Add tests that cover reading from multiple sets of rule files and disabling rules. Specific changes: - Modify falco to allow multiple -r arguments to read from multiple files. - In the test multiplex file, add a disabled_rules attribute, containing a sequence of rules to disable. Results in -D arguments when running falco. - In the test multiplex file, 'rules_file' can be a sequence. It results in multiple -r arguments when running falco. - In the test multiplex file, 'detect_level' can be a sequence of multiple severity levels. All levels will be checked for in the output. - Move all test rules files to a rules subdirectory and all trace files to a traces subdirectory. - Add a small trace file for a simple cat of /dev/null. Used by the new tests. - Add the following new tests: - Reading from multiple files, with the first file being empty. Ensure that the rules from the second file are properly loaded. - Reading from multiple files with the last being empty. Ensures that the empty file doesn't overwrite anything from the first file. - Reading from multiple files with varying severity levels for each rule. Ensures that both files are properly read. - Disabling rules from a rules file, both with full rule names and regexes. Will result in not detecting anything.
# Rules fixture exercising the ways an event-type check (evt.type) can be
# placed inside a condition: alone, combined with a proc.name check, negated
# with `not` or `!=`, written as `evt.type in (...)`, or repeated.
#
# Every rule carries the same placeholder output ("None") and priority
# (WARNING); only `condition` (and the matching `rule` name / `desc`) differs
# between entries, so the rule name is the identifier a test would look up.
# The rules are listed in a fixed order; keep that order, since rule files are
# loaded sequentially.
#
# NOTE(review): this looks like a loader-test fixture — several descs speak of
# "warnings" and of negation "not affecting results" — presumably checking
# which condition shapes leave the rule's event-type set unconstrained.
# Confirm against the tests that reference this file before relying on that.

- rule: no_warnings
  desc: Rule with no warnings
  condition: evt.type=execve
  output: "None"
  priority: WARNING

- rule: no_evttype
  desc: No evttype at all
  condition: proc.name=foo
  output: "None"
  priority: WARNING

- rule: evttype_not_equals
  desc: Using != for event type
  condition: evt.type!=execve
  output: "None"
  priority: WARNING

- rule: leading_not
  desc: condition starts with not
  condition: not evt.type=execve
  output: "None"
  priority: WARNING

- rule: not_equals_after_evttype
  desc: != after evt.type, not affecting results
  condition: evt.type=execve and proc.name!=foo
  output: "None"
  priority: WARNING

- rule: not_after_evttype
  desc: not operator after evt.type, not affecting results
  condition: evt.type=execve and not proc.name=foo
  output: "None"
  priority: WARNING

- rule: leading_trailing_evttypes
  desc: evttype at beginning and end
  condition: evt.type=execve and proc.name=foo or evt.type=open
  output: "None"
  priority: WARNING

- rule: leading_multtrailing_evttypes
  desc: one evttype at beginning, multiple at end
  condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type=connect
  output: "None"
  priority: WARNING

- rule: leading_multtrailing_evttypes_using_in
  desc: one evttype at beginning, multiple at end, using in
  condition: evt.type=execve and proc.name=foo or evt.type in (open, connect)
  output: "None"
  priority: WARNING

- rule: not_equals_at_end
  desc: not_equals at final evttype
  condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type!=connect
  output: "None"
  priority: WARNING

- rule: not_at_end
  desc: not operator for final evttype
  condition: evt.type=execve and proc.name=foo or evt.type=open or not evt.type=connect
  output: "None"
  priority: WARNING

- rule: not_before_trailing_evttype
  desc: a not before a trailing event type
  condition: evt.type=execve and not proc.name=foo or evt.type=open
  output: "None"
  priority: WARNING

- rule: not_equals_before_trailing_evttype
  desc: a != before a trailing event type
  condition: evt.type=execve and proc.name!=foo or evt.type=open
  output: "None"
  priority: WARNING

- rule: not_equals_and_not
  desc: both != and not before event types
  condition: evt.type=execve and proc.name!=foo or evt.type=open or not evt.type=connect
  output: "None"
  priority: WARNING

- rule: not_equals_before_in
  desc: != before an in with event types
  condition: evt.type=execve and proc.name!=foo or evt.type in (open, connect)
  output: "None"
  priority: WARNING

- rule: not_before_in
  desc: a not before an in with event types
  condition: evt.type=execve and not proc.name=foo or evt.type in (open, connect)
  output: "None"
  priority: WARNING

- rule: not_in_before_in
  desc: a not with in before an in with event types
  condition: evt.type=execve and not proc.name in (foo, bar) or evt.type in (open, connect)
  output: "None"
  priority: WARNING

- rule: evttype_in
  desc: using in for event types
  condition: evt.type in (execve, open)
  output: "None"
  priority: WARNING

- rule: evttype_in_plus_trailing
  desc: using in for event types and a trailing evttype
  condition: evt.type in (execve, open) and proc.name=foo or evt.type=connect
  output: "None"
  priority: WARNING

- rule: leading_in_not_equals_before_evttype
  desc: initial in() for event types, then a != before an additional event type
  condition: evt.type in (execve, open) and proc.name!=foo or evt.type=connect
  output: "None"
  priority: WARNING

- rule: leading_in_not_equals_at_evttype
  desc: initial in() for event types, then a != with an additional event type
  condition: evt.type in (execve, open) or evt.type!=connect
  output: "None"
  priority: WARNING

- rule: not_with_evttypes
  desc: not in for event types
  condition: not evt.type in (execve, open)
  output: "None"
  priority: WARNING

- rule: not_with_evttypes_addl
  desc: not in for event types, and an additional event type
  condition: not evt.type in (execve, open) or evt.type=connect
  output: "None"
  priority: WARNING

- rule: not_equals_before_evttype
  desc: != before any event type
  condition: proc.name!=foo and evt.type=execve
  output: "None"
  priority: WARNING

- rule: not_equals_before_in_evttype
  desc: != before any event type using in
  condition: proc.name!=foo and evt.type in (execve, open)
  output: "None"
  priority: WARNING

- rule: not_before_evttype
  desc: not operator before any event type
  condition: not proc.name=foo and evt.type=execve
  output: "None"
  priority: WARNING

- rule: not_before_evttype_using_in
  desc: not operator before any event type using in
  condition: not proc.name=foo and evt.type in (execve, open)
  output: "None"
  priority: WARNING

# The remaining entries repeat the same event type within one condition,
# directly, inside a single in(), across separate in() lists, and mixed.
- rule: repeated_evttypes
  desc: event types appearing multiple times
  condition: evt.type=open or evt.type=open
  output: "None"
  priority: WARNING

- rule: repeated_evttypes_with_in
  desc: event types appearing multiple times with in
  condition: evt.type in (open, open)
  output: "None"
  priority: WARNING

- rule: repeated_evttypes_with_separate_in
  desc: event types appearing multiple times with separate ins
  condition: evt.type in (open) or evt.type in (open, open)
  output: "None"
  priority: WARNING

- rule: repeated_evttypes_with_mix
  desc: event types appearing multiple times with mix of = and in
  condition: evt.type=open or evt.type in (open, open)
  output: "None"
  priority: WARNING