From 68f174554782b1ce379473260ca10ad0b4b07c67 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Tue, 19 Nov 2024 09:39:29 +0100
Subject: [PATCH 1/7] chore(decl): abstract process creation

Abstract process creation through a new process package.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 pkg/process/doc.go           |  17 +++
 pkg/process/process.go       | 246 +++++++++++++++++++++++++++++++++++
 pkg/test/runner/host/host.go | 116 ++++-------------
 3 files changed, 288 insertions(+), 91 deletions(-)
 create mode 100644 pkg/process/doc.go
 create mode 100644 pkg/process/process.go

diff --git a/pkg/process/doc.go b/pkg/process/doc.go
new file mode 100644
index 00000000..7d59964a
--- /dev/null
+++ b/pkg/process/doc.go
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package process provides the Process abstraction, allowing to define and interact with a new OS process.
+package process
diff --git a/pkg/process/process.go b/pkg/process/process.go
new file mode 100644
index 00000000..035acb3c
--- /dev/null
+++ b/pkg/process/process.go
@@ -0,0 +1,246 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package process
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+
+	"github.com/go-logr/logr"
+	"golang.org/x/sys/unix"
+
+	"github.com/falcosecurity/event-generator/pkg/random"
+)
+
+// Process represent an OS process.
+type Process struct {
+	logger logr.Logger
+	// command is the command the process is associated with.
+	command string
+	// simExePath is the "simulated" executable path. This sets the executable path accessible through
+	// `readlink -f /proc/<pid/exepath` for the started process. If empty, it is randomly generated.
+	simExePath string
+	// cmd is the underlying command object.
+	cmd *exec.Cmd
+	// started is true if the process has been started; false otherwise.
+	started bool
+}
+
+// Description describes a process.
+type Description struct {
+	Logger logr.Logger
+	// The command to be run.
+	Command string
+	// SimExePath is the "simulated" executable path. This sets the executable path accessible through
+	// `readlink -f /proc/<pid/exepath` for the started process. If empty, it is randomly generated.
+	SimExePath string
+	// Name is the process name. If omitted, it defaults to filepath.Base(SimExePath).
+	Name string
+	// Arg0 is the argument in position 0 (a.k.a. argv[0]) of the process. If empty, it defaults to Name if this is
+	// not empty; otherwise, it defaults to filepath.Base(SimExePath).
+	Arg0 string
+	// Args is a string containing the space-separated list of command line arguments. If a single argument contains
+	// spaces, the entire argument must be quoted in order to not be considered as multiple arguments.
+	Args string
+	// Env is the list of environment variables that must be provided to the process.
+	Env []string
+}
+
+var (
+	// defaultSimExePathPrefix defines the prefix used to generate a random simulated executable path.
+	defaultSimExePathPrefix = filepath.Join(os.TempDir(), "event-generator")
+)
+
+// New creates a new process.
+func New(ctx context.Context, procDesc *Description) *Process {
+	// If the user doesn't provide an executable path, we must generate a random path.
+	var simExePath string
+	if exePath := procDesc.SimExePath; exePath != "" {
+		simExePath = exePath
+	} else {
+		simExePath = defaultSimExePathPrefix + random.Seq(10)
+	}
+
+	// If the user provides a process name, we must run the executable through a symbolic link having the provided name
+	// and pointing to the simulated executable path. Create the symbolic link under the directory of the simulated
+	// executable.
+	var exePath string
+	if name := procDesc.Name; name != "" {
+		exePath = filepath.Join(filepath.Dir(simExePath), name)
+	} else {
+		exePath = simExePath
+	}
+
+	// If the user provides the argument zero, set the argument zero of the new process to its value; otherwise defaults
+	// it to the last segment of the executable path.
+	var procArg0 string
+	if arg0 := procDesc.Arg0; arg0 != "" {
+		procArg0 = arg0
+	} else {
+		procArg0 = filepath.Base(exePath)
+	}
+
+	// Evaluate process arguments.
+	procArgs := splitArgs(procDesc.Args)
+
+	// Setup process command.
+	cmd := exec.CommandContext(ctx, exePath, procArgs...) //nolint:gosec // Disable G204
+	cmd.Args[0] = procArg0
+	cmd.Env = procDesc.Env
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	proc := &Process{
+		logger:     procDesc.Logger,
+		command:    procDesc.Command,
+		simExePath: simExePath,
+		cmd:        cmd,
+		started:    false,
+	}
+	return proc
+}
+
+// splittingArgsRegex allows to split space-separated arguments, keeping together space-separated words under the same
+// single- or double-quoted group.
+var splittingArgsRegex = regexp.MustCompile(`"([^"]+)"|'([^']+)'|(\S+)`)
+
+// splitArgs splits the provided space-separated arguments. If a group composed of space-separated words must be
+// considered as a single argument, it must be single- or double-quoted.
+func splitArgs(args string) []string {
+	if args == "" {
+		return nil
+	}
+
+	matches := splittingArgsRegex.FindAllStringSubmatch(args, -1)
+	splittedArgs := make([]string, len(matches))
+	for matchIndex, match := range matches {
+		// match[1] is for double quotes, match[2] for single quotes, match[3] for unquoted.
+		if match[1] != "" { //nolint:gocritic // Rewrite this as switch statement worsens readability.
+			splittedArgs[matchIndex] = match[1]
+		} else if match[2] != "" {
+			splittedArgs[matchIndex] = match[2]
+		} else if match[3] != "" {
+			splittedArgs[matchIndex] = match[3]
+		}
+	}
+	return splittedArgs
+}
+
+// Start the process.
+func (p *Process) Start() (err error) {
+	command := p.command
+	simExePath := p.simExePath
+	exePath := p.cmd.Path
+
+	// Create a hard link to the provided command, named as specified by the user.
+	if err := os.Link(command, simExePath); err != nil {
+		return fmt.Errorf("error creating process executable: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			if err := os.Remove(simExePath); err != nil {
+				p.logger.Error(err, "Error deleting process executable", "path", simExePath)
+			}
+		}
+	}()
+	p.logger.V(1).Info("Created process executable", "path", simExePath)
+
+	// If the user specified a custom process name, we will run the executable through a symbolic link, so create it.
+	if simExePath != exePath {
+		if err := os.Symlink(simExePath, exePath); err != nil {
+			return fmt.Errorf("error creating symlink %q to process executable %q: %w", exePath, simExePath,
+				err)
+		}
+		defer func() {
+			if err != nil {
+				if err := os.Remove(exePath); err != nil {
+					p.logger.Error(err, "Error deleting symlink to process executable", "symlink", exePath)
+				}
+			}
+		}()
+	}
+	p.logger.V(1).Info("Created symlink to process executable", "path", simExePath, "symlink", exePath)
+
+	// Run the process.
+	if err := p.cmd.Start(); err != nil {
+		return err
+	}
+
+	p.started = true
+	return nil
+}
+
+var errProcessNotStarted = fmt.Errorf("process not started")
+
+// Wait waits for process to exit and releases the related resources.
+func (p *Process) Wait() error {
+	if !p.started {
+		return errProcessNotStarted
+	}
+
+	defer p.releaseResources()
+
+	if err := p.cmd.Wait(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Kill kills the process and releases the related resources.
+func (p *Process) Kill() error {
+	if !p.started {
+		return errProcessNotStarted
+	}
+
+	defer p.releaseResources()
+
+	if err := p.cmd.Process.Signal(unix.SIGKILL); err != nil {
+		return fmt.Errorf("error sending sigkill to process: %w", err)
+	}
+
+	return nil
+}
+
+// releaseResources releases the resources associated to the process, such as created executables.
+func (p *Process) releaseResources() {
+	simExePath := p.simExePath
+	exePath := p.cmd.Path
+	defer func() {
+		p.started = false
+	}()
+
+	if simExePath != exePath {
+		if err := os.Remove(exePath); err != nil {
+			p.logger.Error(err, "Error deleting symlink to process executable", "symlink", exePath)
+		} else {
+			p.logger.V(1).Info("Deleted symlink to process executable", "symlink", exePath)
+		}
+	}
+
+	if err := os.Remove(simExePath); err != nil {
+		p.logger.Error(err, "Error deleting process executable", "path", simExePath)
+	}
+	p.logger.V(1).Info("Deleted process executable", "path", simExePath)
+}
+
+// PID returns the process identifier.
+func (p *Process) PID() int {
+	return p.cmd.Process.Pid
+}
diff --git a/pkg/test/runner/host/host.go b/pkg/test/runner/host/host.go
index 97759502..ebeb9fe0 100644
--- a/pkg/test/runner/host/host.go
+++ b/pkg/test/runner/host/host.go
@@ -19,15 +19,12 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/exec"
-	"path/filepath"
-	"regexp"
 	"strconv"
 	"strings"
 
 	"github.com/go-logr/logr"
 
-	"github.com/falcosecurity/event-generator/pkg/random"
+	"github.com/falcosecurity/event-generator/pkg/process"
 	"github.com/falcosecurity/event-generator/pkg/test"
 	"github.com/falcosecurity/event-generator/pkg/test/loader"
 	"github.com/falcosecurity/event-generator/pkg/test/runner"
@@ -105,88 +102,51 @@ func (r *hostRunner) Run(ctx context.Context, testID string, testIndex int, test
 	return nil
 }
 
-var (
-	// defaultRealExePathPrefix defines the prefix used to generate a random real executable path.
-	defaultRealExePathPrefix = filepath.Join(os.TempDir(), "event-generator")
-)
-
 // delegateToChild delegates the execution of the test to a child process, created and tuned as per test specification.
 func (r *hostRunner) delegateToChild(ctx context.Context, testID string, testIndex int, testDesc *loader.Test) error {
 	firstProcess := popFirstProcessContext(testDesc.Context)
 	isLastProcess := len(testDesc.Context.Processes) == 0
 
-	// If the user doesn't provide an executable path, we must generate a random path.
-	var realExePath string
-	if exePath := firstProcess.ExePath; exePath != nil {
-		realExePath = *exePath
-	} else {
-		realExePath = defaultRealExePathPrefix + random.Seq(10)
-	}
-
-	// If the user provides a process name, we must run the executable through a symbolic link having the provided name
-	// and pointing to the real executable path.
-	exePath := realExePath
-	if name := firstProcess.Name; name != nil {
-		exePath = filepath.Join(filepath.Dir(realExePath), *name)
-	}
-
-	// If the user provides the "exe" field, set the argument 0 of the new process to its value; otherwise defaults it
-	// to the last segment of the executable path.
-	arg0 := filepath.Base(exePath)
-	if exe := firstProcess.Exe; exe != nil {
-		arg0 = *exe
-	}
-
-	// Evaluate process arguments.
-	procArgs := splitArgs(firstProcess.Args)
-
 	// Evaluate process environment variables.
 	procEnv, err := r.buildEnv(testID, testIndex, testDesc, firstProcess.Env, isLastProcess)
 	if err != nil {
 		return fmt.Errorf("error building process environment variables set: %w", err)
 	}
 
-	// Setup process command.
-	cmd := exec.CommandContext(ctx, exePath, procArgs...) //nolint:gosec // Disable G204
-	cmd.Args[0] = arg0
-	cmd.Env = procEnv
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-
-	// Create a hard link to the current process executable as specified by the user in the "ExePath" field.
+	// Get current process executable path.
 	currentExePath, err := getCurrentExePath()
 	if err != nil {
 		return fmt.Errorf("error retrieving the current process executable path: %w", err)
 	}
 
-	if err := os.Link(currentExePath, realExePath); err != nil {
-		return fmt.Errorf("error creating process executable: %w", err)
+	var simExePath, name, arg0, args string
+	if firstProcess.ExePath != nil {
+		simExePath = *firstProcess.ExePath
 	}
-	defer func() {
-		if err := os.Remove(realExePath); err != nil {
-			r.logger.Error(err, "Error deleting process executable", "path", realExePath)
-		}
-	}()
-
-	// If the user specified a custom process name, we will run the executable through a symbolic link, so create it.
-	if realExePath != exePath {
-		if err := os.Symlink(realExePath, exePath); err != nil {
-			return fmt.Errorf("error creating symlink %q to process executable %q: %w", exePath, realExePath,
-				err)
-		}
-		defer func() {
-			if err := os.Remove(exePath); err != nil {
-				r.logger.Error(err, "Error deleting symlink to process executable", "symlink", exePath)
-			}
-		}()
+	if firstProcess.Name != nil {
+		name = *firstProcess.Name
 	}
-
-	// Run the child process and wait for it.
-	if err := cmd.Start(); err != nil {
+	if firstProcess.Exe != nil {
+		arg0 = *firstProcess.Exe
+	}
+	if firstProcess.Args != nil {
+		args = *firstProcess.Args
+	}
+	procDesc := &process.Description{
+		Logger:     r.logger,
+		Command:    currentExePath,
+		SimExePath: simExePath,
+		Name:       name,
+		Arg0:       arg0,
+		Args:       args,
+		Env:        procEnv,
+	}
+	proc := process.New(ctx, procDesc)
+	if err := proc.Start(); err != nil {
 		return fmt.Errorf("error starting child process: %w", err)
 	}
 
-	if err := cmd.Wait(); err != nil {
+	if err := proc.Wait(); err != nil {
 		return fmt.Errorf("error waiting for child process: %w", err)
 	}
 
@@ -201,32 +161,6 @@ func popFirstProcessContext(testContext *loader.TestContext) *loader.ProcessCont
 	return &firstProcess
 }
 
-// splittingArgsRegex allows to split space-separated arguments, keeping together space-separated words under the same
-// single- or double-quoted group.
-var splittingArgsRegex = regexp.MustCompile(`"([^"]+)"|'([^']+)'|(\S+)`)
-
-// splitArgs splits the provided space-separated arguments. If a group composed of space-separated words must be
-// considered as a single argument, it must be single- or double-quoted.
-func splitArgs(args *string) []string {
-	if args == nil {
-		return nil
-	}
-
-	matches := splittingArgsRegex.FindAllStringSubmatch(*args, -1)
-	splittedArgs := make([]string, len(matches))
-	for matchIndex, match := range matches {
-		// match[1] is for double quotes, match[2] for single quotes, match[3] for unquoted.
-		if match[1] != "" { //nolint:gocritic // Rewrite this as switch statement worsens readability.
-			splittedArgs[matchIndex] = match[1]
-		} else if match[2] != "" {
-			splittedArgs[matchIndex] = match[2]
-		} else if match[3] != "" {
-			splittedArgs[matchIndex] = match[3]
-		}
-	}
-	return splittedArgs
-}
-
 func (r *hostRunner) buildEnv(testID string, testIndex int, testDesc *loader.Test, userEnv map[string]string,
 	isLastProcess bool) ([]string, error) {
 	env := r.Environ

From efc3957cf34781d118cf12fe63756bb993461a6b Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Tue, 19 Nov 2024 10:08:43 +0100
Subject: [PATCH 2/7] feat(decl/loader): add process resource YAML definition

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 pkg/test/loader/loader.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/pkg/test/loader/loader.go b/pkg/test/loader/loader.go
index d0410e80..cfba584c 100644
--- a/pkg/test/loader/loader.go
+++ b/pkg/test/loader/loader.go
@@ -189,6 +189,8 @@ func (r *TestResource) UnmarshalYAML(node *yaml.Node) error {
 		spec = &TestResourceClientServerSpec{}
 	case TestResourceTypeFD:
 		spec = &TestResourceFDSpec{}
+	case TestResourceTypeProcess:
+		spec = &TestResourceProcessSpec{}
 	default:
 		panic(fmt.Sprintf("unknown test resource type %q", decodedType))
 	}
@@ -217,6 +219,12 @@ func (r TestResource) MarshalYAML() (interface{}, error) {
 		}{Type: resourceType, Name: r.Name, Spec: r.Spec.(*TestResourceClientServerSpec)}, nil
 	case TestResourceTypeFD:
 		return r.marshalFD()
+	case TestResourceTypeProcess:
+		return struct {
+			Type TestResourceType         `yaml:"type"`
+			Name string                   `yaml:"name"`
+			Spec *TestResourceProcessSpec `yaml:"spec,inline"`
+		}{Type: resourceType, Name: r.Name, Spec: r.Spec.(*TestResourceProcessSpec)}, nil
 	default:
 		return nil, fmt.Errorf("unknown test resource type %q", resourceType)
 	}
@@ -301,6 +309,8 @@ const (
 	TestResourceTypeClientServer TestResourceType = "clientServer"
 	// TestResourceTypeFD specifies that the resource creates a file descriptor.
 	TestResourceTypeFD TestResourceType = "fd"
+	// TestResourceTypeProcess specifies that the resource creates a process.
+	TestResourceTypeProcess TestResourceType = "process"
 )
 
 // UnmarshalYAML populates the TestResourceType instance by unmarshalling the content of the provided YAML node.
@@ -313,6 +323,7 @@ func (t *TestResourceType) UnmarshalYAML(node *yaml.Node) error {
 	switch TestResourceType(value) {
 	case TestResourceTypeClientServer:
 	case TestResourceTypeFD:
+	case TestResourceTypeProcess:
 	default:
 		return fmt.Errorf("unknown test step type %q", value)
 	}
@@ -495,6 +506,23 @@ type TestResourceFDMemSpec struct {
 	FileName string `yaml:"fileName" validate:"required"`
 }
 
+// TestResourceProcessSpec describes a process test resource.
+type TestResourceProcessSpec struct {
+	// ExePath is the executable path. If omitted, it is randomly generated.
+	ExePath *string `yaml:"exePath" validate:"omitempty,min=1"`
+	// Args is a string containing the space-separated list of command line arguments. If a single argument contains
+	// spaces, the entire argument must be quoted in order to not be considered as multiple arguments. If omitted, it
+	// defaults to "".
+	Args *string `yaml:"args,omitempty" validate:"omitempty,min=1"`
+	// Exe is the argument in position 0 (a.k.a. argv[0]) of the process. If omitted, it defaults to Name if this is
+	// specified; otherwise, it defaults to filepath.Base(ExePath).
+	Exe *string `yaml:"exe,omitempty" validate:"omitempty,min=1"`
+	// Name is the process name. If omitted, it defaults to filepath.Base(ExePath).
+	Name *string `yaml:"procName,omitempty" validate:"omitempty,min=1"`
+	// Env is the set of environment variables that must be provided to the process (in addition to the default ones).
+	Env map[string]string `yaml:"env,omitempty" validate:"omitempty,min=1"`
+}
+
 // TestStep describes a test step.
 type TestStep struct {
 	Type          TestStepType            `yaml:"type" validate:"-"`

From 2946b6ba495f6d8bdda212a05983e2250974eb42 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Tue, 19 Nov 2024 10:09:58 +0100
Subject: [PATCH 3/7] feat(decl/resources): add process test resource

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu
---
 pkg/process/process.go               |  25 ++++--
 pkg/test/resource/builder/builder.go |  42 +++++++++-
 pkg/test/resource/process/doc.go     |  18 +++++
 pkg/test/resource/process/process.go | 117 +++++++++++++++++++++++++++
 4 files changed, 195 insertions(+), 7 deletions(-)
 create mode 100644 pkg/test/resource/process/doc.go
 create mode 100644 pkg/test/resource/process/process.go

diff --git a/pkg/process/process.go b/pkg/process/process.go
index 035acb3c..f03c933c 100644
--- a/pkg/process/process.go
+++ b/pkg/process/process.go
@@ -17,6 +17,7 @@ package process
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -144,12 +145,15 @@ func splitArgs(args string) []string {
 
 // Start the process.
 func (p *Process) Start() (err error) {
-	command := p.command
-	simExePath := p.simExePath
-	exePath := p.cmd.Path
+	// Retrieve the specified command path.
+	commandPath, err := exec.LookPath(p.command)
+	if err != nil && !errors.Is(err, exec.ErrDot) {
+		return fmt.Errorf("error retrieving command path: %w", err)
+	}
 
-	// Create a hard link to the provided command, named as specified by the user.
-	if err := os.Link(command, simExePath); err != nil {
+	// Create a hard link to the provided command path, named as specified by the user.
+	simExePath := p.simExePath
+	if err := os.Link(commandPath, simExePath); err != nil {
 		return fmt.Errorf("error creating process executable: %w", err)
 	}
 	defer func() {
@@ -162,6 +166,7 @@ func (p *Process) Start() (err error) {
 	p.logger.V(1).Info("Created process executable", "path", simExePath)
 
 	// If the user specified a custom process name, we will run the executable through a symbolic link, so create it.
+	exePath := p.cmd.Path
 	if simExePath != exePath {
 		if err := os.Symlink(simExePath, exePath); err != nil {
 			return fmt.Errorf("error creating symlink %q to process executable %q: %w", exePath, simExePath,
@@ -215,6 +220,16 @@ func (p *Process) Kill() error {
 		return fmt.Errorf("error sending sigkill to process: %w", err)
 	}
 
+	if err := p.cmd.Wait(); err != nil {
+		var exitErr *exec.ExitError
+		if errors.As(err, &exitErr) {
+			if terminatedBySignal := !exitErr.ProcessState.Exited(); terminatedBySignal {
+				return nil
+			}
+		}
+		return fmt.Errorf("error waiting for process: %w", err)
+	}
+
 	return nil
 }
 
diff --git a/pkg/test/resource/builder/builder.go b/pkg/test/resource/builder/builder.go
index 28b60cdf..8da1ab5e 100644
--- a/pkg/test/resource/builder/builder.go
+++ b/pkg/test/resource/builder/builder.go
@@ -17,6 +17,7 @@ package builder
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/go-logr/logr"
 
@@ -31,6 +32,7 @@ import (
 	"github.com/falcosecurity/event-generator/pkg/test/resource/fd/mem"
 	"github.com/falcosecurity/event-generator/pkg/test/resource/fd/pipe"
 	"github.com/falcosecurity/event-generator/pkg/test/resource/fd/signal"
+	"github.com/falcosecurity/event-generator/pkg/test/resource/process"
 )
 
 // builder is an implementation of resource.Builder.
@@ -64,11 +66,19 @@ func (b *builder) Build(logger logr.Logger, testResource *loader.TestResource) (
 			return nil, fmt.Errorf("cannot parse fd spec")
 		}
 
-		res, err := b.buildFD(logger, resourceName, fdSpec)
+		res, err := buildFD(logger, resourceName, fdSpec)
 		if err != nil {
 			return nil, fmt.Errorf("cannot build fd resource: %w", err)
 		}
 
+		return res, nil
+	case loader.TestResourceTypeProcess:
+		procSpec, ok := testResource.Spec.(*loader.TestResourceProcessSpec)
+		if !ok {
+			return nil, fmt.Errorf("cannot parse process spec")
+		}
+
+		res := buildProcess(logger, resourceName, procSpec)
 		return res, nil
 	default:
 		return nil, fmt.Errorf("unknown test resource type %q", resourceType)
@@ -76,7 +86,7 @@ func (b *builder) Build(logger logr.Logger, testResource *loader.TestResource) (
 }
 
 // buildFD builds a fd test resource.
-func (b *builder) buildFD(logger logr.Logger, resourceName string,
+func buildFD(logger logr.Logger, resourceName string,
 	fdSpec *loader.TestResourceFDSpec) (resource.Resource, error) {
 	subtype := fdSpec.Subtype
 	logger = logger.WithValues("fdSubtype", subtype)
@@ -136,3 +146,31 @@ func (b *builder) buildFD(logger logr.Logger, resourceName string,
 		return nil, fmt.Errorf("unknown fd test resource subtype %q", subtype)
 	}
 }
+
+func buildProcess(logger logr.Logger, resourceName string, procSpec *loader.TestResourceProcessSpec) resource.Resource {
+	var simExePath, name, arg0, args string
+	if procSpec.ExePath != nil {
+		simExePath = *procSpec.ExePath
+	}
+	if procSpec.Name != nil {
+		name = *procSpec.Name
+	}
+	if procSpec.Exe != nil {
+		arg0 = *procSpec.Exe
+	}
+	if procSpec.Args != nil {
+		args = *procSpec.Args
+	}
+	procEnv := buildProcEnv(procSpec.Env)
+	return process.New(logger, resourceName, simExePath, name, arg0, args, procEnv)
+}
+
+func buildProcEnv(userEnv map[string]string) []string {
+	env := os.Environ()
+
+	// Add the user-provided environment variable.
+	for key, value := range userEnv {
+		env = append(env, fmt.Sprintf("%s=%s", key, value))
+	}
+	return env
+}
diff --git a/pkg/test/resource/process/doc.go b/pkg/test/resource/process/doc.go
new file mode 100644
index 00000000..0477f68d
--- /dev/null
+++ b/pkg/test/resource/process/doc.go
@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package process provides the implementation of a process test resource. The resource exposes the process PID via the
+// 'pid' field, that can be used in field binding.
+package process
diff --git a/pkg/test/resource/process/process.go b/pkg/test/resource/process/process.go
new file mode 100644
index 00000000..19101063
--- /dev/null
+++ b/pkg/test/resource/process/process.go
@@ -0,0 +1,117 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package process
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	"github.com/go-logr/logr"
+
+	"github.com/falcosecurity/event-generator/pkg/process"
+	"github.com/falcosecurity/event-generator/pkg/test/field"
+	"github.com/falcosecurity/event-generator/pkg/test/resource"
+)
+
+// procRes implements a process resource.
+type procRes struct {
+	logger logr.Logger
+	// resourceName is the process resource name.
+	resourceName string
+
+	proc *process.Process
+	// fields defines the information exposed by process for binding.
+	fields struct {
+		// PID is process identifier. If the resource has not been Create'd yet, or it has been Destroy'ed, PID is set
+		// to -1.
+		PID int `field_type:"pid"`
+	}
+}
+
+// New creates a new process resource.
+func New(logger logr.Logger, resourceName, simExePath, name, arg0, args string, env []string) resource.Resource {
+	procDesc := &process.Description{
+		Logger:     logger,
+		Command:    processCommand,
+		SimExePath: simExePath,
+		Name:       name,
+		Arg0:       arg0,
+		Args:       args,
+		Env:        env,
+	}
+	proc := process.New(context.Background(), procDesc)
+
+	p := &procRes{
+		logger:       logger,
+		resourceName: resourceName,
+		proc:         proc,
+	}
+	p.fields.PID = -1
+	return p
+}
+
+// Verify that process implements resource.Resource interface.
+var _ resource.Resource = (*procRes)(nil)
+
+func (p *procRes) Name() string {
+	return p.resourceName
+}
+
+var (
+	errProcessAlreadyStarted = fmt.Errorf("process already started")
+	errProcessAlreadyExited  = fmt.Errorf("process already exited")
+)
+
+// TODO: replace "cat" with "sleep infinity" when the process package will provide support for multiple arguments.
+var processCommand = "cat"
+
+// Create creates a process and exposes its bindable fields.
+func (p *procRes) Create(_ context.Context) error {
+	if p.fields.PID != -1 {
+		return errProcessAlreadyStarted
+	}
+
+	if err := p.proc.Start(); err != nil {
+		return fmt.Errorf("error starting process: %w", err)
+	}
+
+	p.fields.PID = p.proc.PID()
+	return nil
+}
+
+// Destroy closes the exposed file descriptor.
+func (p *procRes) Destroy(_ context.Context) error {
+	if p.fields.PID == -1 {
+		return errProcessAlreadyExited
+	}
+
+	defer func() {
+		p.proc = nil
+		p.fields.PID = -1
+	}()
+
+	if err := p.proc.Kill(); err != nil {
+		return fmt.Errorf("error killing process: %w", err)
+	}
+
+	return nil
+}
+
+func (p *procRes) Field(name string) (*field.Field, error) {
+	fieldContainer := reflect.ValueOf(p.fields)
+	return field.ByName(name, fieldContainer)
+}

From b15adb565cfafff5dc87a24a2e316b75718d4e18 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Tue, 19 Nov 2024 10:11:41 +0100
Subject: [PATCH 4/7] docs(decl/write): fix typo in write system call test step
 comment

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
---
 pkg/test/step/syscall/write/write.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/test/step/syscall/write/write.go b/pkg/test/step/syscall/write/write.go
index 686683dd..c2729716 100644
--- a/pkg/test/step/syscall/write/write.go
+++ b/pkg/test/step/syscall/write/write.go
@@ -42,7 +42,7 @@ type writeSyscall struct {
 func New(name string, rawArgs map[string]string,
 	fieldBindings []*step.FieldBinding) (syscall.Syscall, error) {
 	w := &writeSyscall{}
-	// s.args.Len defaults to the buffer length at run time, if unbound.
+	// w.args.Len defaults to the buffer length at run time, if unbound.
 	argsContainer := reflect.ValueOf(&w.args).Elem()
 	bindOnlyArgsContainer := reflect.ValueOf(&w.bindOnlyArgs).Elem()
 	retValContainer := reflect.ValueOf(w).Elem()

From 2238525651d820bdc8169f937c6d86a1b83cea97 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Tue, 19 Nov 2024 10:18:23 +0100
Subject: [PATCH 5/7] style(decl/loader): change switch style

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 pkg/test/loader/loader.go | 44 ++++++++-------------------------------
 1 file changed, 9 insertions(+), 35 deletions(-)

diff --git a/pkg/test/loader/loader.go b/pkg/test/loader/loader.go
index cfba584c..9660f62e 100644
--- a/pkg/test/loader/loader.go
+++ b/pkg/test/loader/loader.go
@@ -321,9 +321,7 @@ func (t *TestResourceType) UnmarshalYAML(node *yaml.Node) error {
 	}
 
 	switch TestResourceType(value) {
-	case TestResourceTypeClientServer:
-	case TestResourceTypeFD:
-	case TestResourceTypeProcess:
+	case TestResourceTypeClientServer, TestResourceTypeFD, TestResourceTypeProcess:
 	default:
 		return fmt.Errorf("unknown test step type %q", value)
 	}
@@ -369,11 +367,8 @@ func (t *TestResourceClientServerL4Proto) UnmarshalYAML(node *yaml.Node) error {
 	}
 
 	switch TestResourceClientServerL4Proto(value) {
-	case TestResourceClientServerL4ProtoUDP4:
-	case TestResourceClientServerL4ProtoUDP6:
-	case TestResourceClientServerL4ProtoTCP4:
-	case TestResourceClientServerL4ProtoTCP6:
-	case TestResourceClientServerL4ProtoUnix:
+	case TestResourceClientServerL4ProtoUDP4, TestResourceClientServerL4ProtoUDP6, TestResourceClientServerL4ProtoTCP4,
+		TestResourceClientServerL4ProtoTCP6, TestResourceClientServerL4ProtoUnix:
 	default:
 		return fmt.Errorf("unknown clientServer test resource l4 proto %q", value)
 	}
@@ -460,14 +455,9 @@ func (t *TestResourceFDSubtype) UnmarshalYAML(node *yaml.Node) error {
 	}
 
 	switch TestResourceFDSubtype(value) {
-	case TestResourceFDSubtypeFile:
-	case TestResourceFDSubtypeDirectory:
-	case TestResourceFDSubtypePipe:
-	case TestResourceFDSubtypeEvent:
-	case TestResourceFDSubtypeSignal:
-	case TestResourceFDSubtypeEpoll:
-	case TestResourceFDSubtypeInotify:
-	case TestResourceFDSubtypeMem:
+	case TestResourceFDSubtypeFile, TestResourceFDSubtypeDirectory, TestResourceFDSubtypePipe,
+		TestResourceFDSubtypeEvent, TestResourceFDSubtypeSignal, TestResourceFDSubtypeEpoll,
+		TestResourceFDSubtypeInotify, TestResourceFDSubtypeMem:
 	default:
 		return fmt.Errorf("unknown fd test resource subtype %q", value)
 	}
@@ -652,8 +642,6 @@ func (s *TestStepSyscallSpec) fieldBindings() []*TestStepFieldBinding {
 type SyscallName string
 
 const (
-	// SyscallNameUndefined specifies that the system call name is not defined.
-	SyscallNameUndefined SyscallName = "undefined"
 	// SyscallNameWrite specifies the name of the write system call.
 	SyscallNameWrite SyscallName = "write"
 	// SyscallNameRead specifies the name of the read system call.
@@ -697,23 +685,9 @@ func (s *SyscallName) UnmarshalYAML(node *yaml.Node) error {
 		return err
 	}
 	switch SyscallName(value) {
-	case SyscallNameWrite:
-	case SyscallNameRead:
-	case SyscallNameOpen:
-	case SyscallNameOpenAt:
-	case SyscallNameOpenAt2:
-	case SyscallNameSymLink:
-	case SyscallNameSymLinkAt:
-	case SyscallNameLink:
-	case SyscallNameLinkAt:
-	case SyscallNameInitModule:
-	case SyscallNameFinitModule:
-	case SyscallNameDup:
-	case SyscallNameDup2:
-	case SyscallNameDup3:
-	case SyscallNameConnect:
-	case SyscallNameSocket:
-	case SyscallNameSendTo:
+	case SyscallNameWrite, SyscallNameRead, SyscallNameOpen, SyscallNameOpenAt, SyscallNameOpenAt2, SyscallNameSymLink,
+		SyscallNameSymLinkAt, SyscallNameLink, SyscallNameLinkAt, SyscallNameInitModule, SyscallNameFinitModule,
+		SyscallNameDup, SyscallNameDup2, SyscallNameDup3, SyscallNameConnect, SyscallNameSocket, SyscallNameSendTo:
 	default:
 		return fmt.Errorf("unknown syscall %q", value)
 	}

From 963e7f4679931aef0fabd744d4a78a95f7c3a1e5 Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Tue, 19 Nov 2024 10:32:14 +0100
Subject: [PATCH 6/7] cleanup(decl/syscalls): remove unused ret fields

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 pkg/test/step/syscall/finitmodule/finitmodule.go | 8 ++------
 pkg/test/step/syscall/initmodule/initmodule.go   | 8 ++------
 pkg/test/step/syscall/link/link.go               | 2 +-
 pkg/test/step/syscall/linkat/linkat.go           | 2 +-
 pkg/test/step/syscall/sendto/sendto.go           | 7 +------
 pkg/test/step/syscall/symlink/symlink.go         | 2 +-
 pkg/test/step/syscall/symlinkat/symlinkat.go     | 2 +-
 7 files changed, 9 insertions(+), 22 deletions(-)

diff --git a/pkg/test/step/syscall/finitmodule/finitmodule.go b/pkg/test/step/syscall/finitmodule/finitmodule.go
index 75d5d804..29ebd46a 100644
--- a/pkg/test/step/syscall/finitmodule/finitmodule.go
+++ b/pkg/test/step/syscall/finitmodule/finitmodule.go
@@ -36,7 +36,7 @@ type finitModuleSyscall struct {
 	bindOnlyArgs struct {
 		FD int `field_type:"fd"`
 	}
-	Ret int
+	// Return value is neither set nor bindable.
 }
 
 // New creates a new finit_module system call test step.
@@ -54,9 +54,5 @@ func New(name string, rawArgs map[string]string,
 }
 
 func (f *finitModuleSyscall) run(_ context.Context) error {
-	if err := unix.FinitModule(f.bindOnlyArgs.FD, f.args.ParamValues, f.args.Flags); err != nil {
-		return err
-	}
-
-	return nil
+	return unix.FinitModule(f.bindOnlyArgs.FD, f.args.ParamValues, f.args.Flags)
 }
diff --git a/pkg/test/step/syscall/initmodule/initmodule.go b/pkg/test/step/syscall/initmodule/initmodule.go
index 835b53ce..3df9d006 100644
--- a/pkg/test/step/syscall/initmodule/initmodule.go
+++ b/pkg/test/step/syscall/initmodule/initmodule.go
@@ -34,7 +34,7 @@ type initModuleSyscall struct {
 	}
 	// bindOnlyArgs represents arguments that can only be provided by binding.
 	bindOnlyArgs struct{}
-	Ret          int
+	// Return value is neither set nor bindable.
 }
 
 // New creates a new init_module system call test step.
@@ -51,9 +51,5 @@ func New(name string, rawArgs map[string]string,
 }
 
 func (i *initModuleSyscall) run(_ context.Context) error {
-	if err := unix.InitModule(i.args.ModuleImage, i.args.ParamValues); err != nil {
-		return err
-	}
-
-	return nil
+	return unix.InitModule(i.args.ModuleImage, i.args.ParamValues)
 }
diff --git a/pkg/test/step/syscall/link/link.go b/pkg/test/step/syscall/link/link.go
index 5f3e94e7..59f1e85f 100644
--- a/pkg/test/step/syscall/link/link.go
+++ b/pkg/test/step/syscall/link/link.go
@@ -39,7 +39,7 @@ type linkSyscall struct {
 	// bindOnlyArgs represents arguments that can only be provided by binding.
 	bindOnlyArgs struct{}
 	savedNewPath []byte
-	Ret          int
+	// Return value is neither set nor bindable.
 }
 
 // New creates a new link system call test step.
diff --git a/pkg/test/step/syscall/linkat/linkat.go b/pkg/test/step/syscall/linkat/linkat.go
index ea2aa5d1..afc99ac3 100644
--- a/pkg/test/step/syscall/linkat/linkat.go
+++ b/pkg/test/step/syscall/linkat/linkat.go
@@ -41,7 +41,7 @@ type linkAtSyscall struct {
 		NewDirFD int `field_type:"fd"`
 	}
 	savedNewPath []byte
-	Ret          int
+	// Return value is neither set nor bindable.
 }
 
 // New creates a new linkat system call test step.
diff --git a/pkg/test/step/syscall/sendto/sendto.go b/pkg/test/step/syscall/sendto/sendto.go
index 0d57be54..ae57e2ef 100644
--- a/pkg/test/step/syscall/sendto/sendto.go
+++ b/pkg/test/step/syscall/sendto/sendto.go
@@ -42,7 +42,6 @@ type sendToSyscall struct {
 	//  sendto system call returns the number of characters sent but both unix.Sendto and syscall.Sendto do not return
 	//  it and do not allow to rewrite it by using direct calls to unix.Syscall or syscall.Syscall. For this reason, the
 	//  returned value is currently neither set nor bindable.
-	Ret int
 }
 
 // New creates a new sendto system call test step.
@@ -63,9 +62,5 @@ func (s *sendToSyscall) run(_ context.Context) error {
 	if length == 0 {
 		length = len(s.args.Buf)
 	}
-	if err := unix.Sendto(s.bindOnlyArgs.FD, s.args.Buf[:length], s.args.Flags, s.args.DestAddr); err != nil {
-		return err
-	}
-
-	return nil
+	return unix.Sendto(s.bindOnlyArgs.FD, s.args.Buf[:length], s.args.Flags, s.args.DestAddr)
 }
diff --git a/pkg/test/step/syscall/symlink/symlink.go b/pkg/test/step/syscall/symlink/symlink.go
index 2c137d15..311e0217 100644
--- a/pkg/test/step/syscall/symlink/symlink.go
+++ b/pkg/test/step/syscall/symlink/symlink.go
@@ -39,7 +39,7 @@ type symlinkSyscall struct {
 	// bindOnlyArgs represents arguments that can only be provided by binding.
 	bindOnlyArgs  struct{}
 	savedLinkPath []byte
-	Ret           int
+	// Return value is neither set nor bindable.
 }
 
 // New creates a new symlink system call test step.
diff --git a/pkg/test/step/syscall/symlinkat/symlinkat.go b/pkg/test/step/syscall/symlinkat/symlinkat.go
index 6993402b..574c5389 100644
--- a/pkg/test/step/syscall/symlinkat/symlinkat.go
+++ b/pkg/test/step/syscall/symlinkat/symlinkat.go
@@ -39,7 +39,7 @@ type symlinkAtSyscall struct {
 		NewDirFD int `field_type:"fd"`
 	}
 	savedLinkPath []byte
-	Ret           int
+	// Return value is neither set nor bindable.
 }
 
 // New creates a new symlinkat system call test step.

From 2cf4b77caf86e86c18d46e1cdb9632c58aa225ea Mon Sep 17 00:00:00 2001
From: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Date: Tue, 19 Nov 2024 10:53:11 +0100
Subject: [PATCH 7/7] feat(decl/syscalls): add kill system call test step

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Co-authored-by: Aldo Lacuku <aldo@lacuku.eu>
---
 pkg/test/field/field.go                  |  4 ++
 pkg/test/loader/loader.go                |  5 ++-
 pkg/test/step/syscall/base/base.go       | 12 ++++++
 pkg/test/step/syscall/base/consts.go     | 37 ++++++++++++++++
 pkg/test/step/syscall/builder/builder.go |  3 ++
 pkg/test/step/syscall/kill/doc.go        | 17 ++++++++
 pkg/test/step/syscall/kill/kill.go       | 54 ++++++++++++++++++++++++
 pkg/test/step/syscall/syscall.go         |  2 +
 8 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 pkg/test/step/syscall/kill/doc.go
 create mode 100644 pkg/test/step/syscall/kill/kill.go

diff --git a/pkg/test/field/field.go b/pkg/test/field/field.go
index e6cb6ef0..76ba1691 100644
--- a/pkg/test/field/field.go
+++ b/pkg/test/field/field.go
@@ -79,6 +79,10 @@ const (
 	TypeSocketProtocol Type = "socket_protocol"
 	// TypeSendFlags specifies that the field contains the sendto system call flags.
 	TypeSendFlags Type = "send_flags"
+	// TypePID specifies that the field contains a process identifier.
+	TypePID Type = "pid"
+	// TypeSignal specifies that the field contains a signal.
+	TypeSignal Type = "signal"
 )
 
 const (
diff --git a/pkg/test/loader/loader.go b/pkg/test/loader/loader.go
index 9660f62e..c3d9fd98 100644
--- a/pkg/test/loader/loader.go
+++ b/pkg/test/loader/loader.go
@@ -676,6 +676,8 @@ const (
 	SyscallNameSocket SyscallName = "socket"
 	// SyscallNameSendTo specifies the name of the sendto system call.
 	SyscallNameSendTo SyscallName = "sendto"
+	// SyscallNameKill specifies the name of the kill system call.
+	SyscallNameKill SyscallName = "kill"
 )
 
 // UnmarshalYAML populates the SyscallName instance by unmarshalling the content of the provided YAML node.
@@ -687,7 +689,8 @@ func (s *SyscallName) UnmarshalYAML(node *yaml.Node) error {
 	switch SyscallName(value) {
 	case SyscallNameWrite, SyscallNameRead, SyscallNameOpen, SyscallNameOpenAt, SyscallNameOpenAt2, SyscallNameSymLink,
 		SyscallNameSymLinkAt, SyscallNameLink, SyscallNameLinkAt, SyscallNameInitModule, SyscallNameFinitModule,
-		SyscallNameDup, SyscallNameDup2, SyscallNameDup3, SyscallNameConnect, SyscallNameSocket, SyscallNameSendTo:
+		SyscallNameDup, SyscallNameDup2, SyscallNameDup3, SyscallNameConnect, SyscallNameSocket, SyscallNameSendTo,
+		SyscallNameKill:
 	default:
 		return fmt.Errorf("unknown syscall %q", value)
 	}
diff --git a/pkg/test/step/syscall/base/base.go b/pkg/test/step/syscall/base/base.go
index 5fc8e07b..daffacd3 100644
--- a/pkg/test/step/syscall/base/base.go
+++ b/pkg/test/step/syscall/base/base.go
@@ -235,6 +235,18 @@ func setArgFieldValue(argField *field.Field, value string) error {
 			return fmt.Errorf("cannot parse value as send flags: %w", err)
 		}
 		argFieldValue.SetInt(int64(sendFlags))
+	case field.TypePID:
+		pid, err := strconv.Atoi(value)
+		if err != nil {
+			return fmt.Errorf("cannot parse value as PID: %w", err)
+		}
+		argFieldValue.SetInt(int64(pid))
+	case field.TypeSignal:
+		signal, err := parseSingleValue(value, signals)
+		if err != nil {
+			return fmt.Errorf("cannot parse value as signal: %w", err)
+		}
+		argFieldValue.SetInt(int64(signal))
 	case field.TypeUndefined:
 		return fmt.Errorf("argument field type is undefined")
 	default:
diff --git a/pkg/test/step/syscall/base/consts.go b/pkg/test/step/syscall/base/consts.go
index 13349483..c7b5a821 100644
--- a/pkg/test/step/syscall/base/consts.go
+++ b/pkg/test/step/syscall/base/consts.go
@@ -188,3 +188,40 @@ var sendFlags = map[string]int{
 	"MSG_NOSIGNAL":  unix.MSG_NOSIGNAL,
 	"MSG_OOB":       unix.MSG_OOB,
 }
+
+var signals = map[string]int{
+	"SIGABRT":   int(unix.SIGABRT),
+	"SIGALRM":   int(unix.SIGALRM),
+	"SIGBUS":    int(unix.SIGBUS),
+	"SIGCHLD":   int(unix.SIGCHLD),
+	"SIGCLD":    int(unix.SIGCLD),
+	"SIGCONT":   int(unix.SIGCONT),
+	"SIGFPE":    int(unix.SIGFPE),
+	"SIGHUP":    int(unix.SIGHUP),
+	"SIGILL":    int(unix.SIGILL),
+	"SIGINT":    int(unix.SIGINT),
+	"SIGIO":     int(unix.SIGIO),
+	"SIGIOT":    int(unix.SIGIOT),
+	"SIGKILL":   int(unix.SIGKILL),
+	"SIGPIPE":   int(unix.SIGPIPE),
+	"SIGPOLL":   int(unix.SIGPOLL),
+	"SIGPROF":   int(unix.SIGPROF),
+	"SIGPWR":    int(unix.SIGPWR),
+	"SIGQUIT":   int(unix.SIGQUIT),
+	"SIGSEGV":   int(unix.SIGSEGV),
+	"SIGSTKFLT": int(unix.SIGSTKFLT),
+	"SIGSTOP":   int(unix.SIGSTOP),
+	"SIGTSTP":   int(unix.SIGTSTP),
+	"SIGSYS":    int(unix.SIGSYS),
+	"SIGTERM":   int(unix.SIGTERM),
+	"SIGTRAP":   int(unix.SIGTRAP),
+	"SIGTTIN":   int(unix.SIGTTIN),
+	"SIGTTOU":   int(unix.SIGTTOU),
+	"SIGURG":    int(unix.SIGURG),
+	"SIGUSR1":   int(unix.SIGUSR1),
+	"SIGUSR2":   int(unix.SIGUSR2),
+	"SIGVTALRM": int(unix.SIGVTALRM),
+	"SIGXCPU":   int(unix.SIGXCPU),
+	"SIGXFSZ":   int(unix.SIGXFSZ),
+	"SIGWINCH":  int(unix.SIGWINCH),
+}
diff --git a/pkg/test/step/syscall/builder/builder.go b/pkg/test/step/syscall/builder/builder.go
index 06d508e9..0a47ede5 100644
--- a/pkg/test/step/syscall/builder/builder.go
+++ b/pkg/test/step/syscall/builder/builder.go
@@ -25,6 +25,7 @@ import (
 	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/dup3"
 	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/finitmodule"
 	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/initmodule"
+	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/kill"
 	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/link"
 	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/linkat"
 	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/open"
@@ -88,6 +89,8 @@ func (b *builder) Build(name syscall.Name, stepName string, description *syscall
 		return errDecorator(finitmodule.New(stepName, rawArgs, fieldBindings))
 	case syscall.NameSendTo:
 		return errDecorator(sendto.New(stepName, rawArgs, fieldBindings))
+	case syscall.NameKill:
+		return errDecorator(kill.New(stepName, rawArgs, fieldBindings))
 	default:
 		return nil, fmt.Errorf("unknown syscall %q", name)
 	}
diff --git a/pkg/test/step/syscall/kill/doc.go b/pkg/test/step/syscall/kill/doc.go
new file mode 100644
index 00000000..29c68564
--- /dev/null
+++ b/pkg/test/step/syscall/kill/doc.go
@@ -0,0 +1,17 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package kill provides the implementation of a kill system call test step.
+package kill
diff --git a/pkg/test/step/syscall/kill/kill.go b/pkg/test/step/syscall/kill/kill.go
new file mode 100644
index 00000000..beae8db7
--- /dev/null
+++ b/pkg/test/step/syscall/kill/kill.go
@@ -0,0 +1,54 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package kill
+
+import (
+	"context"
+	"reflect"
+
+	"golang.org/x/sys/unix"
+
+	"github.com/falcosecurity/event-generator/pkg/test/step"
+	"github.com/falcosecurity/event-generator/pkg/test/step/syscall"
+	"github.com/falcosecurity/event-generator/pkg/test/step/syscall/base"
+)
+
+type killSyscall struct {
+	// args represents arguments that can be provided by value or by binding.
+	args struct {
+		Sig unix.Signal `field_type:"signal"`
+	}
+	// bindOnlyArgs represents arguments that can only be provided by binding.
+	bindOnlyArgs struct {
+		PID int `field_type:"pid"`
+	}
+	// Return value is neither set nor bindable.
+}
+
+// New creates a new kill system call test step.
+func New(name string, rawArgs map[string]string,
+	fieldBindings []*step.FieldBinding) (syscall.Syscall, error) {
+	k := &killSyscall{}
+	argsContainer := reflect.ValueOf(&k.args).Elem()
+	bindOnlyArgsContainer := reflect.ValueOf(&k.bindOnlyArgs).Elem()
+	retValContainer := reflect.ValueOf(k).Elem()
+	return base.New(name, rawArgs, fieldBindings, argsContainer, bindOnlyArgsContainer, retValContainer, nil, k.run,
+		nil)
+}
+
+func (k *killSyscall) run(_ context.Context) error {
+	return unix.Kill(k.bindOnlyArgs.PID, k.args.Sig)
+}
diff --git a/pkg/test/step/syscall/syscall.go b/pkg/test/step/syscall/syscall.go
index 626ac77a..20674c59 100644
--- a/pkg/test/step/syscall/syscall.go
+++ b/pkg/test/step/syscall/syscall.go
@@ -68,6 +68,8 @@ const (
 	NameSocket = "socket"
 	// NameSendTo specifies the name of the sendto system call test step.
 	NameSendTo = "sendto"
+	// NameKill specifies the name of the kill system call test step.
+	NameKill = "kill"
 )
 
 // Description contains information to build a new Syscall test step.