update(anomalydetection): unit tests for proc lineage + add filterche…

…cks 1/n Signed-off-by: Melissa Kilby <[email protected]>
falcosecurity · Jul 9, 2024 · 34ab66e · 34ab66e
1 parent c33be5b
commit 34ab66e
Show file tree

Hide file tree

Showing 3 changed files with 227 additions and 155 deletions.
diff --git a/plugins/anomalydetection/src/plugin.cpp b/plugins/anomalydetection/src/plugin.cpp
@@ -384,36 +384,36 @@ bool anomalydetection::extract_filterchecks_concat_profile(int64_t thread_id, co
             break;
         }
         case plugin_sinsp_filterchecks::TYPE_ANAME:
+        {
+            // todo: check implications of main thread as it's part of the libs implementation
+            if(field.argid < 1)
             {
-                // todo: check implications of main thread as it's part of the libs implementation
-                if(field.argid < 1)
-                {
-                    m_comm.read_value(tr, thread_entry, tstr);
-                    break;
-                }
-                m_ptid.read_value(tr, thread_entry, ptid);
-                for(uint32_t j = 0; j < field.argid; j++)
+                m_comm.read_value(tr, thread_entry, tstr);
+                break;
+            }
+            m_ptid.read_value(tr, thread_entry, ptid);
+            for(uint32_t j = 0; j < field.argid; j++)
+            {
+                try
                 {
-                    try
+                    auto lineage = m_thread_table.get_entry(tr, ptid);
+                    if(j == (field.argid - 1))
                     {
-                        auto lineage = m_thread_table.get_entry(tr, ptid);
-                        if(j == (field.argid - 1))
-                        {
-                            m_comm.read_value(tr, lineage, tstr);
-                            break;
-                        }
-                        if(ptid == 1)
-                        {
-                            break;
-                        }
-                        m_ptid.read_value(tr, lineage, ptid);
+                        m_comm.read_value(tr, lineage, tstr);
+                        break;
                     }
-                    catch(const std::exception& e)
+                    if(ptid == 1)
                     {
+                        break;
                     }
+                    m_ptid.read_value(tr, lineage, ptid);
+                }
+                catch(const std::exception& e)
+                {
                 }
-                break;
             }
+            break;
+        }
         case plugin_sinsp_filterchecks::TYPE_ARGS:
         {
             const char* arg = nullptr;
@@ -434,6 +434,48 @@ bool anomalydetection::extract_filterchecks_concat_profile(int64_t thread_id, co
                 });
             break;
         }
+        case plugin_sinsp_filterchecks::TYPE_CMDLINE:
+        {
+            m_comm.read_value(tr, thread_entry, tstr);
+            const char* arg = nullptr;
+            auto args_table = m_thread_table.get_subtable(tr, m_args, thread_entry, st::SS_PLUGIN_ST_INT64);
+            args_table.iterate_entries(tr, [this, &tr, &arg, &tstr](const falcosecurity::table_entry& e)
+                {
+                    arg = nullptr;
+                    m_args_value.read_value(tr, e, arg);
+                    if (!tstr.empty())
+                    {
+                        tstr += " ";
+                    }
+                    if (arg)
+                    {
+                        tstr += arg;
+                    }
+                    return true;
+                });
+            break;
+        }
+        case plugin_sinsp_filterchecks::TYPE_EXELINE:
+        {
+            m_exe.read_value(tr, thread_entry, tstr);
+            const char* arg = nullptr;
+            auto args_table = m_thread_table.get_subtable(tr, m_args, thread_entry, st::SS_PLUGIN_ST_INT64);
+            args_table.iterate_entries(tr, [this, &tr, &arg, &tstr](const falcosecurity::table_entry& e)
+                {
+                    arg = nullptr;
+                    m_args_value.read_value(tr, e, arg);
+                    if (!tstr.empty())
+                    {
+                        tstr += " ";
+                    }
+                    if (arg)
+                    {
+                        tstr += arg;
+                    }
+                    return true;
+                });
+            break;
+        }
         case plugin_sinsp_filterchecks::TYPE_EXE:
             m_exe.read_value(tr, thread_entry, tstr);
             break;
@@ -445,35 +487,35 @@ bool anomalydetection::extract_filterchecks_concat_profile(int64_t thread_id, co
             break;
         }
         case plugin_sinsp_filterchecks::TYPE_AEXE:
+        {
+            if(field.argid < 1)
             {
-                if(field.argid < 1)
-                {
-                    m_exe.read_value(tr, thread_entry, tstr);
-                    break;
-                }
-                m_ptid.read_value(tr, thread_entry, ptid);
-                for(uint32_t j = 0; j < field.argid; j++)
+                m_exe.read_value(tr, thread_entry, tstr);
+                break;
+            }
+            m_ptid.read_value(tr, thread_entry, ptid);
+            for(uint32_t j = 0; j < field.argid; j++)
+            {
+                try
                 {
-                    try
+                    auto lineage = m_thread_table.get_entry(tr, ptid);
+                    if(j == (field.argid - 1))
                     {
-                        auto lineage = m_thread_table.get_entry(tr, ptid);
-                        if(j == (field.argid - 1))
-                        {
-                            m_exe.read_value(tr, lineage, tstr);
-                            break;
-                        }
-                        if(ptid == 1)
-                        {
-                            break;
-                        }
-                        m_ptid.read_value(tr, lineage, ptid);
+                        m_exe.read_value(tr, lineage, tstr);
+                        break;
                     }
-                    catch(const std::exception& e)
+                    if(ptid == 1)
                     {
+                        break;
                     }
+                    m_ptid.read_value(tr, lineage, ptid);
+                }
+                catch(const std::exception& e)
+                {
                 }
-                break;
             }
+            break;
+        }
         case plugin_sinsp_filterchecks::TYPE_EXEPATH:
             m_exepath.read_value(tr, thread_entry, tstr);
             break;
@@ -485,35 +527,35 @@ bool anomalydetection::extract_filterchecks_concat_profile(int64_t thread_id, co
             break;
         }
         case plugin_sinsp_filterchecks::TYPE_AEXEPATH:
+        {
+            if(field.argid < 1)
             {
-                if(field.argid < 1)
-                {
-                    m_exepath.read_value(tr, thread_entry, tstr);
-                    break;
-                }
-                m_ptid.read_value(tr, thread_entry, ptid);
-                for(uint32_t j = 0; j < field.argid; j++)
+                m_exepath.read_value(tr, thread_entry, tstr);
+                break;
+            }
+            m_ptid.read_value(tr, thread_entry, ptid);
+            for(uint32_t j = 0; j < field.argid; j++)
+            {
+                try
                 {
-                    try
+                    auto lineage = m_thread_table.get_entry(tr, ptid);
+                    if(j == (field.argid - 1))
                     {
-                        auto lineage = m_thread_table.get_entry(tr, ptid);
-                        if(j == (field.argid - 1))
-                        {
-                            m_exepath.read_value(tr, lineage, tstr);
-                            break;
-                        }
-                        if(ptid == 1)
-                        {
-                            break;
-                        }
-                        m_ptid.read_value(tr, lineage, ptid);
+                        m_exepath.read_value(tr, lineage, tstr);
+                        break;
                     }
-                    catch(const std::exception& e)
+                    if(ptid == 1)
                     {
+                        break;
                     }
+                    m_ptid.read_value(tr, lineage, ptid);
+                }
+                catch(const std::exception& e)
+                {
                 }
-                break;
             }
+            break;
+        }
         case plugin_sinsp_filterchecks::TYPE_CWD:
             m_cwd.read_value(tr, thread_entry, tstr);
             break;
@@ -534,35 +576,37 @@ bool anomalydetection::extract_filterchecks_concat_profile(int64_t thread_id, co
                 break;
             }
         case plugin_sinsp_filterchecks::TYPE_APID:
+        {
+            if(field.argid < 1)
             {
-                if(field.argid < 1)
-                {
-                    m_pid.read_value(tr, thread_entry, tint64);
-                    break;
-                }
-                m_ptid.read_value(tr, thread_entry, ptid);
-                for(uint32_t j = 0; j < field.argid; j++)
+                m_pid.read_value(tr, thread_entry, tint64);
+                tstr = std::to_string(tint64);
+                break;
+            }
+            m_ptid.read_value(tr, thread_entry, ptid);
+            for(uint32_t j = 0; j < field.argid; j++)
+            {
+                try
                 {
-                    try
+                    auto lineage = m_thread_table.get_entry(tr, ptid);
+                    if(j == (field.argid - 1))
                     {
-                        auto lineage = m_thread_table.get_entry(tr, ptid);
-                        if(j == (field.argid - 1))
-                        {
-                            m_pid.read_value(tr, lineage, tint64);
-                            break;
-                        }
-                        if(ptid == 1)
-                        {
-                            break;
-                        }
-                        m_ptid.read_value(tr, lineage, ptid);
+                        m_pid.read_value(tr, lineage, tint64);
+                        tstr = std::to_string(tint64);
+                        break;
                     }
-                    catch(const std::exception& e)
+                    if(ptid == 1)
                     {
+                        break;
                     }
+                    m_ptid.read_value(tr, lineage, ptid);
+                }
+                catch(const std::exception& e)
+                {
                 }
-                break;
             }
+            break;
+        }
         case plugin_sinsp_filterchecks::TYPE_VPID:
             m_vpid.read_value(tr, thread_entry, tint64);
             tstr = std::to_string(tint64);
@@ -581,65 +625,65 @@ bool anomalydetection::extract_filterchecks_concat_profile(int64_t thread_id, co
             break;
         // todo better unit tests and double check the parent lineage traversal fields in general
         case plugin_sinsp_filterchecks::TYPE_SNAME:
+        {
+            int64_t sid;
+            m_sid.read_value(tr, thread_entry, sid);
+            m_ptid.read_value(tr, thread_entry, ptid);
+            falcosecurity::table_entry last_entry(nullptr, nullptr, nullptr);
+            falcosecurity::table_entry* leader = &thread_entry;
+            for(uint32_t j = 0; j < 9; j++)
             {
-                int64_t sid;
-                m_sid.read_value(tr, thread_entry, sid);
-                m_ptid.read_value(tr, thread_entry, ptid);
-                falcosecurity::table_entry last_entry(nullptr, nullptr, nullptr);
-                falcosecurity::table_entry* leader = &thread_entry;
-                for(uint32_t j = 0; j < 9; j++)
+                try
                 {
-                    try
-                    {
-                        auto lineage = m_thread_table.get_entry(tr, ptid);
-                        m_sid.read_value(tr, lineage, tint64);
-                        if(sid != tint64)
-                        {
-                            break;
-                        }
-                        m_ptid.read_value(tr, lineage, ptid);
-                        last_entry = std::move(lineage);
-                        leader = &last_entry;
-                    }
-                    catch(const std::exception& e)
+                    auto lineage = m_thread_table.get_entry(tr, ptid);
+                    m_sid.read_value(tr, lineage, tint64);
+                    if(sid != tint64)
                     {
+                        break;
                     }
+                    m_ptid.read_value(tr, lineage, ptid);
+                    last_entry = std::move(lineage);
+                    leader = &last_entry;
+                }
+                catch(const std::exception& e)
+                {
                 }
-                m_comm.read_value(tr, *leader, tstr);
-                break;
             }
+            m_comm.read_value(tr, *leader, tstr);
+            break;
+        }
         case plugin_sinsp_filterchecks::TYPE_VPGID:
             m_vpgid.read_value(tr, thread_entry, tint64);
             tstr = std::to_string(tint64);
             break;
         case plugin_sinsp_filterchecks::TYPE_VPGID_NAME:
+        {
+            int64_t vpgid;
+            m_vpgid.read_value(tr, thread_entry, vpgid);
+            m_ptid.read_value(tr, thread_entry, ptid);
+            falcosecurity::table_entry last_entry(nullptr, nullptr, nullptr);
+            falcosecurity::table_entry* leader = &thread_entry;
+            for(uint32_t j = 0; j < 5; j++)
             {
-                int64_t vpgid;
-                m_vpgid.read_value(tr, thread_entry, vpgid);
-                m_ptid.read_value(tr, thread_entry, ptid);
-                falcosecurity::table_entry last_entry(nullptr, nullptr, nullptr);
-                falcosecurity::table_entry* leader = &thread_entry;
-                for(uint32_t j = 0; j < 5; j++)
+                try
                 {
-                    try
-                    {
-                        auto lineage = m_thread_table.get_entry(tr, ptid);
-                        m_vpgid.read_value(tr, lineage, tint64);
-                        if(vpgid != tint64)
-                        {
-                            break;
-                        }
-                        m_ptid.read_value(tr, lineage, ptid);
-                        last_entry = std::move(lineage);
-                        leader = &last_entry;
-                    }
-                    catch(const std::exception& e)
+                    auto lineage = m_thread_table.get_entry(tr, ptid);
+                    m_vpgid.read_value(tr, lineage, tint64);
+                    if(vpgid != tint64)
                     {
+                        break;
                     }
+                    m_ptid.read_value(tr, lineage, ptid);
+                    last_entry = std::move(lineage);
+                    leader = &last_entry;
+                }
+                catch(const std::exception& e)
+                {
                 }
-                m_comm.read_value(tr, *leader, tstr);
-                break;
             }
+            m_comm.read_value(tr, *leader, tstr);
+            break;
+        }
         default:
             break;
         }

diff --git a/plugins/anomalydetection/test/include/test_helpers.h b/plugins/anomalydetection/test/include/test_helpers.h
@@ -15,7 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-#define INIT_CONFIG "{\"count_min_sketch\":{\"enabled\":true,\"n_sketches\":3,\"gamma_eps\":[[0.001,0.0001],[0.001,0.0001],[0.001,0.0001]],\"behavior_profiles\":[{\"fields\":\"%container.id %proc.name %proc.aname[1] %proc.aname[2] %proc.aname[3] %proc.exepath %proc.pexepath %proc.aexepath[2] %proc.tty %proc.vpgid.name %proc.sname %proc.pid %proc.ppid %proc.sid %proc.vpgid %proc.vpid %proc.pvid %proc.apid[1]\",\"event_codes\":[293,331]},{\"fields\":\"%container.id %proc.name %proc.aname[1] %proc.aname[2] %proc.aname[3] %proc.exepath %proc.tty %proc.vpgid.name %proc.sname %fd.name\",\"event_codes\":[3,307,327]},{\"fields\":\"%container.id %proc.args\",\"event_codes\":[293,331]}]}}"
+#define INIT_CONFIG "{\"count_min_sketch\":{\"enabled\":true,\"n_sketches\":3,\"gamma_eps\":[[0.001,0.0001],[0.001,0.0001],[0.001,0.0001]],\"behavior_profiles\":[{\"fields\":\"%container.id %proc.name %proc.pname %proc.exepath %proc.pexepath %proc.tty %proc.vpid %proc.pvid]\",\"event_codes\":[293,331]},{\"fields\":\"%container.id %proc.name %proc.aname[1] %proc.aname[2] %proc.aname[3] %proc.exepath %proc.tty %proc.vpgid.name %proc.sname %fd.name\",\"event_codes\":[3,307,327]},{\"fields\":\"%container.id %proc.cmdline %proc.name %proc.aname[0] %proc.aname[1] %proc.aname[2] %proc.aname[3] %proc.aname[4] %proc.aname[5] %proc.aname[6] %proc.aname[7] %proc.pid %proc.apid[0] %proc.apid[1] %proc.apid[2] %proc.apid[3] %proc.apid[4] %proc.apid[5] %proc.apid[6] %proc.apid[7] %proc.exepath %proc.aexepath[0] %proc.aexepath[1] %proc.aexepath[2] %proc.aexepath[3] %proc.aexepath[4] %proc.aexepath[5] %proc.aexepath[6] %proc.aexepath[7] %proc.vpgid %proc.vpgid.name %proc.sid %proc.sname\",\"event_codes\":[293,331]}]}}"
 
 #define ASSERT_PLUGIN_INITIALIZATION(p_o, p_l)                                 \
     {                                                                          \