mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Add the ability to check falco's return code with exit_status and to generally match stderr with stderr_contains in a test. Use those to create a test that has an invalid output expression using %not_a_real_field. It expects falco to exit with 1 and the output to contain a message about the invalid output.
5 lines
170 B
YAML
- rule: rule_with_invalid_output
  desc: A rule with an invalid output field
  condition: evt.type=open
  output: "An open was seen %not_a_real_field"
  priority: WARNING