* feat: Add initial e2e Tracee launch and detect test * feat: Add separate targets for BTF on/off * feat: Refactor various tracee launch subtests * feat: Add TestWebhookIntegration for webhook integration test Signed-off-by: Simar <simar@linux.com> * feat: Replace fmt.Println with t.Log directives Signed-off-by: Simar <simar@linux.com> * fix: Replace assert with require, to fail early when tracee fails to launch Signed-off-by: Simar <simar@linux.com>
Showing
4 changed files
with
145 additions
and
2 deletions.
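--- /dev/null
+++ b/tests/go.mod
@@ -0,0 +1,5 @@
+module github.com/aquasecurity/tracee/tests
+
+go 1.16
+
+require github.com/stretchr/testify v1.7.0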
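--- /dev/null
+++ b/tests/go.sum
@@ -0,0 +1,11 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=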
@@ -0,0 +1,129 @@ | ||
package tests | ||
|
||
import ( | ||
"fmt" | ||
"io/ioutil" | ||
"net/http" | ||
"net/http/httptest" | ||
"os/exec" | ||
"strings" | ||
"testing" | ||
"time" | ||
|
||
"github.com/stretchr/testify/require" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
const ( | ||
waitTime = time.Second * 3 | ||
traceeDockerRunBTFEnabled = `run --detach --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -t aquasec/tracee:latest` | ||
traceeDockerRunBTFDisabled = `run --detach --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -it aquasec/tracee:latest` | ||
traceeDockerRunWithWebhook = `run --detach --name tracee --rm --pid=host --net=host --privileged -v /tmp/tracee:/tmp/tracee -t aquasec/tracee:latest --webhook=%s --webhook-template=%s --webhook-content-type=application/json` | ||
) | ||
|
||
func launchTracee(t *testing.T, traceeCmd string) string { | ||
t.Helper() | ||
|
||
t.Log("Launching Tracee container...") | ||
b, err := exec.Command("docker", strings.Split(traceeCmd, " ")...).CombinedOutput() | ||
require.NoError(t, err) | ||
containerID := strings.TrimSpace(string(b)) | ||
t.Log("Tracee container ID: ", containerID) | ||
return containerID | ||
} | ||
|
||
func runCommand(t *testing.T, cmd string, args ...string) string { | ||
t.Helper() | ||
|
||
t.Log("Running", cmd, args, "...") | ||
output, err := exec.Command(cmd, args...).CombinedOutput() | ||
assert.NoError(t, err) | ||
return string(output) | ||
} | ||
|
||
// TestLaunchTracee tests the basic sanity workflow of running tracee | ||
// and detecting an attack by simulating a signature trigger | ||
func TestLaunchTracee(t *testing.T) { | ||
t.Run("BTF enabled", func(t *testing.T) { | ||
containerID := launchTracee(t, traceeDockerRunBTFEnabled) | ||
|
||
// wait for tracee to get ready | ||
time.Sleep(waitTime) | ||
|
||
// do an `strace ls` | ||
_ = runCommand(t, "strace", "ls") | ||
|
||
// wait for tracee to detect | ||
time.Sleep(waitTime) | ||
|
||
// get tracee container logs | ||
containerLogs := runCommand(t, "docker", "logs", containerID) | ||
|
||
// assert results | ||
t.Log("Asserting Logs...") | ||
assert.Contains(t, string(containerLogs), `Signature ID: TRC-2`) | ||
|
||
// kill the container | ||
t.Log("Terminating the Tracee container...") | ||
assert.NoError(t, exec.Command("docker", "kill", containerID).Run()) | ||
}) | ||
|
||
t.Run("BTF disabled", func(t *testing.T) { | ||
containerID := launchTracee(t, traceeDockerRunBTFDisabled) | ||
|
||
// wait for tracee to get ready | ||
time.Sleep(waitTime) | ||
|
||
// do an `strace ls` | ||
_ = runCommand(t, "strace", "ls") | ||
|
||
// wait for tracee to detect | ||
time.Sleep(waitTime) | ||
|
||
// get tracee container logs | ||
containerLogs := runCommand(t, "docker", "logs", containerID) | ||
|
||
// assert results | ||
t.Log("Asserting Logs...") | ||
assert.Contains(t, string(containerLogs), `Signature ID: TRC-2`) | ||
|
||
// kill the container | ||
t.Log("Terminating the Tracee container...") | ||
assert.NoError(t, exec.Command("docker", "kill", containerID).Run()) | ||
}) | ||
} | ||
|
||
// TestWebhookIntegration tests the same workflow of running tracee | ||
// and triggering a signature but also asserts the results of sending | ||
// the payload to the HTTP webhook interface | ||
func TestWebhookIntegration(t *testing.T) { | ||
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
t.Log("Asserting Logs...") | ||
b, _ := ioutil.ReadAll(r.Body) | ||
assert.Contains(t, string(b), `"Properties":{"MITRE ATT\u0026CK":"Defense Evasion: Execution Guardrails","Severity":3}`) | ||
assert.Equal(t, "application/json", r.Header["Content-Type"][0]) | ||
})) | ||
defer ts.Close() | ||
|
||
containerID := launchTracee(t, fmt.Sprintf(traceeDockerRunWithWebhook, ts.URL, "/tracee/templates/rawjson.tmpl")) | ||
|
||
// wait for tracee to get ready | ||
time.Sleep(waitTime) | ||
|
||
// do an `strace ls` | ||
_ = runCommand(t, "strace", "ls") | ||
|
||
// wait for tracee to detect | ||
time.Sleep(waitTime) | ||
|
||
// get tracee container logs | ||
containerLogs := runCommand(t, "docker", "logs", containerID) | ||
|
||
// assert results | ||
assert.NotContains(t, containerLogs, `error sending to webhook`) | ||
|
||
// kill the container | ||
t.Log("Terminating the Tracee container...") | ||
assert.NoError(t, exec.Command("docker", "kill", containerID).Run()) | ||
} |
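Review bot: TestWebhookIntegration can pass without the webhook ever being called, because every payload and Content-Type assertion lives inside the httptest handler passed to `httptest.NewServer`, and the only assertion made outside it, `assert.NotContains(t, containerLogs, "error sending to webhook")`, also holds when Tracee never fires or never posts. Record delivery in the handler and fail the test if nothing arrived by the time the container logs are checked; while there, read the header with `r.Header.Get("Content-Type")` rather than `r.Header["Content-Type"][0]`, which panics inside the handler goroutine if the header is absent. Registering the `docker kill` through `t.Cleanup` right after `launchTracee` would additionally stop a failed or interrupted run from leaving a container named `tracee` behind, which makes the next `--name tracee` launch fail at the `require.NoError` in launchTracee; the same applies to both subtests of TestLaunchTracee.

```go
func TestWebhookIntegration(t *testing.T) {
	// buffered so the handler never blocks if the test has already moved on
	received := make(chan struct{}, 1)
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		t.Log("Asserting Logs...")
		b, _ := ioutil.ReadAll(r.Body)
		assert.Contains(t, string(b), `"Properties":{"MITRE ATT\u0026CK":"Defense Evasion: Execution Guardrails","Severity":3}`)
		assert.Equal(t, "application/json", r.Header.Get("Content-Type"))
		select {
		case received <- struct{}{}:
		default:
		}
	}))
	defer ts.Close()

	containerID := launchTracee(t, fmt.Sprintf(traceeDockerRunWithWebhook, ts.URL, "/tracee/templates/rawjson.tmpl"))
	t.Cleanup(func() {
		t.Log("Terminating the Tracee container...")
		assert.NoError(t, exec.Command("docker", "kill", containerID).Run())
	})

	// … unchanged: wait, `strace ls`, wait, docker logs, NotContains assertion …

	select {
	case <-received:
	default:
		t.Fatal("webhook endpoint was never called")
	}
}
```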