Ensure falco-event-generator actions are detected.

A new trace file falco-event-generator.scap contains the result of running the falco event generator in docker, via: docker run --security-opt seccomp=unconfined sysdig/falco-event-generator:latest /usr/local/bin/event_generator --once Make sure this trace file detects the exact set of events we expect for each rule. This required adding a new verification method check_detections_by_rule that finds the per-rule counts and compares them to the expected counts, which are included in the test description under the key "detect_counts". This is the first time a trace file for a test is actually in one of the downloaded zip files. This means it will be tested twice (one for simple detect-or-not, once for actual counts). Adding this test showed a problem with Run shell in container rule--since sysdig/falco-event-generator startswith sysdig/falco, it was being treated as a trusted container. Modify the macro trusted_containers to not allow falco-event-generator to be trusted.
2025-08-31 14:20:04 +00:00 · 2017-02-01 14:55:45 -08:00
parent 6356490b1c
commit e0a5034a43
3 changed files with 50 additions and 1 deletions
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -345,7 +345,8 @@

 - macro: trusted_containers
  condition: (container.image startswith sysdig/agent or
-              container.image startswith sysdig/falco or
+              (container.image startswith sysdig/falco and
+               not container.image startswith sysdig/falco-event-generator) or
              container.image startswith sysdig/sysdig or
              container.image startswith gcr.io/google_containers/hyperkube or
              container.image startswith gcr.io/google_containers/kube-proxy)
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -56,6 +56,16 @@ class FalcoTest(Test):
        for rule in self.disabled_rules:
            self.disabled_args = self.disabled_args + "-D " + rule + " "

+        self.detect_counts = self.params.get('detect_counts', '*', default=False)
+        if self.detect_counts == False:
+            self.detect_counts = {}
+        else:
+            detect_counts = {}
+            for item in self.detect_counts:
+                for item2 in item:
+                    detect_counts[item2[0]] = item2[1]
+            self.detect_counts = detect_counts
+
        self.rules_warning = self.params.get('rules_warning', '*', default=False)
        if self.rules_warning == False:
            self.rules_warning = sets.Set()
@@ -161,6 +171,23 @@ class FalcoTest(Test):
                    if not events_detected > 0:
                        self.fail("Detected {} events at level {} when should have detected > 0".format(events_detected, level))

+    def check_detections_by_rule(self, res):
+        # Get the number of events detected for each rule. Must match the expected counts.
+        match = re.search('Triggered rules by rule name:(.*)', res.stdout, re.DOTALL)
+        if match is None:
+            self.fail("Could not find a block 'Triggered rules by rule name: ...' in falco output")
+
+        triggered_rules = match.group(1)
+
+        for rule, count in self.detect_counts.iteritems():
+            expected_line = '{}: {}'.format(rule, count)
+            match = re.search(expected_line, triggered_rules)
+
+            if match is None:
+                self.fail("Could not find a line '{}' in triggered rule counts '{}'".format(expected_line, triggered_rules))
+            else:
+                self.log.debug("Found expected count for {}: {}".format(rule, match.group()))
+
    def check_outputs(self):
        for output in self.outputs:
            # Open the provided file and match each line against the
@@ -222,6 +249,8 @@ class FalcoTest(Test):
        if len(self.rules_events) > 0:
            self.check_rules_events(res)
        self.check_detections(res)
+        if len(self.detect_counts) > 0:
+            self.check_detections_by_rule(res)
        self.check_json_output(res)
        self.check_outputs()
        pass
--- a/test/falco_tests.yaml.in
+++ b/test/falco_tests.yaml.in
@@ -181,3 +181,22 @@ trace_files: !mux
    trace_file: trace_files/cat_write.scap
    outputs:
      - /tmp/falco_outputs/program_output.txt: Warning An open was seen
+
+  detect_counts:
+    detect: True
+    detect_level: WARNING
+    trace_file: traces-positive/falco-event-generator.scap
+    detect_counts:
+      - "Write below binary dir": 1
+      - "Read sensitive file untrusted": 3
+      - "Run shell in container": 1
+      - "Write below rpm database": 1
+      - "Write below etc": 1
+      - "System procs network activity": 1
+      - "Mkdir binary dirs": 1
+      - "System user interactive": 1
+      - "DB program spawned process": 1
+      - "Non sudo setuid": 1
+      - "Create files below dev": 1
+      - "Modify binary dirs": 2
+      - "Change thread namespace": 2