falco/test/rules/list_append.yaml at e1293a7eca604ddec6ea30dcd97ecb15bac41df8 - falco - Gitea: Git with a cup of tea at home

github/falco

mirror of https://github.com/falcosecurity/falco.git synced 2026-04-26 10:33:02 +00:00

Files

Mark Stemm 0bc2d4f162 Automated tests for list append.

Test the case of appending to a list and appending to a nonexistent
list (should error).

2017-08-10 09:36:31 -07:00

12 lines

272 B

YAML

Raw Blame History

 - list: my_list
   items: [not-cat]
 - list: my_list
   append: true
   items: [cat]
 - rule: Open From Cat
   desc: A process named cat does an open
   condition: evt.type=open and proc.name in (my_list)
   output: "An open was seen (command=%proc.cmdline)"
   priority: WARNING