RubyGems - tcell_agent - Versions diffs - 0.2.29 → 0.4.0 - Mend

tcell_agent 0.2.29 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (100) hide show

checksums.yaml +4 -4
data/Readme.txt +7 -0
data/bin/tcell_agent +9 -0
data/lib/tcell_agent/agent/policy_manager.rb +3 -0
data/lib/tcell_agent/agent/policy_types.rb +4 -1
data/lib/tcell_agent/appsensor/injections_matcher.rb +20 -0
data/lib/tcell_agent/appsensor/injections_reporter.rb +15 -56
data/lib/tcell_agent/appsensor/meta_data.rb +56 -2
data/lib/tcell_agent/appsensor/rules/baserules.json +371 -138
data/lib/tcell_agent/cmdi.rb +113 -0
data/lib/tcell_agent/config/unknown_options.rb +2 -0
data/lib/tcell_agent/configuration.rb +30 -16
data/lib/tcell_agent/hooks/login_fraud.rb +79 -0
data/lib/tcell_agent/instrumentation.rb +6 -11
data/lib/tcell_agent/patches/meta_data.rb +14 -11
data/lib/tcell_agent/policies/appsensor/injection_sensor.rb +5 -9
data/lib/tcell_agent/policies/appsensor_policy.rb +22 -206
data/lib/tcell_agent/policies/clickjacking_policy.rb +4 -2
data/lib/tcell_agent/policies/command_injection_policy.rb +196 -0
data/lib/tcell_agent/policies/content_security_policy.rb +3 -2
data/lib/tcell_agent/policies/dataloss_policy.rb +3 -1
data/lib/tcell_agent/policies/honeytokens_policy.rb +3 -1
data/lib/tcell_agent/policies/http_redirect_policy.rb +51 -37
data/lib/tcell_agent/policies/http_tx_policy.rb +5 -1
data/lib/tcell_agent/policies/login_fraud_policy.rb +6 -1
data/lib/tcell_agent/policies/patches_policy.rb +3 -1
data/lib/tcell_agent/policies/policy.rb +10 -0
data/lib/tcell_agent/policies/secure_headers_policy.rb +5 -2
data/lib/tcell_agent/rails/auth/devise.rb +12 -23
data/lib/tcell_agent/rails/csrf_exception.rb +1 -1
data/lib/tcell_agent/rails/dlp.rb +50 -54
data/lib/tcell_agent/rails/middleware/body_filter_middleware.rb +0 -1
data/lib/tcell_agent/rails/middleware/context_middleware.rb +0 -1
data/lib/tcell_agent/rails/middleware/global_middleware.rb +0 -1
data/lib/tcell_agent/rails/middleware/headers_middleware.rb +7 -10
data/lib/tcell_agent/rails/on_start.rb +0 -1
data/lib/tcell_agent/rails/tcell_body_proxy.rb +4 -4
data/lib/tcell_agent/rails.rb +0 -2
data/lib/tcell_agent/rust/libtcellagent-0.6.1.dylib +0 -0
data/lib/tcell_agent/rust/libtcellagent-0.6.1.so +0 -0
data/lib/tcell_agent/rust/models.rb +61 -0
data/lib/tcell_agent/rust/tcellagent-0.6.1.dll +0 -0
data/lib/tcell_agent/rust/whisperer.rb +112 -0
data/lib/tcell_agent/sensor_events/appsensor_event.rb +25 -21
data/lib/tcell_agent/sensor_events/appsensor_meta_event.rb +31 -24
data/lib/tcell_agent/sensor_events/command_injection.rb +58 -0
data/lib/tcell_agent/sensor_events/discovery.rb +1 -1
data/lib/tcell_agent/sensor_events/login_fraud.rb +3 -13
data/lib/tcell_agent/sensor_events/sensor.rb +81 -77
data/lib/tcell_agent/sensor_events/util/sanitizer_utilities.rb +8 -0
data/lib/tcell_agent/start_background_thread.rb +12 -3
data/lib/tcell_agent/utils/io.rb +4 -1
data/lib/tcell_agent/utils/params.rb +1 -0
data/lib/tcell_agent/version.rb +1 -1
data/lib/tcell_agent.rb +0 -1
data/spec/lib/tcell_agent/appsensor/injections_matcher_spec.rb +27 -9
data/spec/lib/tcell_agent/appsensor/injections_reporter_spec.rb +143 -193
data/spec/lib/tcell_agent/appsensor/meta_data_spec.rb +67 -0
data/spec/lib/tcell_agent/appsensor/rules/appsensor_rule_manager_spec.rb +0 -10
data/spec/lib/tcell_agent/cmdi_spec.rb +748 -0
data/spec/lib/tcell_agent/config/unknown_options_spec.rb +8 -0
data/spec/lib/tcell_agent/configuration_spec.rb +138 -6
data/spec/lib/tcell_agent/hooks/login_fraud_spec.rb +357 -0
data/spec/lib/tcell_agent/patches/block_rule_spec.rb +70 -87
data/spec/lib/tcell_agent/patches_spec.rb +9 -4
data/spec/lib/tcell_agent/policies/appsensor/xss_sensor_spec.rb +186 -9
data/spec/lib/tcell_agent/policies/appsensor_policy_spec.rb +309 -484
data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb +736 -0
data/spec/lib/tcell_agent/policies/http_redirect_policy_spec.rb +222 -41
data/spec/lib/tcell_agent/policies/patches_policy_spec.rb +56 -32
data/spec/lib/tcell_agent/rails/middleware/appsensor_middleware_spec.rb +161 -85
data/spec/lib/tcell_agent/rails/middleware/tcell_body_proxy_spec.rb +40 -72
data/spec/lib/tcell_agent/rust/whisperer_spec.rb +267 -0
data/spec/lib/tcell_agent/sensor_events/appsensor_meta_event_spec.rb +20 -15
data/spec/spec_helper.rb +0 -9
data/tcell_agent.gemspec +8 -3
metadata +40 -39
data/lib/tcell_agent/appsensor/sensor.rb +0 -52
data/lib/tcell_agent/policies/appsensor/database_sensor.rb +0 -56
data/lib/tcell_agent/policies/appsensor/misc_sensor.rb +0 -59
data/lib/tcell_agent/policies/appsensor/payloads_policy.rb +0 -150
data/lib/tcell_agent/policies/appsensor/request_size_sensor.rb +0 -25
data/lib/tcell_agent/policies/appsensor/response_codes_sensor.rb +0 -73
data/lib/tcell_agent/policies/appsensor/response_size_sensor.rb +0 -25
data/lib/tcell_agent/policies/appsensor/size_sensor.rb +0 -71
data/lib/tcell_agent/policies/appsensor/user_agent_sensor.rb +0 -47
data/lib/tcell_agent/rails/auth/hooks.rb +0 -79
data/lib/tcell_agent/sensor_events/util/redirect_utils.rb +0 -22
data/spec/lib/tcell_agent/policies/appsensor/database_sensor_spec.rb +0 -165
data/spec/lib/tcell_agent/policies/appsensor/misc_sensor_spec.rb +0 -429
data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_apply_spec.rb +0 -466
data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_from_json_spec.rb +0 -890
data/spec/lib/tcell_agent/policies/appsensor/payloads_policy_log_spec.rb +0 -417
data/spec/lib/tcell_agent/policies/appsensor/request_size_sensor_spec.rb +0 -236
data/spec/lib/tcell_agent/policies/appsensor/response_codes_sensor_spec.rb +0 -297
data/spec/lib/tcell_agent/policies/appsensor/response_size_sensor_spec.rb +0 -241
data/spec/lib/tcell_agent/policies/appsensor/user_agent_sensor_spec.rb +0 -172
data/spec/lib/tcell_agent/rails/auth/hooks_spec.rb +0 -246
data/spec/lib/tcell_agent/sensor_events/util/redirect_utils_spec.rb +0 -25
data/spec/support/resources/baserules.json +0 -155

data/spec/lib/tcell_agent/policies/command_injection_policy_spec.rb ADDED Viewed

@@ -0,0 +1,736 @@
+require 'spec_helper'
+module TCellAgent
+  module Policies
+    describe CommandInjectionPolicy do
+      describe "#from_json" do
+        context "with a nil policy" do
+          it "should return nil" do
+            expect(CommandInjectionPolicy.from_json(nil)).to be_nil
+          end
+        end
+        context "with an empty policy" do
+          it "should raise a policy missing error" do
+            expect {
+              CommandInjectionPolicy.from_json({})
+            }.to raise_error(RuntimeError)
+          end
+        end
+        context "with an empty version" do
+          it "should have empty version" do
+            cmdi = CommandInjectionPolicy.from_json({ "policy_id" => "policy_id" })
+            expect(cmdi.policy_id).to eq("policy_id")
+            expect(cmdi.version).to be_nil
+            expect(cmdi.enabled).to eq(false)
+            expect(cmdi.overall_action).to be_nil
+            expect(cmdi.compound_statement_rule).to be_nil
+            expect(cmdi.command_rules).to eq({})
+            expect(cmdi.collect_full_commandline).to eq(false)
+          end
+        end
+        context "with no data" do
+          it "should have disabled ip blocking" do
+            cmdi = CommandInjectionPolicy.from_json({
+              "policy_id" => "policy_id",
+              "version" => 1
+            })
+            expect(cmdi.policy_id).to eq("policy_id")
+            expect(cmdi.version).to eq(1)
+            expect(cmdi.enabled).to eq(false)
+            expect(cmdi.overall_action).to be_nil
+            expect(cmdi.compound_statement_rule).to be_nil
+            expect(cmdi.command_rules).to eq({})
+            expect(cmdi.collect_full_commandline).to eq(false)
+          end
+        end
+        context "with empty data" do
+          it "should have default values" do
+            cmdi = CommandInjectionPolicy.from_json({
+              "policy_id" => "policy_id",
+              "version" => 1,
+              "data" => {}
+            })
+            expect(cmdi.policy_id).to eq("policy_id")
+            expect(cmdi.version).to eq(1)
+            expect(cmdi.enabled).to eq(false)
+            expect(cmdi.overall_action).to be_nil
+            expect(cmdi.compound_statement_rule).to be_nil
+            expect(cmdi.command_rules).to eq({})
+            expect(cmdi.collect_full_commandline).to eq(false)
+          end
+        end
+        context "with empty command rules" do
+          it "should have default values" do
+            cmdi = CommandInjectionPolicy.from_json({
+              "policy_id" => "policy_id",
+              "version" => 1,
+              "data" => {
+                "command_rules" => []
+              }
+            })
+            expect(cmdi.policy_id).to eq("policy_id")
+            expect(cmdi.version).to eq(1)
+            expect(cmdi.enabled).to eq(false)
+            expect(cmdi.overall_action).to be_nil
+            expect(cmdi.compound_statement_rule).to be_nil
+            expect(cmdi.command_rules).to eq({})
+            expect(cmdi.collect_full_commandline).to eq(false)
+          end
+        end
+        context "with empty compount statement rules" do
+          it "should have default values" do
+            cmdi = CommandInjectionPolicy.from_json({
+              "policy_id" => "policy_id",
+              "version" => 1,
+              "data" => {
+                "compound_statement_rules" => []
+              }
+            })
+            expect(cmdi.policy_id).to eq("policy_id")
+            expect(cmdi.version).to eq(1)
+            expect(cmdi.enabled).to eq(false)
+            expect(cmdi.overall_action).to be_nil
+            expect(cmdi.compound_statement_rule).to be_nil
+            expect(cmdi.command_rules).to eq({})
+            expect(cmdi.collect_full_commandline).to eq(false)
+          end
+        end
+        context "with populated command rules" do
+          it "should have default values" do
+            cmdi = CommandInjectionPolicy.from_json({
+              "policy_id" => "policy_id",
+              "version" => 1,
+              "data" => {
+                "command_rules" => [
+                  {"rule_id" => "1", "action" => "block"},
+                  {"rule_id" => "2", "command" => "nc", "action" => "ignore"}
+                ]
+              }
+            })
+            expect(cmdi.policy_id).to eq("policy_id")
+            expect(cmdi.version).to eq(1)
+            expect(cmdi.enabled).to eq(true)
+            expect(cmdi.overall_action).to_not be_nil
+            expect(cmdi.overall_action.rule_id).to eq("1")
+            expect(cmdi.overall_action.action).to eq(CommandRule::BLOCK)
+            expect(cmdi.overall_action.command).to be_nil
+            expect(cmdi.command_rules.size).to eq(1)
+            expect(cmdi.command_rules["nc"]).to_not be_nil
+            expect(cmdi.command_rules["nc"].rule_id).to eq("2")
+            expect(cmdi.command_rules["nc"].action).to eq(CommandRule::IGNORE)
+            expect(cmdi.command_rules["nc"].command).to eq("nc")
+            expect(cmdi.compound_statement_rule).to be_nil
+            expect(cmdi.collect_full_commandline).to eq(false)
+          end
+        end
+        context "with populated compound statement rules" do
+          it "should have default values" do
+            cmdi = CommandInjectionPolicy.from_json({
+              "policy_id" => "policy_id",
+              "version" => 1,
+              "data" => {
+                "compound_statement_rules" => [
+                  {"rule_id" => "3", "action" => "block"}
+                ]
+              }
+            })
+            expect(cmdi.policy_id).to eq("policy_id")
+            expect(cmdi.version).to eq(1)
+            expect(cmdi.enabled).to eq(true)
+            expect(cmdi.overall_action).to be_nil
+            expect(cmdi.command_rules).to eq({})
+            expect(cmdi.compound_statement_rule).to_not be_nil
+            expect(cmdi.compound_statement_rule.rule_id).to eq("3")
+            expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
+            expect(cmdi.compound_statement_rule.command).to be_nil
+            expect(cmdi.collect_full_commandline).to eq(false)
+          end
+        end
+        context "with populated collect_full_commandline" do
+          context "as nil" do
+            it "should have collect_full_commandline disabled" do
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "collect_full_commandline" => nil,
+                  "compound_statement_rules" => [
+                    {"rule_id" => "3", "action" => "block"}
+                  ]
+                }
+              })
+              expect(cmdi.policy_id).to eq("policy_id")
+              expect(cmdi.version).to eq(1)
+              expect(cmdi.enabled).to eq(true)
+              expect(cmdi.overall_action).to be_nil
+              expect(cmdi.command_rules).to eq({})
+              expect(cmdi.compound_statement_rule).to_not be_nil
+              expect(cmdi.compound_statement_rule.rule_id).to eq("3")
+              expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
+              expect(cmdi.compound_statement_rule.command).to be_nil
+              expect(cmdi.collect_full_commandline).to eq(false)
+            end
+          end
+          context "as false" do
+            it "should have collect_full_commandline disabled" do
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "collect_full_commandline" => false,
+                  "compound_statement_rules" => [
+                    {"rule_id" => "3", "action" => "block"}
+                  ]
+                }
+              })
+              expect(cmdi.policy_id).to eq("policy_id")
+              expect(cmdi.version).to eq(1)
+              expect(cmdi.enabled).to eq(true)
+              expect(cmdi.overall_action).to be_nil
+              expect(cmdi.command_rules).to eq({})
+              expect(cmdi.compound_statement_rule).to_not be_nil
+              expect(cmdi.compound_statement_rule.rule_id).to eq("3")
+              expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
+              expect(cmdi.compound_statement_rule.command).to be_nil
+              expect(cmdi.collect_full_commandline).to eq(false)
+            end
+          end
+          context "as true" do
+            it "should have collect_full_commandline enabled" do
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "collect_full_commandline" => true,
+                  "compound_statement_rules" => [
+                    {"rule_id" => "3", "action" => "block"}
+                  ]
+                }
+              })
+              expect(cmdi.policy_id).to eq("policy_id")
+              expect(cmdi.version).to eq(1)
+              expect(cmdi.enabled).to eq(true)
+              expect(cmdi.overall_action).to be_nil
+              expect(cmdi.command_rules).to eq({})
+              expect(cmdi.compound_statement_rule).to_not be_nil
+              expect(cmdi.compound_statement_rule.rule_id).to eq("3")
+              expect(cmdi.compound_statement_rule.action).to eq(CommandRule::BLOCK)
+              expect(cmdi.compound_statement_rule.command).to be_nil
+              expect(cmdi.collect_full_commandline).to eq(true)
+            end
+          end
+        end
+      end
+      describe "#block?" do
+        context "with command rules" do
+          context "that are blank" do
+            it "should not block" do
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "collect_full_commandline" => true,
+                  "command_rules" => []
+                }
+              })
+              expect(TCellAgent).to_not receive(:send_event)
+              expect(
+                cmdi.block?("cat /etc/passwd | grep root", nil)
+              ).to eq(false)
+            end
+          end
+          context "that ignore all" do
+            it "should not block" do
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "collect_full_commandline" => true,
+                  "command_rules" => [{"rule_id" => "1", "action" => "ignore"}]
+                }
+              })
+              expect(TCellAgent).to_not receive(:send_event)
+              expect(
+                cmdi.block?("cat /etc/passwd | grep root", nil)
+              ).to eq(false)
+            end
+            context "and ignore cat" do
+              it "should not send an event" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "collect_full_commandline" => true,
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "ignore"},
+                      {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to_not receive(:send_event)
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(false)
+              end
+            end
+            context "and report cat" do
+              it "should send an event" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "collect_full_commandline" => true,
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "ignore"},
+                      {"rule_id" => "2", "action" => "report", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => false,
+                  "matches" => [{"rule_id" => "2", "command" => "cat"}],
+                  "full_commandline" => "cat /etc/passwd | grep root"
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(false)
+              end
+            end
+            context "and block cat" do
+              it "should send an event and block" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "collect_full_commandline" => true,
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "ignore"},
+                      {"rule_id" => "2", "action" => "block", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => true,
+                  "matches" => [{"rule_id" => "2", "command" => "cat"}],
+                  "full_commandline"=>"cat /etc/passwd | grep root"
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(true)
+              end
+            end
+          end
+          context "that report all" do
+            it "should send an event" do
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "command_rules" => [{"rule_id" => "1", "action" => "report"}]
+                }
+              })
+              expect(TCellAgent).to receive(:send_event).with({
+                "event_type" => "cmdi",
+                "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                "blocked" => false,
+                "matches" => [{"rule_id" => "1", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
+              })
+              expect(
+                cmdi.block?("cat /etc/passwd | grep root", nil)
+              ).to eq(false)
+            end
+            context "and ignore cat" do
+              it "should send an event for grep not cat" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "report"},
+                      {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => false,
+                  "matches" => [{"rule_id" => "1", "command" => "grep"}]
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(false)
+              end
+            end
+            context "and report cat" do
+              it "should send an event for grep and cat" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "report"},
+                      {"rule_id" => "2", "action" => "report", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => false,
+                  "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(false)
+              end
+            end
+            context "and block cat" do
+              it "should send an event for grep and cat and block" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "report"},
+                      {"rule_id" => "2", "action" => "block", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => true,
+                  "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(true)
+              end
+            end
+          end
+          context "that block all" do
+            it "should send an event and block" do
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "command_rules" => [{"rule_id" => "1", "action" => "block"}]
+                }
+              })
+              expect(TCellAgent).to receive(:send_event).with({
+                "event_type" => "cmdi",
+                "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                "blocked" => true,
+                "matches" => [{"rule_id" => "1", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
+              })
+              expect(
+                cmdi.block?("cat /etc/passwd | grep root", nil)
+              ).to eq(true)
+            end
+            context "and ignore cat" do
+              it "should send an event for grep not cat and block" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "block"},
+                      {"rule_id" => "2", "action" => "ignore", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => true,
+                  "matches" => [{"rule_id" => "1", "command" => "grep"}]
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(true)
+              end
+            end
+            context "and report cat" do
+              it "should send an event for grep and cat and block" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "block"},
+                      {"rule_id" => "2", "action" => "report", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => true,
+                  "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(true)
+              end
+            end
+            context "and block cat" do
+              it "should send an event for grep and cat and block" do
+                cmdi = CommandInjectionPolicy.from_json({
+                  "policy_id" => "policy_id",
+                  "version" => 1,
+                  "data" => {
+                    "command_rules" => [
+                      {"rule_id" => "1", "action" => "block"},
+                      {"rule_id" => "2", "action" => "block", "command" => "cat"}
+                    ]
+                  }
+                })
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => true,
+                  "matches" => [{"rule_id" => "2", "command" => "cat"}, {"rule_id" => "1", "command" => "grep"}]
+                })
+                expect(
+                  cmdi.block?("cat /etc/passwd | grep root", nil)
+                ).to eq(true)
+              end
+            end
+          end
+        end
+        context "with compound statement rules" do
+          before(:each) do
+            @tcell_context = TCellAgent::Instrumentation::TCellData.new
+            @tcell_context.request_method = "GET"
+            @tcell_context.ip_address = "1.1.1.1"
+            @tcell_context.route_id = "12345"
+            @tcell_context.hmac_session_id = "sldfjk2343"
+            @tcell_context.user_id = "user_id"
+          end
+          context "set to ignore" do
+            before(:each) do
+              @cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "compound_statement_rules" => [
+                    {"rule_id" => "1", "action" => "ignore"}
+                  ]
+                }
+              })
+            end
+            context "one parsed command" do
+              it "should not send events or block" do
+                expect(TCellAgent).to_not receive(:send_event)
+                expect(
+                  @cmdi.block?("cat /etc/passwd", @tcell_context)
+                ).to eq(false)
+              end
+            end
+            context "two parsed commands" do
+              it "should not send events or block" do
+                expect(TCellAgent).to_not receive(:send_event)
+                expect(
+                  @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
+                ).to eq(false)
+              end
+            end
+          end
+          context "set to report" do
+            before(:each) do
+              @cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "compound_statement_rules" => [
+                    {"rule_id" => "1", "action" => "report"}
+                  ]
+                }
+              })
+            end
+            context "one parsed command" do
+              it "should not send events or block" do
+                expect(TCellAgent).to_not receive(:send_event)
+                expect(
+                  @cmdi.block?("cat /etc/passwd", @tcell_context)
+                ).to eq(false)
+              end
+            end
+            context "two parsed commands" do
+              it "should send an event but not block" do
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [
+                    {"command" => "cat", "arg_count" => 1},
+                    {"command" => "grep", "arg_count" => 1}
+                  ],
+                  "blocked" => false,
+                  "matches" => [{"rule_id" => "1"}],
+                  "method" => "GET",
+                  "remote_address" => "1.1.1.1",
+                  "route_id" => "12345",
+                  "session_id" => "sldfjk2343",
+                  "user_id" => "user_id"
+                })
+                expect(
+                  @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
+                ).to eq(false)
+              end
+            end
+          end
+          context "set to block" do
+            before(:each) do
+              @cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "compound_statement_rules" => [
+                    {"rule_id" => "1", "action" => "block"}
+                  ]
+                }
+              })
+            end
+            context "one parsed command" do
+              it "should not send events or block" do
+                expect(TCellAgent).to_not receive(:send_event)
+                expect(
+                  @cmdi.block?("cat /etc/passwd", @tcell_context)
+                ).to eq(false)
+              end
+            end
+            context "two parsed commands" do
+              it "should send an event and block" do
+                expect(TCellAgent).to receive(:send_event).with({
+                  "event_type" => "cmdi",
+                  "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                  "blocked" => true,
+                  "matches" => [{"rule_id" => "1"}],
+                  "method" => "GET",
+                  "remote_address" => "1.1.1.1",
+                  "route_id" => "12345",
+                  "session_id" => "sldfjk2343",
+                  "user_id" => "user_id"
+                })
+                expect(
+                  @cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
+                ).to eq(true)
+              end
+            end
+          end
+          context "that conflict" do
+            it "only take the first one and ignore the rest" do
+              ## multiple compound statements present only first one is taken
+              cmdi = CommandInjectionPolicy.from_json({
+                "policy_id" => "policy_id",
+                "version" => 1,
+                "data" => {
+                  "compound_statement_rules" => [
+                    {"rule_id" => "1", "action" => "block"},
+                    {"rule_id" => "2", "action" => "ignore"}
+                  ]
+                }
+              })
+              expect(TCellAgent).to receive(:send_event).with({
+                "event_type" => "cmdi",
+                "commands" => [{"command" => "cat", "arg_count" => 1}, {"command" => "grep", "arg_count" => 1}],
+                "blocked" => true,
+                "matches" => [{"rule_id" => "1"}],
+                "method" => "GET",
+                "remote_address" => "1.1.1.1",
+                "route_id" => "12345",
+                "session_id" => "sldfjk2343",
+                "user_id" => "user_id"
+              })
+              expect(
+                cmdi.block?("cat /etc/passwd | grep root", @tcell_context)
+              ).to eq(true)
+            end
+          end
+        end
+      end
+    end
+  end
+end