail_json_create_instances.yaml
    rules_file:
      - rules/plugins/cloudtrail_incompat_plugin_version.yaml

  wrong_plugin_path:
    exit_status: 1
    stderr_contains: "cannot load plugin.*No such file or directory"
    conf_file: BUILD_DIR/test/confs/plugins/wrong_plugin_path.yaml
    rules_file:
      - rules/plugins/cloudtrail_incompat_plugin_version.yaml

  no_plugins_unknown_source:
    exit_status: 0
    validate_warnings:
      - item_type: rule
        item_name: Cloudtrail Create Instance
        code: LOAD_UNKNOWN_SOURCE
        message: "Unknown source aws_cloudtrail, skipping"
    validate_rules_file:
      - rules/plugins/cloudtrail_create_instances.yaml

  no_plugins_unknown_source_rule_exception:
    exit_status: 0
    validate_warnings:
      - item_type: rule
        item_name: Cloudtrail Create Instance
        code: LOAD_UNKNOWN_SOURCE
        message: "Unknown source aws_cloudtrail, skipping"
    validate_rules_file:
      - rules/plugins/cloudtrail_create_instances_exceptions.yaml