From 498b8bce7fcb86015aa6e83259d6bd64208e3132 Mon Sep 17 00:00:00 2001 From: Mark Stemm Date: Mon, 4 Oct 2021 17:29:06 -0700 Subject: [PATCH] Update automated tests to reflect evttypes behavior With the changes in https://github.com/falcosecurity/libs/pull/74, there isn't any need to warn about the order of operators and the evt.type field--the set of event types for a filter should be exact now regardless of the order of operators. So update tests that were logging those warnings to note that the warnings won't occur any more. Also, some tests more accurately *do* note that they have an overly permissive evttype (e.g. ones related to syscalls, which are uncommon and are evaluated for all event types) to reflect the new behavior. Finally, in unit tests create an actual sinsp filter instead of a gen_event_filter, which is the base class and shouldn't be created directly. Signed-off-by: Mark Stemm --- test/falco_tests.yaml | 19 +++++----------- test/rules/rule_append.yaml | 4 ++-- tests/engine/test_rulesets.cpp | 41 +++++++++++++++++++++------------- 3 files changed, 34 insertions(+), 30 deletions(-) diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml index df0c19fa509..efd576524da 100644 --- a/test/falco_tests.yaml +++ b/test/falco_tests.yaml @@ -32,20 +32,10 @@ trace_files: !mux - leading_not - not_equals_at_end - not_at_end - - not_before_trailing_evttype - - not_equals_before_trailing_evttype - not_equals_and_not - - not_equals_before_in - - not_before_in - - not_in_before_in - - leading_in_not_equals_before_evttype - leading_in_not_equals_at_evttype - not_with_evttypes - not_with_evttypes_addl - - not_equals_before_evttype - - not_equals_before_in_evttype - - not_before_evttype - - not_before_evttype_using_in rules_events: - no_warnings: [execve] - no_evttype: [all] @@ -1142,6 +1132,8 @@ trace_files: !mux detect_level: INFO rules_file: - rules/syscalls.yaml + rules_warning: + - detect_madvise detect_counts: - detect_madvise: 2 - detect_open: 2 
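Review bot: The new `rules_warning:` / `- detect_madvise` entry in the second hunk states that this test now expects a load-time warning but not why, and the only explanation lives in the commit message; the next person who sees the warning text change will not be able to tell an intended expectation from a regression. A one-line comment next to the entry would carry that context into the test file itself, e.g. `# syscall-only rules carry no specific evt.type, so the engine now reports them as overly permissive (see falcosecurity/libs#74)`. The first hunk only deletes entries from the mux list and needs nothing.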
@@ -1160,7 +1152,8 @@ trace_files: !mux skip_unknown_noevt: detect: False - stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody + rules_warning: + - Contains Unknown Event And Skipping rules_file: - rules/skip_unknown_evt.yaml trace_file: trace_files/cat_write.scap @@ -1175,7 +1168,7 @@ trace_files: !mux exit_status: 1 stderr_contains: |+ Could not load rules file.*skip_unknown_error.yaml: 1 errors: - rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody + Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody --- - rule: Contains Unknown Event And Not Skipping desc: Contains an unknown event @@ -1192,7 +1185,7 @@ trace_files: !mux exit_status: 1 stderr_contains: |+ Could not load rules file .*skip_unknown_unspec.yaml: 1 errors: - rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody + Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody --- - rule: Contains Unknown Event And Unspecified desc: Contains an unknown event diff --git a/test/rules/rule_append.yaml b/test/rules/rule_append.yaml index 5441947ffcb..0a289f6e969 100644 --- a/test/rules/rule_append.yaml +++ b/test/rules/rule_append.yaml @@ -16,10 +16,10 @@ # - rule: my_rule desc: A process named cat does an open - condition: evt.type=open and fd.name=not-a-real-file + condition: (evt.type=open and fd.name=not-a-real-file) output: "An open of /dev/null was seen (command=%proc.cmdline)" priority: WARNING - rule: my_rule append: true - condition: or fd.name=/dev/null + condition: or (evt.type=open and fd.name=/dev/null) diff --git a/tests/engine/test_rulesets.cpp b/tests/engine/test_rulesets.cpp index 45e93431b86..5fbdff99e12 100644 --- a/tests/engine/test_rulesets.cpp +++ b/tests/engine/test_rulesets.cpp 
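Review bot: Swapping `stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody` for a `rules_warning` entry in the skip_unknown_noevt hunk drops the part of the assertion that pinned the reason for the skip (the unknown field `proc.nobody`); from what is visible here `rules_warning` only checks that some warning is attributed to that rule name, so a warning raised for an unrelated reason (for instance the overly-permissive-evttype warning this same commit starts expecting for other rules) would now pass this test. If the harness allows both keys on one test, keep a `stdout_contains`/`stderr_contains` line with the new warning text alongside `rules_warning` so the skip reason stays verified; the two following hunks that update the `stderr_contains` error text do keep the field name and are fine.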
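Review bot: The appended condition in the rule_append.yaml hunk now repeats `evt.type=open` inside the `or` branch, but nothing in the file says why, so a later reader may well "simplify" it back to `or fd.name=/dev/null`. Given that this commit relies on a filter's event-type set being computed exactly across operators, an `or` branch with no evt.type would presumably widen the rule to every event type, which is the overly-permissive case the commit message describes. Add a comment above the appended rule, e.g. `# Repeat evt.type=open in the or-branch: a branch without any evt.type would widen the rule's event-type set to all events.`; the parenthesization of the base rule's condition is fine but deserves the same sentence.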
@@ -26,10 +26,21 @@ static uint16_t non_default_ruleset = 3; static uint16_t other_non_default_ruleset = 2; static std::set tags = {"some_tag", "some_other_tag"}; +static std::shared_ptr create_filter() +{ + // The actual contents of the filters don't matter here. + sinsp_filter_compiler compiler(NULL, "evt.type=open"); + sinsp_filter *f = compiler.compile(); + + std::shared_ptr ret(f); + + return ret; +} + TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); @@ -44,7 +55,7 @@ TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); @@ -63,7 +74,7 @@ TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[ruleset TEST_CASE("Should not enable for exact match different rule name", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); @@ -75,7 +86,7 @@ TEST_CASE("Should not enable for exact match different rule name", "[rulesets]") TEST_CASE("Should enable/disable for exact match w/ substring and default ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); 
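Review bot: In the new `create_filter()` helper the result of `compiler.compile()` is wrapped and returned without any check, so if compilation of the hard-coded string ever fails (whether that surfaces as a null pointer or as an exception is not visible here) every TEST_CASE in this file fails on `r.add(...)` with a dereference rather than at the point of the problem; the helper also passes `NULL` where the rest of modern C++ would use `nullptr`, and the intermediate raw `sinsp_filter *f` plus named `ret` add nothing. The body can collapse to `sinsp_filter_compiler compiler(nullptr, "evt.type=open");`, `auto ret = std::shared_ptr<gen_event_filter>(compiler.compile());`, `REQUIRE(ret); return ret;` (this rendering strips template arguments, so keep whatever element type the original `std::shared_ptr` declaration used). The existing comment should also say why a compiled sinsp filter is built at all — per the commit message, `gen_event_filter` is the base class and is not meant to be instantiated directly — e.g. `// Build a real sinsp_filter: gen_event_filter is an abstract base and must not be constructed directly; the filter text itself is irrelevant to these tests.` The remaining hunks in this file, through the incremental-tags test, only swap the construction for the helper and need nothing further.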
@@ -90,7 +101,7 @@ TEST_CASE("Should enable/disable for exact match w/ substring and default rulese TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); @@ -102,7 +113,7 @@ TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]") TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); @@ -117,7 +128,7 @@ TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[ruleset TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); @@ -132,7 +143,7 @@ TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[ruleset TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); @@ -147,7 +158,7 @@ TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rule TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; r.add(rule_name, tags, filter); 
@@ -166,7 +177,7 @@ TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rul TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; std::set want_tags = {"some_tag"}; @@ -182,7 +193,7 @@ TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]") TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; std::set want_tags = {"some_tag"}; @@ -202,7 +213,7 @@ TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]") TEST_CASE("Should not enable for different tags", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; std::set want_tags = {"some_different_tag"}; @@ -215,7 +226,7 @@ TEST_CASE("Should not enable for different tags", "[rulesets]") TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]") { falco_ruleset r; - std::shared_ptr filter(new gen_event_filter()); + std::shared_ptr filter = create_filter(); string rule_name = "one_rule"; std::set want_tags = {"some_tag", "some_different_tag"}; 
@@ -231,12 +242,12 @@ TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]") TEST_CASE("Should enable/disable for incremental adding tags", "[rulesets]") { falco_ruleset r; - std::shared_ptr rule1_filter(new gen_event_filter()); + std::shared_ptr rule1_filter = create_filter(); string rule1_name = "one_rule"; std::set rule1_tags = {"rule1_tag"}; r.add(rule1_name, rule1_tags, rule1_filter); - std::shared_ptr rule2_filter(new gen_event_filter()); + std::shared_ptr rule2_filter = create_filter(); string rule2_name = "two_rule"; std::set rule2_tags = {"rule2_tag"}; r.add(rule2_name, rule2_tags, rule2_filter);