From 6eb42667eed2a13ab7dd928c29aa20190fa39fe1 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Fri, 26 Apr 2024 12:00:08 +0200
Subject: [PATCH 1/2] fix: update `TestFalco_Legacy_FalcoEventGenerator`

After this PR https://github.com/falcosecurity/libs/pull/1765 we are now able to correctly retrieve again user name info. For this reason we need to update the triggered rules

Signed-off-by: Andrea Terzolo
---
 tests/data/rules/legacy.go | 28 ++++++++++++++--------------
 tests/falco/legacy_test.go | 4 ++--
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/tests/data/rules/legacy.go b/tests/data/rules/legacy.go
index 1793f25..c02035a 100644
--- a/tests/data/rules/legacy.go
+++ b/tests/data/rules/legacy.go
@@ -92,7 +92,7 @@ var LegacyFalcoRules_v1_0_1 = run.NewStringFileAccessor(
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
 - macro: proc_name_exists
-  condition: (proc.name!="")
+  condition: (not proc.name in ("","N/A"))
 - macro: rename
   condition: (evt.type in (rename, renameat, renameat2))
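Review bot: The new proc_name_exists condition now treats both "" and "N/A" as an unresolved process name, but the comment above it still only says the name must be "known", so nothing at the site records that "N/A" is the value the field reports when it cannot be resolved (the commit message points at libs PR 1765 for this). I would add `# "" and "N/A" both mean the field could not be resolved` above the condition. The same sentinel pair is repeated verbatim in the sensitive_mount hunk and the known_user_in_container hunk of this file, so a matching one-line comment at each of those sites would keep the three macros in sync if the sentinel ever changes again. Since known_user_in_container presumably gates a suppression, widening its "unknown" set is the fail-closed direction (an unresolved name no longer counts as known), which is worth stating so a later reader does not narrow it back by accident.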
@@ -2019,18 +2019,18 @@ var LegacyFalcoRules_v1_0_1 = run.NewStringFileAccessor(
 # below /etc as well, but the globbing mechanism
 # doesn't allow exclusions of a full pattern, only single characters.
 - macro: sensitive_mount
-  condition: (container.mount.dest[/proc*] != "N/A" or
-    container.mount.dest[/var/run/docker.sock] != "N/A" or
-    container.mount.dest[/var/run/crio/crio.sock] != "N/A" or
-    container.mount.dest[/run/containerd/containerd.sock] != "N/A" or
-    container.mount.dest[/var/lib/kubelet] != "N/A" or
-    container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
-    container.mount.dest[/] != "N/A" or
-    container.mount.dest[/home/admin] != "N/A" or
-    container.mount.dest[/etc] != "N/A" or
-    container.mount.dest[/etc/kubernetes] != "N/A" or
-    container.mount.dest[/etc/kubernetes/manifests] != "N/A" or
-    container.mount.dest[/root*] != "N/A")
+  condition: (not container.mount.dest[/proc*] in ("","N/A") or
+    not container.mount.dest[/var/run/docker.sock] in ("","N/A") or
+    not container.mount.dest[/var/run/crio/crio.sock] in ("","N/A") or
+    not container.mount.dest[/run/containerd/containerd.sock] in ("","N/A") or
+    not container.mount.dest[/var/lib/kubelet] in ("","N/A") or
+    not container.mount.dest[/var/lib/kubelet/pki] in ("","N/A") or
+    not container.mount.dest[/] in ("","N/A") or
+    not container.mount.dest[/home/admin] in ("","N/A") or
+    not container.mount.dest[/etc] in ("","N/A") or
+    not container.mount.dest[/etc/kubernetes] in ("","N/A") or
+    not container.mount.dest[/etc/kubernetes/manifests] in ("","N/A") or
+    not container.mount.dest[/root*] in ("","N/A"))
 
 # The steps libcontainer performs to set up the root program for a container are:
 # - clone + exec self to a program runc:[0:PARENT]
@@ -2319,7 +2319,7 @@ var LegacyFalcoRules_v1_0_1 = run.NewStringFileAccessor(
 # https://github.com/draios/sysdig/issues/954). So in that case, allow
 # a setuid.
 - macro: known_user_in_container
-  condition: (container and user.name != "N/A")
+  condition: (container and not user.name in ("","N/A"))
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
diff --git a/tests/falco/legacy_test.go b/tests/falco/legacy_test.go
index 62a7434..1a5c823 100644
--- a/tests/falco/legacy_test.go
+++ b/tests/falco/legacy_test.go
@@ -2695,9 +2695,9 @@ func TestFalco_Legacy_FalcoEventGenerator(t *testing.T) {
 	assert.Equal(t, 1, res.Detections().OfRule("Write below etc").Count())
 	assert.Equal(t, 1, res.Detections().OfRule("System procs network activity").Count())
 	assert.Equal(t, 1, res.Detections().OfRule("Mkdir binary dirs").Count())
-	assert.Equal(t, 0, res.Detections().OfRule("System user interactive").Count())
+	assert.Equal(t, 1, res.Detections().OfRule("System user interactive").Count())
 	assert.Equal(t, 1, res.Detections().OfRule("DB program spawned process").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Non sudo setuid").Count())
+	assert.Equal(t, 0, res.Detections().OfRule("Non sudo setuid").Count())
 	assert.Equal(t, 1, res.Detections().OfRule("Create files below dev").Count())
 	assert.Equal(t, 2, res.Detections().OfRule("Modify binary dirs").Count())
 	assert.Equal(t, 0, res.Detections().OfRule("Change thread namespace").Count())

From 9c2839229b6ca63f02865ec2d7b927b6ba664de3 Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Fri, 26 Apr 2024 12:52:35 +0200
Subject: [PATCH 2/2] cleanup: remove a duplicated test

Same assertions of `TestFalco_Legacy_FalcoEventGenerator`

Signed-off-by: Andrea Terzolo
---
 tests/falco/legacy_test.go | 30 ------------------------------
 1 file changed, 30 deletions(-)

diff --git a/tests/falco/legacy_test.go b/tests/falco/legacy_test.go
index 1a5c823..1905f9b 100644
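Review bot: The two expected counts in TestFalco_Legacy_FalcoEventGenerator flip (0→1 for "System user interactive", 1→0 for "Non sudo setuid") with nothing in the test recording why, so the next time user-name resolution changes in libs a maintainer cannot tell which pair of values is the regression. A short comment above the two assertions, e.g. `// Expected counts changed after libs#1765: user.name is resolved again for these events.`, would tie the numbers to the macro change in tests/data/rules/legacy.go. The enclosing function starts and ends outside the hunk. It also appears that the same assertions in TestFalco_Legacy_DetectCounts were left at the old values by this patch (the diffstat touches only four lines of legacy_test.go), so the series is only green once the second patch deletes that test; updating or removing the duplicate in the first patch would keep every commit passing on its own.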
--- a/tests/falco/legacy_test.go
+++ b/tests/falco/legacy_test.go
@@ -2724,36 +2724,6 @@ func TestFalco_Legacy_SystemUserInteractive(t *testing.T) {
 	assert.Equal(t, 0, res.ExitCode())
 }
 
-func TestFalco_Legacy_DetectCounts(t *testing.T) {
-	t.Parallel()
-	checkConfig(t)
-	res := falco.Test(
-		tests.NewFalcoExecutableRunner(t),
-		falco.WithOutputJSON(),
-		falco.WithRules(rules.LegacyFalcoRules_v1_0_1),
-		falco.WithCaptureFile(captures.TracesPositiveFalcoEventGenerator),
-		falco.WithArgs("-o", "json_include_output_property=false"),
-		falco.WithArgs("-o", "json_include_tags_property=false"),
-	)
-	assert.NotZero(t, res.Detections().Count())
-	assert.NotZero(t, res.Detections().OfPriority("WARNING").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Write below binary dir").Count())
-	assert.Equal(t, 3, res.Detections().OfRule("Read sensitive file untrusted").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Run shell untrusted").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Write below rpm database").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Write below etc").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("System procs network activity").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Mkdir binary dirs").Count())
-	assert.Equal(t, 0, res.Detections().OfRule("System user interactive").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("DB program spawned process").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Non sudo setuid").Count())
-	assert.Equal(t, 1, res.Detections().OfRule("Create files below dev").Count())
-	assert.Equal(t, 2, res.Detections().OfRule("Modify binary dirs").Count())
-	assert.Equal(t, 0, res.Detections().OfRule("Change thread namespace").Count())
-	assert.NoError(t, res.Err(), "%s", res.Stderr())
-	assert.Equal(t, 0, res.ExitCode())
-}
-
 func TestFalco_Legacy_RuleNamesWithRegexChars(t *testing.T) {
 	t.Parallel()
 	checkConfig(t)