mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Add a test that specifically tests truncated outputs. A rule contains an output field %fd.cport which has no value for an open event. Ensure that the rule's output has <NA> for the cport and the remainder of the rule's output is filled in.
5 lines
196 B
YAML
- rule: open_from_cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=cat
  output: "An open was seen (cport=%fd.cport command=%proc.cmdline)"
  priority: WARNING
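The behaviour this test checks, modelled as an added Python example that is not Falco's own output-formatting code: `render_output` is a hypothetical simplified renderer that substitutes `%field` tokens from a constructed event field map and writes `<NA>` for a field the event does not define, leaving the rest of the line filled in. The event field maps are constructed sample data.

```python
import re
from typing import Dict, Optional

# The output template from the rule on this page.
RULE_OUTPUT = "An open was seen (cport=%fd.cport command=%proc.cmdline)"

# A field token is '%' followed by a dotted identifier such as fd.cport.
FIELD_TOKEN = re.compile(r"%([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+)")


def render_output(template: str, fields: Dict[str, Optional[str]]) -> str:
    """Fill every %field token from `fields`.

    A field that has no value for this event (missing or None) renders as
    <NA>; the remaining tokens are still substituted, so the output is never
    truncated at the first undefined field.
    """
    def substitute(match: re.Match) -> str:
        value = fields.get(match.group(1))
        return "<NA>" if value is None else value

    return FIELD_TOKEN.sub(substitute, template)


def open_event_fields() -> Dict[str, Optional[str]]:
    # Constructed open event: the fd is a file, so fd.cport has no value.
    return {
        "evt.type": "open",
        "proc.name": "cat",
        "proc.cmdline": "cat /etc/hosts",
        "fd.cport": None,
    }


def socket_event_fields() -> Dict[str, Optional[str]]:
    # Constructed socket event where fd.cport is defined, for contrast.
    return {
        "evt.type": "connect",
        "proc.name": "curl",
        "proc.cmdline": "curl https://example.com",
        "fd.cport": "54321",
    }


if __name__ == "__main__":
    print(render_output(RULE_OUTPUT, open_event_fields()))
    print(render_output(RULE_OUTPUT, socket_event_fields()))
```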