The default falco ruleset now has a wider variety of priorities, so adjust the automated tests to match: - Instead of creating a generic test yaml entry for every trace file in traces-{positive,negative,info} with assumptions about detect levels, add a new falco_traces.yaml.in multiplex file that carries specific information about the detect priorities and per-rule detect counts for each trace file. - If a given trace file doesn't have a corresponding entry in falco_traces.yaml.in, a generic entry is added with a simple detect: (True|False) value and level. That way you get specific detect levels/counts for existing trace files, but if you forget to add a trace to falco_traces.yaml.in you still get some coverage. - Nothing is appended to falco_tests.yaml.in any longer, so rename it to falco_tests.yaml. - Avocado is now run twice, once on each yaml file. The final test passes only if both avocado runs pass.
# Avocado multiplex file for the falco trace-file tests.
#
# Two !mux axes are defined here: `has_json_output` (run with and without
# JSON output) and `traces` (one entry per recorded .scap file).  Each
# trace entry names the file under traces-positive/ or traces-info/,
# whether falco is expected to fire at all (`detect`), the priority or
# priorities the expected alerts carry (`detect_level`), and the exact
# number of times each rule is expected to fire (`detect_counts`).
#
# The counts are deliberately exact: a ruleset change that adds or drops
# an alert for one of these traces fails the test instead of passing
# silently.  Trace files with no entry here still get a generic
# detect/level-only entry from the build, so a missing entry lowers
# coverage but does not remove it.
#
# NOTE(review): `yes` / `no` below are plain scalars.  A YAML 1.1 loader
# (PyYAML's default) types them as booleans unless the consumer maps keys
# back to strings; if variant names ever show up as True/False, quote
# them ('yes' / 'no').
has_json_output: !mux
  yes:
    json_output: true
  no:
    json_output: false

traces: !mux
  change-thread-namespace:
    trace_file: traces-positive/change-thread-namespace.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'Change thread namespace': 2

  container-privileged:
    trace_file: traces-positive/container-privileged.scap
    detect: true
    detect_level: INFO
    detect_counts:
      - 'File Open by Privileged Container': 19

  container-sensitive-mount:
    trace_file: traces-positive/container-sensitive-mount.scap
    detect: true
    detect_level: INFO
    detect_counts:
      - 'Sensitive Mount by Container': 19

  create-files-below-dev:
    trace_file: traces-positive/create-files-below-dev.scap
    detect: true
    detect_level: ERROR
    detect_counts:
      - 'Create files below dev': 1

  db-program-spawned-process:
    trace_file: traces-positive/db-program-spawned-process.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'DB program spawned process': 1

  # One trace that exercises many rules at once; the expected priorities
  # are therefore a list rather than a single value.
  falco-event-generator:
    trace_file: traces-positive/falco-event-generator.scap
    detect: true
    detect_level:
      - ERROR
      - WARNING
      - INFO
      - NOTICE
    detect_counts:
      - 'Write below binary dir': 1
      - 'Read sensitive file untrusted': 3
      - 'Run shell in container': 1
      - 'Write below rpm database': 1
      - 'Write below etc': 1
      - 'System procs network activity': 1
      - 'Mkdir binary dirs': 1
      - 'System user interactive': 1
      - 'DB program spawned process': 1
      - 'Non sudo setuid': 1
      - 'Create files below dev': 1
      - 'Modify binary dirs': 2
      - 'Change thread namespace': 2

  # Installer-related traces live under traces-info/ and are expected at
  # INFO (or a mix of NOTICE and INFO where the same recording also trips
  # the non-https rule).
  installer-fbash-manages-service:
    trace_file: traces-info/installer-fbash-manages-service.scap
    detect: true
    detect_level: INFO
    detect_counts:
      - 'Installer bash manages service': 4

  installer-bash-non-https-connection:
    trace_file: traces-positive/installer-bash-non-https-connection.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'Installer bash non https connection': 1

  installer-fbash-runs-pkgmgmt:
    trace_file: traces-info/installer-fbash-runs-pkgmgmt.scap
    detect: true
    detect_level:
      - NOTICE
      - INFO
    detect_counts:
      - 'Installer bash runs pkgmgmt program': 4
      - 'Installer bash non https connection': 4

  # The two traces below also carry plain-HTTP connections, so the
  # non-https rule is counted alongside the rule the trace is named for.
  installer-bash-starts-network-server:
    trace_file: traces-positive/installer-bash-starts-network-server.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'Installer bash starts network server': 2
      - 'Installer bash non https connection': 3

  installer-bash-starts-session:
    trace_file: traces-positive/installer-bash-starts-session.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'Installer bash starts session': 1
      - 'Installer bash non https connection': 3

  mkdir-binary-dirs:
    trace_file: traces-positive/mkdir-binary-dirs.scap
    detect: true
    detect_level: ERROR
    detect_counts:
      - 'Mkdir binary dirs': 1

  modify-binary-dirs:
    trace_file: traces-positive/modify-binary-dirs.scap
    detect: true
    detect_level: ERROR
    detect_counts:
      - 'Modify binary dirs': 1

  modify-package-repo-list-installer:
    trace_file: traces-info/modify-package-repo-list-installer.scap
    detect: true
    detect_level: INFO
    detect_counts:
      - 'Write below etc in installer': 1

  non-sudo-setuid:
    trace_file: traces-positive/non-sudo-setuid.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'Non sudo setuid': 1

  # Both sensitive-file traces are expected to trip the same rule exactly
  # once; they differ only in the recording used.
  read-sensitive-file-after-startup:
    trace_file: traces-positive/read-sensitive-file-after-startup.scap
    detect: true
    detect_level: WARNING
    detect_counts:
      - 'Read sensitive file untrusted': 1

  read-sensitive-file-untrusted:
    trace_file: traces-positive/read-sensitive-file-untrusted.scap
    detect: true
    detect_level: WARNING
    detect_counts:
      - 'Read sensitive file untrusted': 1

  # NOTE(review): DEBUG is the lowest priority expected anywhere in this
  # file.  If the harness ever applies a minimum-priority filter, it must
  # stay at or below DEBUG or this entry will report zero detections.
  run-shell-untrusted:
    trace_file: traces-positive/run-shell-untrusted.scap
    detect: true
    detect_level: DEBUG
    detect_counts:
      - 'Run shell untrusted': 1

  shell-in-container:
    trace_file: traces-positive/shell-in-container.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'Run shell in container': 1

  system-binaries-network-activity:
    trace_file: traces-positive/system-binaries-network-activity.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'System procs network activity': 1

  system-user-interactive:
    trace_file: traces-positive/system-user-interactive.scap
    detect: true
    detect_level: INFO
    detect_counts:
      - 'System user interactive': 1

  user-mgmt-binaries:
    trace_file: traces-positive/user-mgmt-binaries.scap
    detect: true
    detect_level: NOTICE
    detect_counts:
      - 'User mgmt binaries': 1

  write-binary-dir:
    trace_file: traces-positive/write-binary-dir.scap
    detect: true
    detect_level: ERROR
    detect_counts:
      - 'Write below binary dir': 4

  write-etc:
    trace_file: traces-positive/write-etc.scap
    detect: true
    detect_level: ERROR
    detect_counts:
      - 'Write below etc': 1

  write-etc-installer:
    trace_file: traces-info/write-etc-installer.scap
    detect: true
    detect_level: INFO
    detect_counts:
      - 'Write below etc in installer': 1

  write-rpm-database:
    trace_file: traces-positive/write-rpm-database.scap
    detect: true
    detect_level: ERROR
    detect_counts:
      - 'Write below rpm database': 1