mirror of
https://github.com/falcosecurity/falco.git
synced 2026-04-26 10:33:02 +00:00
Add test that cover reading from multiple sets of rule files and
disabling rules. Specific changes:
- Modify falco to allow multiple -r arguments to read from multiple
files.
- In the test multiplex file, add a disabled_rules attribute,
containing a sequence of rules to disable. Results in -D arguments
when running falco.
- In the test multiplex file, 'rules_file' can be a sequence. It
results in multiple -r arguments when running falco.
- In the test multiplex file, 'detect_level' can be a sequence of
multiple severity levels. All levels will be checked for in the
output.
- Move all test rules files to a rules subdirectory and all trace files
to a traces subdirectory.
- Add a small trace file for a simple cat of /dev/null. Used by the
new tests.
- Add the following new tests:
  - Reading from multiple files, with the first file being
    empty. Ensure that the rules from the second file are properly
    loaded.
  - Reading from multiple files with the last being empty. Ensures
    that the empty file doesn't overwrite anything from the first
    file.
  - Reading from multiple files with varying severity levels for each
    rule. Ensures that both files are properly read.
  - Disabling rules from a rules file, both with full rule names
    and regexes. Will result in not detecting anything.
13 lines
424 B
YAML
# This ruleset depends on the is_cat macro defined in single_rule.yaml

- rule: exec_from_cat
  desc: A process named cat does execve
  condition: evt.type=execve and is_cat
  output: "An exec was seen (command=%proc.cmdline)"
  priority: ERROR

- rule: access_from_cat
  desc: A process named cat does an access
  condition: evt.type=access and is_cat
  output: "An access was seen (command=%proc.cmdline)"
  priority: INFO
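The commit message describes three behaviours the new tests rely on: rules accumulate across several -r files (so an empty first or last file neither hides nor overwrites anything), -D patterns disable rules by full name or regex, and multiplex attributes such as rules_file, disabled_rules and detect_level may be scalars or sequences. The following Python model, added here as an illustration and not falco's own loader (which is not reproduced), walks through all three using the two-rule file shown above. The single_rule.yaml stand-in, the file paths and the output lines are constructed; the assumption that a -D pattern is a regex searched anywhere in the rule name is a modelling choice, not a statement about falco's matching.

```python
"""Model of the multi-file rule loading, -D rule disabling and multiplex
entry handling that the commit's tests exercise. Added illustration for this
page; falco's real loader is not reproduced here.
"""
import re
from typing import Any, Dict, List, Sequence, Tuple, Union

Entry = Dict[str, Any]       # one already-parsed YAML mapping
RuleFile = List[Entry]       # one already-parsed rules file

# Constructed stand-ins for the test rule files. The real single_rule.yaml is
# not shown on the page; only the is_cat macro it must define is known.
EMPTY_RULES: RuleFile = []
SINGLE_RULE: RuleFile = [
    {"macro": "is_cat", "condition": "proc.name=cat"},
]
# The two-rule file shown on this page.
CAT_RULES: RuleFile = [
    {"rule": "exec_from_cat", "desc": "A process named cat does execve",
     "condition": "evt.type=execve and is_cat",
     "output": "An exec was seen (command=%proc.cmdline)", "priority": "ERROR"},
    {"rule": "access_from_cat", "desc": "A process named cat does an access",
     "condition": "evt.type=access and is_cat",
     "output": "An access was seen (command=%proc.cmdline)", "priority": "INFO"},
]


def load_rule_files(files: Sequence[RuleFile]) -> Tuple[Dict[str, str], List[Entry]]:
    """Accumulate macros and rules across files in -r order.

    Each file only appends, so an empty file anywhere in the sequence neither
    hides rules from later files nor overwrites earlier ones. That is what the
    'first file empty' and 'last file empty' tests check.
    """
    macros: Dict[str, str] = {}
    rules: List[Entry] = []
    for rule_file in files:
        for entry in rule_file:
            if "macro" in entry:
                macros[str(entry["macro"])] = str(entry["condition"])
            elif "rule" in entry:
                rules.append(entry)
    return macros, rules


def disable_rules(rules: List[Entry], patterns: Sequence[str]) -> List[Entry]:
    """Drop every rule whose name matches any -D pattern.

    Assumption of this model: a pattern is a regex searched anywhere in the
    rule name, so a full name ('exec_from_cat') and a regex ('access_.*')
    both disable rules.
    """
    compiled = [re.compile(p) for p in patterns]
    return [r for r in rules
            if not any(c.search(str(r["rule"])) for c in compiled)]


def as_list(value: Union[str, Sequence[str], None]) -> List[str]:
    """Multiplex attributes may be a scalar or a sequence; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def falco_args(test: Dict[str, Any]) -> List[str]:
    """Build falco arguments for one multiplex entry: one -r per rules_file
    item and one -D per disabled_rules item (paths here are constructed)."""
    args: List[str] = []
    for path in as_list(test.get("rules_file")):
        args += ["-r", path]
    for pattern in as_list(test.get("disabled_rules")):
        args += ["-D", pattern]
    return args


def all_levels_seen(test: Dict[str, Any], output_lines: Sequence[str]) -> bool:
    """True when every detect_level (scalar or sequence) appears in the output."""
    return all(any(level in line for line in output_lines)
               for level in as_list(test.get("detect_level")))


if __name__ == "__main__":
    # Constructed multiplex entry mirroring the 'disable by name and regex' test.
    test = {"rules_file": ["rules/single_rule.yaml", "rules/double_rule.yaml"],
            "disabled_rules": ["exec_from_cat", "access_.*"],
            "detect_level": ["ERROR", "INFO"]}
    print(falco_args(test))
    _, rules = load_rule_files([SINGLE_RULE, CAT_RULES])
    print([r["rule"] for r in disable_rules(rules, test["disabled_rules"])])
```

Running the module prints the -r/-D argument list for the constructed entry and an empty list of surviving rules, which is why that test expects nothing to be detected; the other three test scenarios are the different file orderings passed to load_rule_files.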