mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Add new unit tests to check that list substitution is working as expected, with test cases for the list substitution occurring at the beginning, middle, and end of a condition. Also add tests that verify that overrides on list/macro/rule names always occur in order.
11 lines
272 B
YAML
- list: cat_binaries
  items: [cat]

- macro: is_cat
  condition: proc.name in (ls, cat_binaries)

- rule: open_from_cat
  desc: A process named cat does an open
  condition: evt.type=open and is_cat
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING
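
The following is an added example, not code from the Falco repository: a small Python model of what this fixture exercises, expanding a list name at the beginning, middle or end of a condition and letting a later definition of the same name override an earlier one. The names `RULES`, `sub_ident` and `expand`, the whole-identifier matching and the parenthesised macro expansion are assumptions of this model, not Falco's implementation.

```python
import re

# Constructed data: the parsed form of the YAML file above (desc/output/priority omitted).
RULES = [
    {"list": "cat_binaries", "items": ["cat"]},
    {"macro": "is_cat", "condition": "proc.name in (ls, cat_binaries)"},
    {"rule": "open_from_cat", "condition": "evt.type=open and is_cat"},
]

def sub_ident(name, replacement, text):
    # Replace `name` only where it stands as a whole identifier, so it is found
    # at the beginning, middle or end of a condition but never inside a longer
    # name such as my_cat_binaries or a field such as proc.name.
    pattern = r"(?<![\w.])" + re.escape(name) + r"(?![\w.])"
    return re.sub(pattern, lambda _m: replacement, text)

def expand(objects):
    """Return {rule name: condition with macros and lists expanded}."""
    lists, macros, rules = {}, {}, {}
    for obj in objects:  # file order: a later definition replaces an earlier one
        if "list" in obj:
            lists[obj["list"]] = obj["items"]
        elif "macro" in obj:
            macros[obj["macro"]] = obj["condition"]
        elif "rule" in obj:
            rules[obj["rule"]] = obj["condition"]

    def resolve(cond):
        # One level of macro expansion (macros that use other macros are not handled);
        # parentheses keep the macro's precedence inside the rule (assumption).
        for name, body in macros.items():
            cond = sub_ident(name, "(" + body + ")", cond)
        for name, items in lists.items():
            cond = sub_ident(name, ", ".join(items), cond)
        return cond

    return {name: resolve(cond) for name, cond in rules.items()}

if __name__ == "__main__":
    for rule, cond in expand(RULES).items():
        print(rule, "->", cond)
```
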