mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
New tests that test every possible override:

- Overriding a rule with one that doesn't match
- Overriding a macro to one that doesn't match
- Overriding a top level list to a binary that doesn't match
- Overriding an embedded list to one that doesn't match

In each case, the override results in no longer matching an open by the program "cat".
5 lines
184 B
YAML
```yaml
- rule: open_from_cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=not-cat
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING
```
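As an added illustration, not one of Falco's own test files, the four override kinds the commit message lists written out against one set of base definitions; the base rule, macro and lists (`cat_binaries`, `open_binaries`, `open_by_cat`) are assumed here, only the rule override above comes from this page:

```yaml
# Added example (not from the falco repository). Base definitions are assumed.

# Embedded list: cat_binaries is referenced from open_binaries.
- list: cat_binaries
  items: [cat]

- list: open_binaries
  items: [cat_binaries, bash]

- macro: open_by_cat
  condition: evt.type=open and proc.name in (open_binaries)

- rule: open_from_cat
  desc: A process named cat does an open
  condition: open_by_cat
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING

# Overrides. A later definition with the same name replaces the earlier one
# (no "append: true"), so each block below on its own is enough to stop the
# rule from firing when "cat" opens a file. They are combined here only to
# show all four forms side by side.

# 1. Rule override: the condition now requires a name cat never has.
- rule: open_from_cat
  desc: A process named cat does an open
  condition: evt.type=open and proc.name=not-cat
  output: "An open was seen (command=%proc.cmdline)"
  priority: WARNING

# 2. Macro override: the macro the rule expands to no longer matches cat.
- macro: open_by_cat
  condition: evt.type=open and proc.name=not-cat

# 3. Top-level list override: the list used by the macro is replaced outright.
- list: open_binaries
  items: [not-cat]

# 4. Embedded list override: only the inner list changes, but open_binaries
#    expands through it, so cat is no longer a member.
- list: cat_binaries
  items: [not-cat]
```

To check a single override in isolation, keep the base definitions and exactly one of the four override blocks in the loaded rules file; the rule should stop matching `cat` in each case.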