Update automated tests to handle new priority lvls
The default falco ruleset now has a wider variety of priorities, so adjust the automated tests to match: - Instead of creating a generic test yaml entry for every trace file in traces-{positive,negative,info} with assumptions about detect levels, add a new falco_traces.yaml.in multiplex file that has specific information about the detect priorities and rule detect counts for each trace file. - If a given trace file doesn't have a corresponding entry in falco_traces.yaml.in, a generic entry is added with a simple detect: (True|False) value and level. That way you can get specific detect levels/counts for existing trace files, but if you forget to add a trace to falco_traces.yaml.in, you'll still get some coverage. - falco_tests.yaml.in is no longer appended to, so rename it to falco_tests.yaml. - Avocado is now run twice--once on each yaml file. The final test passes if both avocado runs pass.
Showing
3 changed files
with
234 additions
and
29 deletions.
File renamed without changes.
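--- /dev/null
+++ b/falco_traces.yaml.in
@@ -0,0 +1,203 @@
+has_json_output: !mux
+  yes:
+    json_output: True
+  no:
+    json_output: False
+
+traces: !mux
+  change-thread-namespace:
+    trace_file: traces-positive/change-thread-namespace.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Change thread namespace": 2
+
+  container-privileged:
+    trace_file: traces-positive/container-privileged.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "File Open by Privileged Container": 19
+
+  container-sensitive-mount:
+    trace_file: traces-positive/container-sensitive-mount.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "Sensitive Mount by Container": 19
+
+  create-files-below-dev:
+    trace_file: traces-positive/create-files-below-dev.scap
+    detect: True
+    detect_level: ERROR
+    detect_counts:
+      - "Create files below dev": 1
+
+  db-program-spawned-process:
+    trace_file: traces-positive/db-program-spawned-process.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "DB program spawned process": 1
+
+  falco-event-generator:
+    trace_file: traces-positive/falco-event-generator.scap
+    detect: True
+    detect_level: [ERROR, WARNING, INFO, NOTICE]
+    detect_counts:
+      - "Write below binary dir": 1
+      - "Read sensitive file untrusted": 3
+      - "Run shell in container": 1
+      - "Write below rpm database": 1
+      - "Write below etc": 1
+      - "System procs network activity": 1
+      - "Mkdir binary dirs": 1
+      - "System user interactive": 1
+      - "DB program spawned process": 1
+      - "Non sudo setuid": 1
+      - "Create files below dev": 1
+      - "Modify binary dirs": 2
+      - "Change thread namespace": 2
+
+  installer-fbash-manages-service:
+    trace_file: traces-info/installer-fbash-manages-service.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "Installer bash manages service": 4
+
+  installer-bash-non-https-connection:
+    trace_file: traces-positive/installer-bash-non-https-connection.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Installer bash non https connection": 1
+
+  installer-fbash-runs-pkgmgmt:
+    trace_file: traces-info/installer-fbash-runs-pkgmgmt.scap
+    detect: True
+    detect_level: [NOTICE, INFO]
+    detect_counts:
+      - "Installer bash runs pkgmgmt program": 4
+      - "Installer bash non https connection": 4
+
+  installer-bash-starts-network-server:
+    trace_file: traces-positive/installer-bash-starts-network-server.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Installer bash starts network server": 2
+      - "Installer bash non https connection": 3
+
+  installer-bash-starts-session:
+    trace_file: traces-positive/installer-bash-starts-session.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Installer bash starts session": 1
+      - "Installer bash non https connection": 3
+
+  mkdir-binary-dirs:
+    trace_file: traces-positive/mkdir-binary-dirs.scap
+    detect: True
+    detect_level: ERROR
+    detect_counts:
+      - "Mkdir binary dirs": 1
+
+  modify-binary-dirs:
+    trace_file: traces-positive/modify-binary-dirs.scap
+    detect: True
+    detect_level: ERROR
+    detect_counts:
+      - "Modify binary dirs": 1
+
+  modify-package-repo-list-installer:
+    trace_file: traces-info/modify-package-repo-list-installer.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "Write below etc in installer": 1
+
+  non-sudo-setuid:
+    trace_file: traces-positive/non-sudo-setuid.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Non sudo setuid": 1
+
+  read-sensitive-file-after-startup:
+    trace_file: traces-positive/read-sensitive-file-after-startup.scap
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "Read sensitive file untrusted": 1
+
+  read-sensitive-file-untrusted:
+    trace_file: traces-positive/read-sensitive-file-untrusted.scap
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "Read sensitive file untrusted": 1
+
+  run-shell-untrusted:
+    trace_file: traces-positive/run-shell-untrusted.scap
+    detect: True
+    detect_level: DEBUG
+    detect_counts:
+      - "Run shell untrusted": 1
+
+  shell-in-container:
+    trace_file: traces-positive/shell-in-container.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "Run shell in container": 1
+
+  system-binaries-network-activity:
+    trace_file: traces-positive/system-binaries-network-activity.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "System procs network activity": 1
+
+  system-user-interactive:
+    trace_file: traces-positive/system-user-interactive.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "System user interactive": 1
+
+  user-mgmt-binaries:
+    trace_file: traces-positive/user-mgmt-binaries.scap
+    detect: True
+    detect_level: NOTICE
+    detect_counts:
+      - "User mgmt binaries": 1
+
+  write-binary-dir:
+    trace_file: traces-positive/write-binary-dir.scap
+    detect: True
+    detect_level: ERROR
+    detect_counts:
+      - "Write below binary dir": 4
+
+  write-etc:
+    trace_file: traces-positive/write-etc.scap
+    detect: True
+    detect_level: ERROR
+    detect_counts:
+      - "Write below etc": 1
+
+  write-etc-installer:
+    trace_file: traces-info/write-etc-installer.scap
+    detect: True
+    detect_level: INFO
+    detect_counts:
+      - "Write below etc in installer": 1
+
+  write-rpm-database:
+    trace_file: traces-positive/write-rpm-database.scap
+    detect: True
+    detect_level: ERROR
+    detect_counts:
+      - "Write below rpm database": 1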
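Review bot: The schema of each entry under `traces` is undocumented, and the new file leaves two semantics ambiguous: whether `detect_counts` are exact counts or lower bounds, and what `detect_level` means when a trace fires several rules — `installer-fbash-runs-pkgmgmt` lists two rules with `detect_level: [NOTICE, INFO]`, while `installer-bash-starts-session` lists two rules with the scalar `detect_level: NOTICE`, presumably because both rules there share that priority, but nothing on the page confirms how the harness compares a scalar against multiple events. A header comment along the lines of `# detect_level: priority (or list of priorities) every matched event must carry; detect_counts: exact per-rule event counts, so a changed count flags a rule regression` would make future entries unambiguous, and always writing `detect_level` as a list would keep the harness from needing two code paths. The `read-sensitive-file-after-startup` entry expecting "Read sensitive file untrusted" rather than an after-startup rule looks deliberate but deserves a one-line comment saying so. The file is new, so the whole hunk is visible.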