mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Add the ability to append to rules/macros, like we already do with lists.

For rules/macros, if the object has an append: true key, the condition value is appended to the condition of an existing rule/macro with the same name. Like lists, it's an error to specify append: true without there being an existing rule/macro.

Also add tests that test the same kind of things we did for lists:

- That append: true really does append
- That append: false overwrites the rule/macro
- That it's an error to append with a prior rule/macro existing.
12 lines
289 B
YAML
- macro: my_macro
  condition: proc.name=not-cat

- macro: my_macro
  append: true
  condition: or proc.name=cat

- rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and my_macro
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING
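The fixture above exercises the append semantics described in the commit message: the second `my_macro` object carries `append: true`, so its condition is tacked onto the first one and the rule ends up evaluating `proc.name=not-cat or proc.name=cat`. The following Python is an added illustration of those semantics and is not Falco's own loader (which at the time of this commit was implemented in Lua). It assumes the flat `- key: value` subset of YAML used by the fixture, parses it with a small hand-written reader so it runs without PyYAML, and joins appended conditions with a single space; the function names `parse_items` and `load` are this example's own. It also covers the two other cases the commit lists for lists: `append: false` replacing the earlier definition, and `append: true` with no prior definition being rejected.

```python
"""Falco-style `append` semantics for macros and rules (added example).

Assumptions: rule files are the flat `- key: value` form shown in the
fixture (no nested structures, one value per line), and an appended
condition is concatenated onto the existing one with a single space.
"""

# Constructed copy of the fixture from this page.
FIXTURE = """\
- macro: my_macro
  condition: proc.name=not-cat

- macro: my_macro
  append: true
  condition: or proc.name=cat

- rule: Open From Cat
  desc: A process named cat does an open
  condition: evt.type=open and my_macro
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING
"""


def parse_items(text):
    """Parse the flat `- key: value` list form into a list of dicts.

    A line starting with "- " begins a new object; a line indented by two
    spaces adds a key to the current object.  Double-quoted values are
    unquoted and the bare words true/false become booleans.
    """
    items = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("- "):
            items.append({})
            line = line[2:]
        elif line.startswith("  ") and items:
            line = line[2:]
        else:
            raise ValueError("unexpected line: %r" % raw)
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("missing ':' in line: %r" % raw)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if value in ("true", "false"):
            value = value == "true"
        items[-1][key.strip()] = value
    return items


def load(items):
    """Merge macro/rule objects, honouring the `append` key.

    append: true  -> the new condition is appended to the existing object's
                     condition; an error if no object of that name exists yet.
    append absent or false -> the new object replaces any earlier one.
    Returns (macros, rules), each a dict keyed by name.
    """
    macros, rules = {}, {}
    for item in items:
        if "macro" in item:
            table, name = macros, item["macro"]
        elif "rule" in item:
            table, name = rules, item["rule"]
        elif "list" in item:
            continue  # list handling is out of scope for this example
        else:
            raise ValueError("object is neither macro nor rule: %r" % item)

        if item.get("append"):
            if name not in table:
                raise ValueError(
                    "append: true on %r but no prior definition exists" % name)
            table[name]["condition"] += " " + item["condition"]
        else:
            table[name] = {k: v for k, v in item.items() if k != "append"}
    return macros, rules


if __name__ == "__main__":
    macros, rules = load(parse_items(FIXTURE))
    print("my_macro condition:", macros["my_macro"]["condition"])
    print("rule condition:    ", rules["Open From Cat"]["condition"])
```

Running the file prints the merged macro condition `proc.name=not-cat or proc.name=cat`, which is what the `Open From Cat` rule will expand to. Replacing `append: true` with `append: false` in the fixture makes the second object overwrite the first (condition `or proc.name=cat`, which would no longer be a valid condition on its own), and a lone object with `append: true` raises `ValueError` from `load`.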