@@ -1222,3 +1222,66 @@ TEST_F(test_falco_engine, exceptions_fields_transformer_space_quoted) {
12221222 EXPECT_EQ (get_compiled_rule_condition (" test_rule"
12231223 " (evt.type = open and not tolower(proc.name) = test)"
12241224}
1225+
1226+ TEST_F (test_falco_engine, redefine_rule_different_source) {
1227+ auto rules_content = R"END(
1228+ - rule: LD_PRELOAD trick
1229+ desc: Some desc
1230+ condition: ka.verb = GET
1231+ output: some output
1232+ priority: INFO
1233+ source: k8s_audit
1234+
1235+ - rule: LD_PRELOAD trick
1236+ desc: Some desc
1237+ condition: and 1 = 2
1238+ output: Some output
1239+ priority: INFO
1240+ source: syscall
1241+ )END"
1242+
1243+ ASSERT_FALSE (load_rules (rules_content, " rules.yaml"
1244+ ASSERT_TRUE (check_error_message (" Rule has been re-defined with a different source"
1245+ }
1246+
1247+ TEST_F (test_falco_engine, append_across_sources) {
1248+ auto rules_content = R"END(
1249+ - rule: LD_PRELOAD trick
1250+ desc: Some desc
1251+ condition: ka.verb = GET
1252+ output: some output
1253+ priority: INFO
1254+ source: k8s_audit
1255+
1256+ - rule: LD_PRELOAD trick
1257+ desc: Some desc
1258+ condition: and 1 = 2
1259+ output: Some output
1260+ priority: INFO
1261+ source: syscall
1262+ append: true
1263+ )END"
1264+
1265+ ASSERT_FALSE (load_rules (rules_content, " rules.yaml"
1266+ ASSERT_TRUE (check_error_message (" Rule has been re-defined with a different source"
1267+ }
1268+
1269+ TEST_F (test_falco_engine, selective_replace_across_sources) {
1270+ auto rules_content = R"END(
1271+ - rule: LD_PRELOAD trick
1272+ desc: Some desc
1273+ condition: ka.verb = GET
1274+ output: some output
1275+ priority: INFO
1276+ source: k8s_audit
1277+
1278+ - rule: LD_PRELOAD trick
1279+ condition: 1 = 2
1280+ override:
1281+ condition: replace
1282+ source: syscall
1283+ )END"
1284+
1285+ ASSERT_FALSE (load_rules (rules_content, " rules.yaml"
1286+ ASSERT_TRUE (check_error_message (" Rule has been re-defined with a different source"
1287+ }
0 commit comments