update(tests/falco): cover new skip-if-unknown-filter semantics #22

Merged
merged 1 commit into from
Aug 31, 2023
40 changes: 37 additions & 3 deletions tests/data/rules/falco.go
Expand Up @@ -1163,24 +1163,58 @@ var SingleRuleWithTags = run.NewStringFileAccessor(
var SkipUnknownError = run.NewStringFileAccessor(
"skip_unknown_error.yaml",
`
- rule: Contains Unknown Event And Not Skipping
- rule: Contains Unknown Event And Not Skipping (field)
desc: Contains an unknown event
condition: proc.nobody=cat
condition: evt.type=open and proc.nobody=cat
output: Never
skip-if-unknown-filter: false
priority: INFO
- rule: Contains Unknown Event And Not Skipping (evt type)
desc: Contains an unknown event
condition: evt.type=some_invalid_event
output: Never
skip-if-unknown-filter: false
priority: INFO
- rule: Contains Unknown Event And Not Skipping (output)
desc: Contains an unknown event
condition: evt.type=open
output: proc.nobody=%proc.nobody
skip-if-unknown-filter: false
priority: INFO
`,
)

var SkipUnknownEvt = run.NewStringFileAccessor(
"skip_unknown_evt.yaml",
`
- rule: Contains Unknown Event And Skipping
- rule: Contains Unknown Event And Skipping (field)
desc: Contains an unknown event
condition: evt.type=open and proc.nobody=cat
output: Never
skip-if-unknown-filter: true
priority: INFO
- rule: Contains Unknown Event And Skipping (evt type)
desc: Contains an unknown event
condition: evt.type=some_invalid_event
output: Never
skip-if-unknown-filter: true
priority: INFO
- rule: Contains Unknown Event And Skipping (output)
desc: Contains an unknown event
condition: evt.type=open
output: proc.nobody=%proc.nobody
skip-if-unknown-filter: true
priority: INFO
- rule: Legit Rule (output)
desc: A legit rule
condition: evt.type=open
output: Never
priority: INFO
`,
)

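--- a/tests/falco/legacy_test.go
+++ b/tests/falco/legacy_test.go
@@ -272,9 +272,12 @@ func TestFalco_Legacy_DetectSkipUnknownNoevt(t *testing.T) {
 checkDefaultConfig(t)
 res := falco.Test(
 tests.NewFalcoExecutableRunner(t),
+falco.WithOutputJSON(),
 falco.WithRules(rules.SkipUnknownEvt),
 falco.WithCaptureFile(captures.CatWrite),
 )
+assert.Equal(t, 8, res.Detections().Count())
+assert.NotZero(t, res.Detections().OfPriority("INFO").Count())
 assert.NoError(t, res.Err(), "%s", res.Stderr())
 assert.Equal(t, 0, res.ExitCode())
 }
@@ -317,10 +320,11 @@ func TestFalco_Legacy_SkipUnknownError(t *testing.T) {
 falco.WithOutputJSON(),
 falco.WithRulesValidation(rules.SkipUnknownError),
 )
+assert.Equal(t, 1, res.RuleValidation().AllErrors().Count())
 assert.NotNil(t, res.RuleValidation().AllErrors().
 OfCode("LOAD_ERR_COMPILE_CONDITION").
 OfItemType("rule").
-OfItemName("Contains Unknown Event And Not Skipping").
+OfItemName("Contains Unknown Event And Not Skipping (field)").
 OfMessage("filter_check called with nonexistent field proc.nobody"))
 assert.Error(t, res.Err(), "%s", res.Stderr())
 assert.Equal(t, 1, res.ExitCode())
@@ -1657,11 +1661,19 @@ func TestFalco_Legacy_ValidateSkipUnknownNoevt(t *testing.T) {
 falco.WithOutputJSON(),
 falco.WithRulesValidation(rules.SkipUnknownEvt),
 )
-assert.NotNil(t, res.RuleValidation().AllWarnings().
-OfCode("LOAD_UNKNOWN_FIELD").
-OfItemType("rule").
-OfItemName("Contains Unknown Event And Skipping").
-OfMessage("filter_check called with nonexistent field proc.nobody"))
+assert.Equal(t, 3, res.RuleValidation().AllWarnings().Count())
+ruleWarnings := res.RuleValidation().AllWarnings().
+OfCode("LOAD_UNKNOWN_FILTER").
+OfItemType("rule")
+assert.NotNil(t, ruleWarnings.
+OfItemName("Contains Unknown Event And Skipping (field)").
+OfMessage("filter_check called with nonexistent field proc.nobody"), res.Stderr())
+assert.NotNil(t, ruleWarnings.
+OfItemName("Contains Unknown Event And Skipping (evt type)").
+OfMessage("unknown event type some_invalid_event"), res.Stderr())
+assert.NotNil(t, ruleWarnings.
+OfItemName("Contains Unknown Event And Skipping (output)").
+OfMessage("invalid formatting token proc.nobody"), res.Stderr())
 assert.NoError(t, res.Err(), "%s", res.Stderr())
 assert.Equal(t, 0, res.ExitCode())
 }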
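Review bot: The three `assert.NotNil` checks on `ruleWarnings.OfItemName(...).OfMessage(...)` in the TestFalco_Legacy_ValidateSkipUnknownNoevt hunk only fail if the filter chain yields a nil value; if the filter helpers return an empty but non-nil collection when nothing matches (their definition is not in this diff), a renamed rule or a changed warning message would pass unnoticed, and the aggregate `assert.Equal(t, 3, ...AllWarnings().Count())` would catch a count drift but not a wrong pairing of rule name and message. Asserting the count of each filtered result is robust either way, e.g. `assert.Equal(t, 1, ruleWarnings.OfItemName("Contains Unknown Event And Skipping (field)").OfMessage("filter_check called with nonexistent field proc.nobody").Count(), res.Stderr())`, applied to all three warnings. The same concern applies to the `assert.NotNil` kept in TestFalco_Legacy_SkipUnknownError, although the new `AllErrors().Count()` check there narrows it to a single error so the item-name and message filters are the only unverified part. All three test functions begin on their `@@` header line, outside the hunk lines shown.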