Tracee end-to-end tests (#1033)

* feat: Add initial e2e Tracee launch and detect test * feat: Add separate targets for BTF on/off * feat: Refactor various tracee launch subtests * feat: Add TestWebhookIntegration for webhook integration test Signed-off-by: Simar <simar@linux.com> * feat: Replace fmt.Println with t.Log directives Signed-off-by: Simar <simar@linux.com> * fix: Replace assert with require, to fail early when tracee fails to launch Signed-off-by: Simar <simar@linux.com>
aquasecurity · Oct 8, 2021 · 97ac6ec · 97ac6ec
1 parent 32c3e1c
commit 97ac6ec
Show file tree

Hide file tree

Showing 4 changed files with 145 additions and 2 deletions.
diff --git a/tests/go.mod b/tests/go.mod
@@ -0,0 +1,5 @@
+module github.com/aquasecurity/tracee/tests
+
+go 1.16
+
+require github.com/stretchr/testify v1.7.0
diff --git a/tests/go.sum b/tests/go.sum
@@ -0,0 +1,11 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/tests/tracee_test.go b/tests/tracee_test.go
@@ -0,0 +1,129 @@
+package tests
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os/exec"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	waitTime                   = time.Second * 3
+	traceeDockerRunBTFEnabled  = `run --detach --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -t aquasec/tracee:latest`
+	traceeDockerRunBTFDisabled = `run --detach --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -it aquasec/tracee:latest`
+	traceeDockerRunWithWebhook = `run --detach --name tracee --rm --pid=host --net=host --privileged -v /tmp/tracee:/tmp/tracee -t aquasec/tracee:latest --webhook=%s --webhook-template=%s --webhook-content-type=application/json`
+)
+
+func launchTracee(t *testing.T, traceeCmd string) string {
+	t.Helper()
+
+	t.Log("Launching Tracee container...")
+	b, err := exec.Command("docker", strings.Split(traceeCmd, " ")...).CombinedOutput()
+	require.NoError(t, err)
+	containerID := strings.TrimSpace(string(b))
+	t.Log("Tracee container ID: ", containerID)
+	return containerID
+}
+
+func runCommand(t *testing.T, cmd string, args ...string) string {
+	t.Helper()
+
+	t.Log("Running", cmd, args, "...")
+	output, err := exec.Command(cmd, args...).CombinedOutput()
+	assert.NoError(t, err)
+	return string(output)
+}
+
+// TestLaunchTracee tests the basic sanity workflow of running tracee
+// and detecting an attack by simulating a signature trigger
+func TestLaunchTracee(t *testing.T) {
+	t.Run("BTF enabled", func(t *testing.T) {
+		containerID := launchTracee(t, traceeDockerRunBTFEnabled)
+
+		// wait for tracee to get ready
+		time.Sleep(waitTime)
+
+		// do an `strace ls`
+		_ = runCommand(t, "strace", "ls")
+
+		// wait for tracee to detect
+		time.Sleep(waitTime)
+
+		// get tracee container logs
+		containerLogs := runCommand(t, "docker", "logs", containerID)
+
+		// assert results
+		t.Log("Asserting Logs...")
+		assert.Contains(t, string(containerLogs), `Signature ID: TRC-2`)
+
+		// kill the container
+		t.Log("Terminating the Tracee container...")
+		assert.NoError(t, exec.Command("docker", "kill", containerID).Run())
+	})
+
+	t.Run("BTF disabled", func(t *testing.T) {
+		containerID := launchTracee(t, traceeDockerRunBTFDisabled)
+
+		// wait for tracee to get ready
+		time.Sleep(waitTime)
+
+		// do an `strace ls`
+		_ = runCommand(t, "strace", "ls")
+
+		// wait for tracee to detect
+		time.Sleep(waitTime)
+
+		// get tracee container logs
+		containerLogs := runCommand(t, "docker", "logs", containerID)
+
+		// assert results
+		t.Log("Asserting Logs...")
+		assert.Contains(t, string(containerLogs), `Signature ID: TRC-2`)
+
+		// kill the container
+		t.Log("Terminating the Tracee container...")
+		assert.NoError(t, exec.Command("docker", "kill", containerID).Run())
+	})
+}
+
+// TestWebhookIntegration tests the same workflow of running tracee
+// and triggering a signature but also asserts the results of sending
+// the payload to the HTTP webhook interface
+func TestWebhookIntegration(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		t.Log("Asserting Logs...")
+		b, _ := ioutil.ReadAll(r.Body)
+		assert.Contains(t, string(b), `"Properties":{"MITRE ATT\u0026CK":"Defense Evasion: Execution Guardrails","Severity":3}`)
+		assert.Equal(t, "application/json", r.Header["Content-Type"][0])
+	}))
+	defer ts.Close()
+
+	containerID := launchTracee(t, fmt.Sprintf(traceeDockerRunWithWebhook, ts.URL, "/tracee/templates/rawjson.tmpl"))
+
+	// wait for tracee to get ready
+	time.Sleep(waitTime)
+
+	// do an `strace ls`
+	_ = runCommand(t, "strace", "ls")
+
+	// wait for tracee to detect
+	time.Sleep(waitTime)
+
+	// get tracee container logs
+	containerLogs := runCommand(t, "docker", "logs", containerID)
+
+	// assert results
+	assert.NotContains(t, containerLogs, `error sending to webhook`)
+
+	// kill the container
+	t.Log("Terminating the Tracee container...")
+	assert.NoError(t, exec.Command("docker", "kill", containerID).Run())
+}
diff --git a/tracee-rules/go.sum b/tracee-rules/go.sum
@@ -54,8 +54,6 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/aquasecurity/tracee/tracee-ebpf/external v0.0.0-20210727091827-bbe411a2a167 h1:QpuLpMxwd9fFH8p2aZ4umKqfpI9/6vf37D/fvLUyHMk=
-github.com/aquasecurity/tracee/tracee-ebpf/external v0.0.0-20210727091827-bbe411a2a167/go.mod h1:C6aED/3HEi4aKSyjtCBWC//7EDXVlV/cQAdDgSbF1eM=
 github.com/aquasecurity/tracee/tracee-ebpf/external v0.0.0-20210922213431-07969faccea0 h1:W2asvJ+Zh4ybmNhjySSgy0O53RDaDH373qCp87jPWbg=
 github.com/aquasecurity/tracee/tracee-ebpf/external v0.0.0-20210922213431-07969faccea0/go.mod h1:C6aED/3HEi4aKSyjtCBWC//7EDXVlV/cQAdDgSbF1eM=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=