Update automated tests to reflect evttypes behavior

With the changes in falcosecurity/libs#74, there isn't any need to warn about the order of operators and the evt.type field--the set of event types for a filter should be exact now regardless of the order of operators. So update tests that were logging those warnings to note that the warnings won't occur any more. Also, some tests more accurately *do* note that they have an overly permissive evttype (e.g. ones related to syscalls, which are uncommon and are evaluated for all event types) to reflect the new behavior. Finally, in unit tests create an actual sinsp filter instead of a gen_event_filter, which is the base class and shouldn't be created directly. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
falcosecurity · Oct 11, 2021 · 498b8bc · 498b8bc
1 parent ffd9dda
commit 498b8bc
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 30 deletions.
diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
@@ -32,20 +32,10 @@ trace_files: !mux
       - leading_not
       - not_equals_at_end
       - not_at_end
-      - not_before_trailing_evttype
-      - not_equals_before_trailing_evttype
       - not_equals_and_not
-      - not_equals_before_in
-      - not_before_in
-      - not_in_before_in
-      - leading_in_not_equals_before_evttype
       - leading_in_not_equals_at_evttype
       - not_with_evttypes
       - not_with_evttypes_addl
-      - not_equals_before_evttype
-      - not_equals_before_in_evttype
-      - not_before_evttype
-      - not_before_evttype_using_in
     rules_events:
       - no_warnings: [execve]
       - no_evttype: [all]
@@ -1142,6 +1132,8 @@ trace_files: !mux
     detect_level: INFO
     rules_file:
       - rules/syscalls.yaml
+    rules_warning:
+      - detect_madvise
     detect_counts:
       - detect_madvise: 2
       - detect_open: 2
@@ -1160,7 +1152,8 @@ trace_files: !mux
 
   skip_unknown_noevt:
     detect: False
-    stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody
+    rules_warning:
+      - Contains Unknown Event And Skipping
     rules_file:
       - rules/skip_unknown_evt.yaml
     trace_file: trace_files/cat_write.scap
@@ -1175,7 +1168,7 @@ trace_files: !mux
     exit_status: 1
     stderr_contains: |+
       Could not load rules file.*skip_unknown_error.yaml: 1 errors:
-      rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody
+      Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
       ---
       - rule: Contains Unknown Event And Not Skipping
         desc: Contains an unknown event
@@ -1192,7 +1185,7 @@ trace_files: !mux
     exit_status: 1
     stderr_contains: |+
       Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
-      rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody
+      Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
       ---
       - rule: Contains Unknown Event And Unspecified
         desc: Contains an unknown event

diff --git a/test/rules/rule_append.yaml b/test/rules/rule_append.yaml
@@ -16,10 +16,10 @@
 #
 - rule: my_rule
   desc: A process named cat does an open
-  condition: evt.type=open and fd.name=not-a-real-file
+  condition: (evt.type=open and fd.name=not-a-real-file)
   output: "An open of /dev/null was seen (command=%proc.cmdline)"
   priority: WARNING
 
 - rule: my_rule
   append: true
-  condition: or fd.name=/dev/null
+  condition: or (evt.type=open and fd.name=/dev/null)
diff --git a/tests/engine/test_rulesets.cpp b/tests/engine/test_rulesets.cpp
@@ -26,10 +26,21 @@ static uint16_t non_default_ruleset = 3;
 static uint16_t other_non_default_ruleset = 2;
 static std::set<std::string> tags = {"some_tag", "some_other_tag"};
 
+static std::shared_ptr<gen_event_filter> create_filter()
+{
+	// The actual contents of the filters don't matter here.
+	sinsp_filter_compiler compiler(NULL, "evt.type=open");
+	sinsp_filter *f = compiler.compile();
+
+	std::shared_ptr<gen_event_filter> ret(f);
+
+	return ret;
+}
+
 TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -44,7 +55,7 @@ TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets
 TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -63,7 +74,7 @@ TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[ruleset
 TEST_CASE("Should not enable for exact match different rule name", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -75,7 +86,7 @@ TEST_CASE("Should not enable for exact match different rule name", "[rulesets]")
 TEST_CASE("Should enable/disable for exact match w/ substring and default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -90,7 +101,7 @@ TEST_CASE("Should enable/disable for exact match w/ substring and default rulese
 TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -102,7 +113,7 @@ TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]")
 TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -117,7 +128,7 @@ TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[ruleset
 TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -132,7 +143,7 @@ TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[ruleset
 TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -147,7 +158,7 @@ TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rule
 TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 
 	r.add(rule_name, tags, filter);
@@ -166,7 +177,7 @@ TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rul
 TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_tag"};
 
@@ -182,7 +193,7 @@ TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]")
 TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_tag"};
 
@@ -202,7 +213,7 @@ TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]")
 TEST_CASE("Should not enable for different tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_different_tag"};
 
@@ -215,7 +226,7 @@ TEST_CASE("Should not enable for different tags", "[rulesets]")
 TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> filter = create_filter();
 	string rule_name = "one_rule";
 	std::set<std::string> want_tags = {"some_tag", "some_different_tag"};
 
@@ -231,12 +242,12 @@ TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]")
 TEST_CASE("Should enable/disable for incremental adding tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr<gen_event_filter> rule1_filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> rule1_filter = create_filter();
 	string rule1_name = "one_rule";
 	std::set<std::string> rule1_tags = {"rule1_tag"};
 	r.add(rule1_name, rule1_tags, rule1_filter);
 
-	std::shared_ptr<gen_event_filter> rule2_filter(new gen_event_filter());
+	std::shared_ptr<gen_event_filter> rule2_filter = create_filter();
 	string rule2_name = "two_rule";
 	std::set<std::string> rule2_tags = {"rule2_tag"};
 	r.add(rule2_name, rule2_tags, rule2_filter);