From 74cf752d1b1113ee89eb0f10cb0724a5dff03d43 Mon Sep 17 00:00:00 2001
From: t0x01
Date: Wed, 5 Feb 2025 19:31:44 +0400
Subject: [PATCH] tests:filters: Add test for ancestor binary export filter

Add TestAncestorBinaryRegexFilter test to pkg/filters to ensure that new ancestor binary export filter works as expected.

Signed-off-by: t0x01
---
 pkg/filters/binary_regex_test.go | 86 ++++++++++++++++++++++++++++++++
 pkg/filters/filters_test.go | 1 +
 2 files changed, 87 insertions(+)

diff --git a/pkg/filters/binary_regex_test.go b/pkg/filters/binary_regex_test.go
index 35a8fc41d80..952ba679dca 100644
--- a/pkg/filters/binary_regex_test.go
+++ b/pkg/filters/binary_regex_test.go
@@ -201,3 +201,89 @@ func TestParentBinaryRegexFilter(t *testing.T) {
 }
 assert.True(t, fl.MatchOne(&ev))
 }
+
+func TestAncestorBinaryRegexFilter(t *testing.T) {
+ f := []*tetragon.Filter{{
+ EventSet: []tetragon.EventType{tetragon.EventType_PROCESS_EXEC, tetragon.EventType_PROCESS_EXIT},
+ AncestorBinaryRegex: []string{"bash", "zsh"},
+ }}
+ fl, err := BuildFilterList(context.Background(), f, []OnBuildFilter{&AncestorBinaryRegexFilter{}})
+ assert.NoError(t, err)
+ ev := v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ },
+ },
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/foo"},
+ Process: &tetragon.Process{Binary: "/sbin/bash"},
+ },
+ },
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/bash"},
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ },
+ },
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/bash"},
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ Ancestors: []*tetragon.Process{
+ &tetragon.Process{Binary: "/bin/foo"},
+ &tetragon.Process{Binary: "/bin/bar"},
+ },
+ },
+ },
+ },
+ }
+ assert.False(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/sh"},
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ Ancestors: []*tetragon.Process{
+ &tetragon.Process{Binary: "/bin/foo"},
+ &tetragon.Process{Binary: "/bin/bash"},
+ },
+ },
+ },
+ },
+ }
+ assert.True(t, fl.MatchOne(&ev))
+ ev = v1.Event{
+ Event: &tetragon.GetEventsResponse{
+ Event: &tetragon.GetEventsResponse_ProcessExec{
+ ProcessExec: &tetragon.ProcessExec{
+ Parent: &tetragon.Process{Binary: "/bin/sh"},
+ Process: &tetragon.Process{Binary: "/sbin/iptables"},
+ Ancestors: []*tetragon.Process{
+ &tetragon.Process{Binary: "/bin/zsh"},
+ &tetragon.Process{Binary: "/bin/foo"},
+ },
+ },
+ },
+ },
+ }
+ assert.True(t, fl.MatchOne(&ev))
+}
diff --git a/pkg/filters/filters_test.go b/pkg/filters/filters_test.go
index 2d903403dc4..a8542fee575 100644
--- a/pkg/filters/filters_test.go
+++ b/pkg/filters/filters_test.go
@@ -20,6 +20,7 @@ import (
 func TestMain(m *testing.M) {
 // Needed for cap filters
 option.Config.EnableProcessCred = true
+ option.Config.EnableProcessAncestors = true
 code := m.Run()
 os.Exit(code)
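Review bot: Every case in TestAncestorBinaryRegexFilter builds a ProcessExec event, although the filter's EventSet also lists `tetragon.EventType_PROCESS_EXIT`, so the exit path and the rejection of an event type outside the set are never exercised. The patterns `"bash"` and `"zsh"` are unanchored and the two passing cases use exact basenames only; an extra Ancestors entry such as `&tetragon.Process{Binary: "/usr/bin/rbash"}` (constructed example) would pin down whether a substring hit is intended, which matters because an export filter decides which events reach the exported log. `assert.NoError(t, err)` also lets the test carry on with whatever `fl` holds if BuildFilterList fails; `require.NoError(t, err)` would stop there, assuming testify's require package is acceptable in this file.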
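Review bot: The comment `// Needed for cap filters` now sits above both assignments in TestMain and reads as if it explains the new one; add `// Needed for ancestor filters` above `option.Config.EnableProcessAncestors = true`. Because TestMain sets the flag for the whole package, no test in pkg/filters runs with ancestors disabled, so how the ancestor filter builds when the option is off stays uncovered. Presumably BuildFilterList returns an error in that state; a test that flips the flag and restores it with `t.Cleanup` could confirm it. TestMain's body continues past the end of the hunk.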