mirror of
https://github.com/falcosecurity/falco.git
synced 2025-10-21 19:44:57 +00:00
Add a test that specifically tests truncated outputs. A rule contains an output field %fd.cport which has no value for an open event. Ensure that the rule's output has <NA> for the cport and the remainder of the rule's output is filled in.
184 lines
5.1 KiB
YAML
184 lines
5.1 KiB
YAML
trace_files: !mux
|
|
builtin_rules_no_warnings:
|
|
detect: False
|
|
trace_file: trace_files/empty.scap
|
|
rules_warning: False
|
|
|
|
test_warnings:
|
|
detect: False
|
|
trace_file: trace_files/empty.scap
|
|
rules_file: rules/falco_rules_warnings.yaml
|
|
rules_warning:
|
|
- no_evttype
|
|
- evttype_not_equals
|
|
- leading_not
|
|
- not_equals_at_end
|
|
- not_at_end
|
|
- not_before_trailing_evttype
|
|
- not_equals_before_trailing_evttype
|
|
- not_equals_and_not
|
|
- not_equals_before_in
|
|
- not_before_in
|
|
- not_in_before_in
|
|
- leading_in_not_equals_before_evttype
|
|
- leading_in_not_equals_at_evttype
|
|
- not_with_evttypes
|
|
- not_with_evttypes_addl
|
|
- not_equals_before_evttype
|
|
- not_equals_before_in_evttype
|
|
- not_before_evttype
|
|
- not_before_evttype_using_in
|
|
rules_events:
|
|
- no_warnings: [execve]
|
|
- no_evttype: [all]
|
|
- evttype_not_equals: [all]
|
|
- leading_not: [all]
|
|
- not_equals_after_evttype: [execve]
|
|
- not_after_evttype: [execve]
|
|
- leading_trailing_evttypes: [execve,open]
|
|
- leading_multtrailing_evttypes: [connect,execve,open]
|
|
- leading_multtrailing_evttypes_using_in: [connect,execve,open]
|
|
- not_equals_at_end: [all]
|
|
- not_at_end: [all]
|
|
- not_before_trailing_evttype: [all]
|
|
- not_equals_before_trailing_evttype: [all]
|
|
- not_equals_and_not: [all]
|
|
- not_equals_before_in: [all]
|
|
- not_before_in: [all]
|
|
- not_in_before_in: [all]
|
|
- evttype_in: [execve,open]
|
|
- evttype_in_plus_trailing: [connect,execve,open]
|
|
- leading_in_not_equals_before_evttype: [all]
|
|
- leading_in_not_equals_at_evttype: [all]
|
|
- not_with_evttypes: [all]
|
|
- not_with_evttypes_addl: [all]
|
|
- not_equals_before_evttype: [all]
|
|
- not_equals_before_in_evttype: [all]
|
|
- not_before_evttype: [all]
|
|
- not_before_evttype_using_in: [all]
|
|
- repeated_evttypes: [open]
|
|
- repeated_evttypes_with_in: [open]
|
|
- repeated_evttypes_with_separate_in: [open]
|
|
- repeated_evttypes_with_mix: [open]
|
|
|
|
rule_names_with_spaces:
|
|
detect: True
|
|
detect_level: WARNING
|
|
rules_file:
|
|
- rules/rule_names_with_spaces.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
multiple_rules_first_empty:
|
|
detect: True
|
|
detect_level: WARNING
|
|
rules_file:
|
|
- rules/empty_rules.yaml
|
|
- rules/single_rule.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
multiple_rules_last_empty:
|
|
detect: True
|
|
detect_level: WARNING
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
- rules/empty_rules.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
multiple_rules:
|
|
detect: True
|
|
detect_level:
|
|
- WARNING
|
|
- INFO
|
|
- ERROR
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
- rules/double_rule.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
multiple_rules_overriding:
|
|
detect: False
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
- rules/override_rule.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
macro_overriding:
|
|
detect: False
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
- rules/override_macro.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
list_overriding:
|
|
detect: False
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
- rules/override_list.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
nested_list_overriding:
|
|
detect: False
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
- rules/override_nested_list.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
invalid_rule_output:
|
|
exit_status: 1
|
|
stderr_contains: "Runtime error: Error loading rules:.* Invalid output format 'An open was seen %not_a_real_field': 'invalid formatting token not_a_real_field'. Exiting."
|
|
rules_file:
|
|
- rules/invalid_rule_output.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
disabled_rules:
|
|
detect: False
|
|
rules_file:
|
|
- rules/empty_rules.yaml
|
|
- rules/single_rule.yaml
|
|
disabled_rules:
|
|
- open_from_cat
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
disabled_rules_using_regex:
|
|
detect: False
|
|
rules_file:
|
|
- rules/empty_rules.yaml
|
|
- rules/single_rule.yaml
|
|
disabled_rules:
|
|
- "open.*"
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
disabled_rules_using_enabled_flag:
|
|
detect: False
|
|
rules_file:
|
|
- rules/single_rule_enabled_flag.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
|
|
null_output_field:
|
|
detect: True
|
|
detect_level: WARNING
|
|
rules_file:
|
|
- rules/null_output_field.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
stdout_contains: "Warning An open was seen .cport=<NA> command=cat /dev/null."
|
|
|
|
file_output:
|
|
detect: True
|
|
detect_level: WARNING
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
conf_file: confs/file_output.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
outputs:
|
|
- /tmp/falco_outputs/file_output.txt: Warning An open was seen
|
|
|
|
program_output:
|
|
detect: True
|
|
detect_level: WARNING
|
|
rules_file:
|
|
- rules/single_rule.yaml
|
|
conf_file: confs/program_output.yaml
|
|
trace_file: trace_files/cat_write.scap
|
|
outputs:
|
|
- /tmp/falco_outputs/program_output.txt: Warning An open was seen
|