diff --git a/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py b/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py
index e45c392227..278e6db35d 100644
--- a/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py
+++ b/test/e2e/tests/test_event_generator/test_db_program_spawned_process.py
@@ -53,7 +53,7 @@ def test_db_program_spawned_process(sinsp, run_containers: dict):
 },
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=/bin/ls args=NULL tid=\d+\(ls\) pid=\d+\(ls\) ptid=\d+\(mysqld\) .* tty=0 pgid=1\(systemd\) loginuid=-1\(\\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=/bin/ls args=NULL tid=\d+\(ls\) pid=\d+\(ls\) ptid=\d+\(mysqld\) .* tty=0 pgid=1\(systemd\) loginuid=-1\(\\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),
diff --git a/test/e2e/tests/test_event_generator/test_file_writes.py b/test/e2e/tests/test_event_generator/test_file_writes.py
index 607f887342..cb148ad01f 100644
--- a/test/e2e/tests/test_event_generator/test_file_writes.py
+++ b/test/e2e/tests/test_event_generator/test_file_writes.py
@@ -5,7 +5,7 @@ def create_expected_arg(directory: str) -> str:
- return fr'^fd=3\({re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=20742\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\) mode=0755 dev=.* ino=\d+$'
+ return fr'^fd=3\({re.escape(directory)}\/created-by-event-generator\) dirfd=-100\(AT_FDCWD\) name={re.escape(directory)}\/created-by-event-generator flags=86278\(O_TRUNC\|O_CREAT\|O_WRONLY\|O_CLOEXEC\|O_F_CREATED\|FD_LOWER_LAYER\) mode=0755 dev=.* ino=\d+$'
 def generate_ids(parameters: list) -> list:
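Review bot: The new expectation `flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\)` makes this assertion depend on /bin/ls living in the image's lower overlay layer, which presumably only holds when the container runtime uses an overlayfs-based storage driver; nothing in the hunk records that assumption, so a runner with a different driver or a bind-mounted rootfs would fail here with an opaque regex mismatch. A comment above the regex such as `# EXE_LOWER_LAYER: /bin/ls comes from the image (overlayfs lower layer); assumes an overlay storage driver on the runner` would make the environmental dependency explicit. Pinning the numeric value next to the flag names also means every future flag bit rewrites this line; that may be deliberate as a cross-check of the decoding, but it is worth saying so. The enclosing test function starts before the hunk.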
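Review bot: The new expected value marks a file that the same pattern shows being created (`O_CREAT`, `O_F_CREATED`) as `FD_LOWER_LAYER`; as I understand overlayfs a freshly created file is written to the upper layer, so unless the target directory is itself a lower-layer path this looks like it pins a misclassification by the driver rather than the intended semantics. Please confirm against the driver change that introduced the flag, and if the value is correct, say why in a comment such as `# FD_LOWER_LAYER is expected even for a file created here because <reason>`. Encoding the numeric `86278` next to the names also means any further flag bit rewrites this line. `create_expected_arg` starts before the hunk (its `def` line is only the hunk header).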
diff --git a/test/e2e/tests/test_event_generator/test_read_sensitive_file.py b/test/e2e/tests/test_event_generator/test_read_sensitive_file.py
index ea68eb928d..14723992cc 100644
--- a/test/e2e/tests/test_event_generator/test_read_sensitive_file.py
+++ b/test/e2e/tests/test_event_generator/test_read_sensitive_file.py
@@ -55,7 +55,7 @@ def test_read_sensitive_file(sinsp, run_containers: dict, expected_process: str)
 expected_events = [
 {
- "evt.args": SinspField.regex_field(r'fd=3\(/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=4097\(O_RDONLY|O_CLOEXEC\) mode=0 dev=\W+ ino=\d+'),
+ "evt.args": SinspField.regex_field(r'fd=3\(/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=69633\(O_RDONLY|O_CLOEXEC\|FD_LOWER_LAYER\) mode=0 dev=\W+ ino=\d+'),
 "evt.cpu": SinspField.numeric_field(),
 "evt.dir": "<",
 "evt.num": SinspField.numeric_field(),
diff --git a/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py b/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py
index ab0a8ae8d8..9f6d032c20 100644
--- a/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py
+++ b/test/e2e/tests/test_event_generator/test_run_shell_untrusted.py
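Review bot: The first `|` inside `\(O_RDONLY|O_CLOEXEC\|FD_LOWER_LAYER\)` is still unescaped, so the pattern is a regex alternation whose left branch ends at `O_RDONLY`; with a match/search-style comparison that branch accepts the event on its prefix alone, and `O_CLOEXEC`, the newly added `FD_LOWER_LAYER`, `mode=0`, `dev` and `ino` are never actually checked. That same defect probably hides that `dev=\W+` (non-word characters only) cannot match a device number rendered as digits or hex, which the sibling tests accept with `dev=.*`. I would change the line to `"evt.args": SinspField.regex_field(r'fd=3\(/etc/shadow\) dirfd=-100\(AT_FDCWD\) name=/etc/shadow flags=69633\(O_RDONLY\|O_CLOEXEC\|FD_LOWER_LAYER\) mode=0 dev=\w+ ino=\d+'),` and re-run, since the tightened pattern may surface a real mismatch that was masked so far. The enclosing test function starts before the hunk.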
@@ -26,7 +26,7 @@ def test_run_shell_untrusted(sinsp, run_containers: dict):
 expected_events = [
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=\/tmp\/falco-event-generator\d+\/httpd args=--loglevel.info.run.\^helper.RunShell\$. tid=\d+\(httpd\) pid=\d+\(httpd\) ptid=\d+\(event-generator\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=\/tmp\/falco-event-generator\d+\/httpd args=--loglevel.info.run.\^helper.RunShell\$. tid=\d+\(httpd\) pid=\d+\(httpd\) ptid=\d+\(event-generator\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),
@@ -38,7 +38,7 @@ def test_run_shell_untrusted(sinsp, run_containers: dict):
 },
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=bash args=-c.ls > \/dev\/null. tid=\d+\(bash\) pid=\d+\(bash\) ptid=\d+\(httpd\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=1\(EXE_WRITABLE\) cap_inheritable=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=bash args=-c.ls > \/dev\/null. tid=\d+\(bash\) pid=\d+\(bash\) ptid=\d+\(httpd\) .* tty=0 pgid=\d+\(systemd\) loginuid=-1\(\\) flags=9\(EXE_WRITABLE\|EXE_LOWER_LAYER\) cap_inheritable=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),
diff --git a/test/e2e/tests/test_event_generator/test_system_user_interactive.py b/test/e2e/tests/test_event_generator/test_system_user_interactive.py
index 723ba672f6..7993f968b9 100644
--- a/test/e2e/tests/test_event_generator/test_system_user_interactive.py
+++ b/test/e2e/tests/test_event_generator/test_system_user_interactive.py
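Review bot: The regex now expects `EXE_LOWER_LAYER` for `/tmp/falco-event-generator\d+/httpd`, a path whose per-run numeric suffix suggests the event generator materialises that binary at runtime rather than shipping it in the image; a file written at runtime should normally land in the overlay upper layer, so either the driver's lower/upper classification is off or the binary ends up somewhere other than the writable layer, and that is worth confirming before pinning it in a test. A comment stating which it is, e.g. `# httpd is copied to /tmp by the generator; EXE_LOWER_LAYER is still expected because <reason>`, would keep the next person from reading a flag flip as a regression. The enclosing test function starts before the hunk.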
@@ -27,7 +27,7 @@ def test_system_user_interactive(sinsp, run_containers: dict):
 expected_events = [
 {
 "container.id": generator_id,
- "evt.args": SinspField.regex_field(r'^res=0 exe=\/bin\/login args=NULL tid=\d+\(login\) pid=\d+\(login\) ptid=\d+\(event-generator\) .* pgid=\d+\(systemd\) loginuid=-1\(\\) flags=0 cap_inheritable=0 cap_permitted=0 cap_effective=0'),
+ "evt.args": SinspField.regex_field(r'^res=0 exe=\/bin\/login args=NULL tid=\d+\(login\) pid=\d+\(login\) ptid=\d+\(event-generator\) .* pgid=\d+\(systemd\) loginuid=-1\(\\) flags=8\(EXE_LOWER_LAYER\) cap_inheritable=0 cap_permitted=0 cap_effective=0'),
 "evt.category": "process",
 "evt.num": SinspField.numeric_field(),
 "evt.time": SinspField.numeric_field(),
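Review bot: The expectation moves from `flags=0` to `flags=8\(EXE_LOWER_LAYER\)`, and unlike the sibling tests in this patch `/bin/login` is not expected to carry `EXE_WRITABLE`; nothing in the hunk says why, and that difference is the security signal this test exists for. A one-line comment above the regex, such as `# EXE_LOWER_LAYER: /bin/login comes from the image layer; no EXE_WRITABLE because the process presumably runs as an unprivileged system user`, would record the intent, with the user part to be confirmed against how the generator runs this action. The enclosing test function starts before the hunk.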