mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-20 01:17:46 +00:00
cleanup(tests): update configure_interesting_sets to use test_falco_engine
Signed-off-by: Luca Guerra <luca@guerra.sh>
This commit is contained in:
Luca Guerra
poiana
@@ -16,7 +16,9 @@ limitations under the License.
|
|||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <falco_engine.h>
|
#include "../../../test_falco_engine.h"
|
||||||
|
|
||||||
|
#include <utility>
|
||||||
|
|
||||||
#include <falco/app/app.h>
|
#include <falco/app/app.h>
|
||||||
#include "app_action_helpers.h"
|
#include "app_action_helpers.h"
|
||||||
@@ -57,14 +59,11 @@ static strset_t s_sample_nonsyscall_filters = {
|
|||||||
"evt.type in (procexit, switch, pluginevent, container)"};
|
"evt.type in (procexit, switch, pluginevent, container)"};
|
||||||
|
|
||||||
|
|
||||||
// todo(jasondellaluce): once we have deeper and more modular
|
static std::string ruleset_from_filters(const strset_t& filters)
|
||||||
// control on the falco engine, make this a little nicer
|
|
||||||
static std::shared_ptr<falco_engine> mock_engine_from_filters(const strset_t& filters)
|
|
||||||
{
|
{
|
||||||
// craft a fake ruleset with the given filters
|
|
||||||
int n_rules = 0;
|
|
||||||
std::string dummy_rules;
|
std::string dummy_rules;
|
||||||
falco::load_result::rules_contents_t content = {{"dummy_rules.yaml", dummy_rules}};
|
falco::load_result::rules_contents_t content = {{"dummy_rules.yaml", dummy_rules}};
|
||||||
|
int n_rules = 0;
|
||||||
for (const auto& f : filters)
|
for (const auto& f : filters)
|
||||||
{
|
{
|
||||||
n_rules++;
|
n_rules++;
|
||||||
@@ -76,28 +75,18 @@ static std::shared_ptr<falco_engine> mock_engine_from_filters(const strset_t& fi
|
|||||||
+ " priority: CRITICAL\n\n";
|
+ " priority: CRITICAL\n\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
// create a falco engine and load the ruleset
|
return dummy_rules;
|
||||||
sinsp_filter_check_list filterlist;
|
|
||||||
std::shared_ptr<falco_engine> res(new falco_engine());
|
|
||||||
auto filter_factory = std::shared_ptr<sinsp_filter_factory>(
|
|
||||||
new sinsp_filter_factory(nullptr, filterlist));
|
|
||||||
auto formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
|
|
||||||
new sinsp_evt_formatter_factory(nullptr, filterlist));
|
|
||||||
res->add_source(s_sample_source, filter_factory, formatter_factory);
|
|
||||||
res->load_rules(dummy_rules, "dummy_rules.yaml");
|
|
||||||
res->enable_rule("", true, s_sample_ruleset);
|
|
||||||
return res;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, engine_codes_syscalls_set)
|
TEST_F(test_falco_engine, engine_codes_syscalls_set)
|
||||||
{
|
{
|
||||||
|
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
|
||||||
|
|
||||||
auto engine = mock_engine_from_filters(s_sample_filters);
|
auto enabled_count = m_engine->num_rules_for_ruleset(s_sample_ruleset);
|
||||||
auto enabled_count = engine->num_rules_for_ruleset(s_sample_ruleset);
|
|
||||||
ASSERT_EQ(enabled_count, s_sample_filters.size());
|
ASSERT_EQ(enabled_count, s_sample_filters.size());
|
||||||
|
|
||||||
// test if event code names were extracted from each rule in test ruleset.
|
// test if event code names were extracted from each rule in test ruleset.
|
||||||
auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source);
|
auto rules_event_set = m_engine->event_codes_for_ruleset(s_sample_source);
|
||||||
auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
|
auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
|
||||||
ASSERT_NAMES_EQ(rules_event_names, strset_t({
|
ASSERT_NAMES_EQ(rules_event_names, strset_t({
|
||||||
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container", "asyncevent"}));
|
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read", "container", "asyncevent"}));
|
||||||
@@ -105,30 +94,30 @@ TEST(ConfigureInterestingSets, engine_codes_syscalls_set)
|
|||||||
// test if sc code names were extracted from each rule in test ruleset.
|
// test if sc code names were extracted from each rule in test ruleset.
|
||||||
// note, this is not supposed to contain "container", as that's an event
|
// note, this is not supposed to contain "container", as that's an event
|
||||||
// not mapped through the ppm_sc_code enumerative.
|
// not mapped through the ppm_sc_code enumerative.
|
||||||
auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
|
auto rules_sc_set = m_engine->sc_codes_for_ruleset(s_sample_source);
|
||||||
auto rules_sc_names = libsinsp::events::sc_set_to_event_names(rules_sc_set);
|
auto rules_sc_names = libsinsp::events::sc_set_to_event_names(rules_sc_set);
|
||||||
ASSERT_NAMES_EQ(rules_sc_names, strset_t({
|
ASSERT_NAMES_EQ(rules_sc_names, strset_t({
|
||||||
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read"}));
|
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read"}));
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, preconditions_postconditions)
|
TEST_F(test_falco_engine, preconditions_postconditions)
|
||||||
{
|
{
|
||||||
auto mock_engine = mock_engine_from_filters(s_sample_filters);
|
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
|
||||||
|
|
||||||
falco::app::state s1;
|
falco::app::state s1;
|
||||||
|
|
||||||
s1.engine = mock_engine;
|
s1.engine = nullptr;
|
||||||
s1.config = nullptr;
|
s1.config = std::make_shared<falco_configuration>();
|
||||||
auto result = falco::app::actions::configure_interesting_sets(s1);
|
auto result = falco::app::actions::configure_interesting_sets(s1);
|
||||||
ASSERT_FALSE(result.success);
|
ASSERT_FALSE(result.success);
|
||||||
ASSERT_NE(result.errstr, "");
|
ASSERT_NE(result.errstr, "");
|
||||||
|
|
||||||
s1.engine = nullptr;
|
s1.engine = m_engine;
|
||||||
s1.config = std::make_shared<falco_configuration>();
|
s1.config = nullptr;
|
||||||
result = falco::app::actions::configure_interesting_sets(s1);
|
result = falco::app::actions::configure_interesting_sets(s1);
|
||||||
ASSERT_FALSE(result.success);
|
ASSERT_FALSE(result.success);
|
||||||
ASSERT_NE(result.errstr, "");
|
ASSERT_NE(result.errstr, "");
|
||||||
|
|
||||||
s1.engine = mock_engine;
|
|
||||||
s1.config = std::make_shared<falco_configuration>();
|
s1.config = std::make_shared<falco_configuration>();
|
||||||
result = falco::app::actions::configure_interesting_sets(s1);
|
result = falco::app::actions::configure_interesting_sets(s1);
|
||||||
ASSERT_TRUE(result.success);
|
ASSERT_TRUE(result.success);
|
||||||
@@ -141,17 +130,18 @@ TEST(ConfigureInterestingSets, preconditions_postconditions)
|
|||||||
ASSERT_EQ(prev_selection_size, s1.selected_sc_set.size());
|
ASSERT_EQ(prev_selection_size, s1.selected_sc_set.size());
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, engine_codes_nonsyscalls_set)
|
TEST_F(test_falco_engine, engine_codes_nonsyscalls_set)
|
||||||
{
|
{
|
||||||
auto filters = s_sample_filters;
|
auto filters = s_sample_filters;
|
||||||
filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
|
filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
|
||||||
filters.insert(s_sample_nonsyscall_filters.begin(), s_sample_nonsyscall_filters.end());
|
filters.insert(s_sample_nonsyscall_filters.begin(), s_sample_nonsyscall_filters.end());
|
||||||
|
|
||||||
auto engine = mock_engine_from_filters(filters);
|
load_rules(ruleset_from_filters(filters), "dummy_ruleset.yaml");
|
||||||
auto enabled_count = engine->num_rules_for_ruleset(s_sample_ruleset);
|
|
||||||
|
auto enabled_count = m_engine->num_rules_for_ruleset(s_sample_ruleset);
|
||||||
ASSERT_EQ(enabled_count, filters.size());
|
ASSERT_EQ(enabled_count, filters.size());
|
||||||
|
|
||||||
auto rules_event_set = engine->event_codes_for_ruleset(s_sample_source);
|
auto rules_event_set = m_engine->event_codes_for_ruleset(s_sample_source);
|
||||||
auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
|
auto rules_event_names = libsinsp::events::event_set_to_names(rules_event_set);
|
||||||
// note: including even one generic event will cause PPME_GENERIC_E to be
|
// note: including even one generic event will cause PPME_GENERIC_E to be
|
||||||
// included in the ruleset's event codes. As such, when translating to names,
|
// included in the ruleset's event codes. As such, when translating to names,
|
||||||
@@ -164,7 +154,7 @@ TEST(ConfigureInterestingSets, engine_codes_nonsyscalls_set)
|
|||||||
expected_names.insert(generic_names.begin(), generic_names.end());
|
expected_names.insert(generic_names.begin(), generic_names.end());
|
||||||
ASSERT_NAMES_EQ(rules_event_names, expected_names);
|
ASSERT_NAMES_EQ(rules_event_names, expected_names);
|
||||||
|
|
||||||
auto rules_sc_set = engine->sc_codes_for_ruleset(s_sample_source);
|
auto rules_sc_set = m_engine->sc_codes_for_ruleset(s_sample_source);
|
||||||
auto rules_sc_names = libsinsp::events::sc_set_to_event_names(rules_sc_set);
|
auto rules_sc_names = libsinsp::events::sc_set_to_event_names(rules_sc_set);
|
||||||
ASSERT_NAMES_EQ(rules_sc_names, strset_t({
|
ASSERT_NAMES_EQ(rules_sc_names, strset_t({
|
||||||
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read",
|
"connect", "accept", "accept4", "umount2", "open", "ptrace", "mmap", "execve", "read",
|
||||||
@@ -172,11 +162,13 @@ TEST(ConfigureInterestingSets, engine_codes_nonsyscalls_set)
|
|||||||
}));
|
}));
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, selection_not_allevents)
|
TEST_F(test_falco_engine, selection_not_allevents)
|
||||||
{
|
{
|
||||||
|
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
|
||||||
|
|
||||||
falco::app::state s2;
|
falco::app::state s2;
|
||||||
// run app action with fake engine and without the `-A` option
|
// run app action with fake engine and without the `-A` option
|
||||||
s2.engine = mock_engine_from_filters(s_sample_filters);
|
s2.engine = m_engine;
|
||||||
s2.options.all_events = false;
|
s2.options.all_events = false;
|
||||||
|
|
||||||
ASSERT_EQ(s2.options.all_events, false);
|
ASSERT_EQ(s2.options.all_events, false);
|
||||||
@@ -217,11 +209,13 @@ TEST(ConfigureInterestingSets, selection_not_allevents)
|
|||||||
ASSERT_EQ(s2.selected_sc_set, union_set);
|
ASSERT_EQ(s2.selected_sc_set, union_set);
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, selection_allevents)
|
TEST_F(test_falco_engine, selection_allevents)
|
||||||
{
|
{
|
||||||
|
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
|
||||||
|
|
||||||
falco::app::state s3;
|
falco::app::state s3;
|
||||||
// run app action with fake engine and with the `-A` option
|
// run app action with fake engine and with the `-A` option
|
||||||
s3.engine = mock_engine_from_filters(s_sample_filters);
|
s3.engine = m_engine;
|
||||||
s3.options.all_events = true;
|
s3.options.all_events = true;
|
||||||
auto result = falco::app::actions::configure_interesting_sets(s3);
|
auto result = falco::app::actions::configure_interesting_sets(s3);
|
||||||
ASSERT_TRUE(result.success);
|
ASSERT_TRUE(result.success);
|
||||||
@@ -250,14 +244,15 @@ TEST(ConfigureInterestingSets, selection_allevents)
|
|||||||
ASSERT_EQ(s3.selected_sc_set, union_set);
|
ASSERT_EQ(s3.selected_sc_set, union_set);
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, selection_generic_evts)
|
TEST_F(test_falco_engine, selection_generic_evts)
|
||||||
{
|
{
|
||||||
falco::app::state s4;
|
falco::app::state s4;
|
||||||
// run app action with fake engine and without the `-A` option
|
// run app action with fake engine and without the `-A` option
|
||||||
s4.options.all_events = false;
|
s4.options.all_events = false;
|
||||||
auto filters = s_sample_filters;
|
auto filters = s_sample_filters;
|
||||||
filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
|
filters.insert(s_sample_generic_filters.begin(), s_sample_generic_filters.end());
|
||||||
s4.engine = mock_engine_from_filters(filters);
|
load_rules(ruleset_from_filters(filters), "dummy_ruleset.yaml");
|
||||||
|
s4.engine = m_engine;
|
||||||
auto result = falco::app::actions::configure_interesting_sets(s4);
|
auto result = falco::app::actions::configure_interesting_sets(s4);
|
||||||
ASSERT_TRUE(result.success);
|
ASSERT_TRUE(result.success);
|
||||||
ASSERT_EQ(result.errstr, "");
|
ASSERT_EQ(result.errstr, "");
|
||||||
@@ -282,12 +277,14 @@ TEST(ConfigureInterestingSets, selection_generic_evts)
|
|||||||
// (either default or custom positive set)
|
// (either default or custom positive set)
|
||||||
// - events in the custom negative set are removed from the selected set
|
// - events in the custom negative set are removed from the selected set
|
||||||
// - if `-A` is not set, events from the IO set are removed from the selected set
|
// - if `-A` is not set, events from the IO set are removed from the selected set
|
||||||
TEST(ConfigureInterestingSets, selection_custom_base_set)
|
TEST_F(test_falco_engine, selection_custom_base_set)
|
||||||
{
|
{
|
||||||
|
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
|
||||||
|
|
||||||
falco::app::state s5;
|
falco::app::state s5;
|
||||||
// run app action with fake engine and without the `-A` option
|
// run app action with fake engine and without the `-A` option
|
||||||
s5.options.all_events = true;
|
s5.options.all_events = true;
|
||||||
s5.engine = mock_engine_from_filters(s_sample_filters);
|
s5.engine = m_engine;
|
||||||
auto default_base_set = libsinsp::events::sinsp_state_sc_set();
|
auto default_base_set = libsinsp::events::sinsp_state_sc_set();
|
||||||
|
|
||||||
// non-empty custom base set (both positive and negative)
|
// non-empty custom base set (both positive and negative)
|
||||||
@@ -365,12 +362,14 @@ TEST(ConfigureInterestingSets, selection_custom_base_set)
|
|||||||
ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
|
ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, selection_custom_base_set_repair)
|
TEST_F(test_falco_engine, selection_custom_base_set_repair)
|
||||||
{
|
{
|
||||||
|
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
|
||||||
|
|
||||||
falco::app::state s6;
|
falco::app::state s6;
|
||||||
// run app action with fake engine and without the `-A` option
|
// run app action with fake engine and without the `-A` option
|
||||||
s6.options.all_events = false;
|
s6.options.all_events = false;
|
||||||
s6.engine = mock_engine_from_filters(s_sample_filters);
|
s6.engine = m_engine;
|
||||||
|
|
||||||
// note: here we use file syscalls (e.g. open, openat) and have a custom
|
// note: here we use file syscalls (e.g. open, openat) and have a custom
|
||||||
// positive set, so we expect syscalls such as "close" to be selected as
|
// positive set, so we expect syscalls such as "close" to be selected as
|
||||||
@@ -393,12 +392,14 @@ TEST(ConfigureInterestingSets, selection_custom_base_set_repair)
|
|||||||
ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
|
ASSERT_NAMES_NOCONTAIN(selected_sc_names, unexpected_sc_names);
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(ConfigureInterestingSets, selection_empty_custom_base_set_repair)
|
TEST_F(test_falco_engine, selection_empty_custom_base_set_repair)
|
||||||
{
|
{
|
||||||
|
load_rules(ruleset_from_filters(s_sample_filters), "dummy_ruleset.yaml");
|
||||||
|
|
||||||
falco::app::state s7;
|
falco::app::state s7;
|
||||||
// run app action with fake engine and with the `-A` option
|
// run app action with fake engine and with the `-A` option
|
||||||
s7.options.all_events = true;
|
s7.options.all_events = true;
|
||||||
s7.engine = mock_engine_from_filters(s_sample_filters);
|
s7.engine = m_engine;
|
||||||
|
|
||||||
// simulate empty custom set but repair option set.
|
// simulate empty custom set but repair option set.
|
||||||
s7.config->m_base_syscalls_custom_set = {};
|
s7.config->m_base_syscalls_custom_set = {};
|
||||||
|
|||||||
@@ -16,7 +16,7 @@ protected:
|
|||||||
|
|
||||||
// create a falco engine ready to load the ruleset
|
// create a falco engine ready to load the ruleset
|
||||||
m_inspector.reset(new sinsp());
|
m_inspector.reset(new sinsp());
|
||||||
m_engine.reset(new falco_engine());
|
m_engine = std::make_shared<falco_engine>();
|
||||||
m_filter_factory = std::shared_ptr<sinsp_filter_factory>(
|
m_filter_factory = std::shared_ptr<sinsp_filter_factory>(
|
||||||
new sinsp_filter_factory(m_inspector.get(), m_filterlist));
|
new sinsp_filter_factory(m_inspector.get(), m_filterlist));
|
||||||
m_formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
|
m_formatter_factory = std::shared_ptr<sinsp_evt_formatter_factory>(
|
||||||
@@ -111,7 +111,7 @@ protected:
|
|||||||
sinsp_filter_check_list m_filterlist;
|
sinsp_filter_check_list m_filterlist;
|
||||||
std::shared_ptr<sinsp_filter_factory> m_filter_factory;
|
std::shared_ptr<sinsp_filter_factory> m_filter_factory;
|
||||||
std::shared_ptr<sinsp_evt_formatter_factory> m_formatter_factory;
|
std::shared_ptr<sinsp_evt_formatter_factory> m_formatter_factory;
|
||||||
std::unique_ptr<falco_engine> m_engine;
|
std::shared_ptr<falco_engine> m_engine;
|
||||||
std::unique_ptr<falco::load_result> m_load_result;
|
std::unique_ptr<falco::load_result> m_load_result;
|
||||||
std::string m_load_result_string;
|
std::string m_load_result_string;
|
||||||
nlohmann::json m_load_result_json;
|
nlohmann::json m_load_result_json;
|
||||||
|
|||||||
Reference in New Issue
Block a user