From f7893fbd14e2a2c919eaf896a05144bf0763cadb Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Mon, 11 Oct 2021 16:24:40 -0700
Subject: [PATCH] Change expected result for old trace file with old execve event num

The trace file traces-positive/run-shell-untrusted.scap has an old execve event number (PPME_SYSCALL_EXECVE_18), which was replaced by PPME_SYSCALL_EXECVE_19 in 2018. Given the changes in https://github.com/falcosecurity/libs/pull/94, these events are now skipped. So change the test to note that *no* events will be detected.

As a bit of context, event numbers won't be changing any longer--a change around the same time 298fbde8029020ce3fbddd07e2910b59cc402b8b allowed for extending existing events to add new parameters instead of having to define a new event number just to add a new parameter. So the notion of "old events" should not exist for any event created after mid-to-late 2018.

Signed-off-by: Mark Stemm
---
 test/falco_traces.yaml.in | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/test/falco_traces.yaml.in b/test/falco_traces.yaml.in
index a45ab6eb..eb757808 100644
--- a/test/falco_traces.yaml.in
+++ b/test/falco_traces.yaml.in
@@ -111,12 +111,17 @@ traces: !mux
     detect_counts:
       - "Read sensitive file untrusted": 1
 
+  # This should *not* generate any falco alerts as of the changes in
+  # https://github.com/falcosecurity/libs/pull/94--the execve event in
+  # this trace file is PPME_SYSCALL_EXECVE_18, which was deprecated by
+  # PPME_SYSCALL_EXECVE_19 in 2018.
+  #
+  # This activity in this trace file overlaps with the activity in
+  # falco-event-generator.scap so the rule is still being tested.
   run-shell-untrusted:
     trace_file: traces-positive/run-shell-untrusted.scap
-    detect: True
+    detect: False
     detect_level: DEBUG
-    detect_counts:
-      - "Run shell untrusted": 1
 
   system-binaries-network-activity:
     trace_file: traces-positive/system-binaries-network-activity.scap
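Review bot: The trace keeps living under `traces-positive/` while the entry now asserts `detect: False`, so the directory name and the expectation contradict each other; either move the capture to the directory the file uses for no-detection traces, or state the mismatch in the new comment so a reader does not "fix" the expectation back to `True`. The retained `detect_level: DEBUG` has no observable effect once `detect` is `False` and could be dropped together with `detect_counts` to keep the entry minimal. In the added comment, "deprecated by" would read more accurately as "replaced by", matching the commit message, and "This activity in this trace file" should be "The activity in this trace file". The `traces: !mux` mapping this entry belongs to starts before the hunk.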