Add test for preserving rule order

Test the fix for #354. A rules file has a event-specific rule first and a catchall rule second. Without the changes in draios/sysdig#1103, the first rule does not match the event.
falcosecurity · Apr 19, 2018 · 65cd607 · 65cd607
1 parent 6398687
commit 65cd607
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
@@ -699,3 +699,13 @@ trace_files: !mux
       - detect_madvise: 2
       - detect_open: 2
     trace_file: trace_files/syscall.scap
+
+  catchall_order:
+    detect: True
+    detect_level: INFO
+    rules_file:
+      - rules/catchall_order.yaml
+    detect_counts:
+      - open_dev_null: 1
+        dev_null: 0
+    trace_file: trace_files/cat_write.scap
diff --git a/test/rules/catchall_order.yaml b/test/rules/catchall_order.yaml
@@ -0,0 +1,12 @@
+- rule: open_dev_null
+  desc: Any open of the file /dev/null
+  condition: evt.type=open and fd.name=/dev/null
+  output: An open of /dev/null was seen (command=%proc.cmdline evt=%evt.type %evt.args)
+  priority: INFO
+
+- rule: dev_null
+  desc: Anything related to /dev/null
+  condition: fd.name=/dev/null
+  output: Something related to /dev/null was seen (command=%proc.cmdline evt=%evt.type %evt.args)
+  priority: INFO
+  warn_evttypes: false