Update automated tests to reflect evttypes behavior

With the changes in https://github.com/falcosecurity/libs/pull/74,
there isn't any need to warn about the order of operators and the
evt.type field--the set of event types for a filter should be exact
now regardless of the order of operators.

So update tests that were logging those warnings to note that the
warnings won't occur any more.

Also, some tests more accurately *do* note that they have an overly
permissive evttype (e.g. ones related to syscalls, which are uncommon
and are evaluated for all event types) to reflect the new behavior.

Finally, in unit tests create an actual sinsp filter instead of a
gen_event_filter, which is the base class and shouldn't be created
directly.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Mark Stemm
2021-10-04 17:29:06 -07:00
committed by poiana
parent 204892816b
commit 10d47cb1f5
3 changed files with 34 additions and 30 deletions


@@ -32,20 +32,10 @@ trace_files: !mux
- leading_not
- not_equals_at_end
- not_at_end
- not_before_trailing_evttype
- not_equals_before_trailing_evttype
- not_equals_and_not
- not_equals_before_in
- not_before_in
- not_in_before_in
- leading_in_not_equals_before_evttype
- leading_in_not_equals_at_evttype
- not_with_evttypes
- not_with_evttypes_addl
- not_equals_before_evttype
- not_equals_before_in_evttype
- not_before_evttype
- not_before_evttype_using_in
rules_events:
- no_warnings: [execve]
- no_evttype: [all]
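Review bot: the ten lines this hunk drops from the mux list (20 old lines to 10 new, per the header; by name these are the evttype-ordering cases from not_before_trailing_evttype through not_before_evttype_using_in) are only de-listed here; the hunk does not show their test-case definitions or the trace files they reference being deleted. Either remove those definitions in the same commit or add a comment saying why they stay defined but unrun, so the file does not accumulate dead cases. The remaining not_* entries (leading_not, not_equals_at_end, not_at_end, not_equals_and_not, not_equals_before_in, not_before_in, not_in_before_in) still cover the operator-ordering combinations that do not involve evt.type, which matches the commit message.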
@@ -1142,6 +1132,8 @@ trace_files: !mux
detect_level: INFO
rules_file:
- rules/syscalls.yaml
rules_warning:
- detect_madvise
detect_counts:
- detect_madvise: 2
- detect_open: 2
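Review bot: the new rules_warning entry for detect_madvise is unexplained in the hunk; add a comment here or in rules/syscalls.yaml stating that the rule is expected to warn because it carries no evt.type restriction and is therefore evaluated for every event type (the syscall case the commit message calls out), otherwise the next person to see the warning will try to silence it by adding an evt.type clause and break the test. detect_open shares the detect_counts block but is not listed under rules_warning, so the file should make clear why one rule warns and the other does not.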
@@ -1160,7 +1152,8 @@ trace_files: !mux
skip_unknown_noevt:
detect: False
stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody
rules_warning:
- Contains Unknown Event And Skipping
rules_file:
- rules/skip_unknown_evt.yaml
trace_file: trace_files/cat_write.scap
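Review bot: skip_unknown_noevt now asserts two different messages about the same rule, the "Skipping rule ... contains unknown filter proc.nobody" line on stdout and an entry under rules_warning, without saying which warning the second check is for; a one-line comment naming the expected warning (the noevt in the test name suggests the missing evt.type restriction rather than the unknown-field skip) would keep the two assertions from being confused, and would make it obvious if the skip message itself ever started being counted as the rule warning.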
@@ -1175,7 +1168,7 @@ trace_files: !mux
exit_status: 1
stderr_contains: |+
Could not load rules file.*skip_unknown_error.yaml: 1 errors:
rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody
Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
---
- rule: Contains Unknown Event And Not Skipping
desc: Contains an unknown event
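Review bot: the expected stderr now matches the libs-side message ("filter_check called with nonexistent field proc.nobody") instead of the loader's own "contains unknown filter" wording, so this test will break on a rewording in libs rather than in Falco; if that coupling is intended, say so in a comment next to stderr_contains. Also, the pattern "Could not load rules file.*skip_unknown_error.yaml" has no space before ".*" while the sibling skip_unknown_unspec test writes "file .*"; harmless because ".*" absorbs the space, but worth making consistent.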
@@ -1192,7 +1185,7 @@ trace_files: !mux
exit_status: 1
stderr_contains: |+
Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody
Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
---
- rule: Contains Unknown Event And Unspecified
desc: Contains an unknown event
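Review bot: this is the same substitution made for skip_unknown_error, so both tests now depend on the identical libs error string "filter_check called with nonexistent field"; consider defining that expected fragment once (for example a YAML anchor) and referencing it from both stderr_contains blocks, so the next wording change in libs is a one-line fix instead of a hunt through the file.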


@@ -16,10 +16,10 @@
#
- rule: my_rule
desc: A process named cat does an open
condition: evt.type=open and fd.name=not-a-real-file
condition: (evt.type=open and fd.name=not-a-real-file)
output: "An open of /dev/null was seen (command=%proc.cmdline)"
priority: WARNING
- rule: my_rule
append: true
condition: or fd.name=/dev/null
condition: or (evt.type=open and fd.name=/dev/null)
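Review bot: the added parentheses are the substantive fix and deserve a comment in the rules file: without them the appended "or fd.name=/dev/null" binds looser than the "and" in the base rule, so the combined condition matched a /dev/null fd on any event type rather than only on open, which is exactly the overly permissive evttype case these tests exercise. Separately, the desc "A process named cat does an open" does not match the condition, which never checks proc.name; either update the desc or add the proc.name=cat check it promises.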