Open Andreagit97 opened 8 months ago
Cross-linked the issue to the feedback tracking https://github.com/falcosecurity/rules/issues/176
Issues go stale after 90d of inactivity.
Mark the issue as fresh with `/remove-lifecycle stale`.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with `/close`.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
/remove-lifecycle stale
In some rules like `Set Setuid or Setgid bit` we use some filter checks like `fd=%evt.arg.fd`. These filter checks are event-specific so using them with a condition like `evt.type in (chmod, fchmod, fchmodat)` means that `chmod` and `fchmodat` don't have it and will always return an `<NA>` while `fchmod` has it.

I'm not sure this is what we want, returning `<NA>` by default doesn't seem the right choice. IMO we should limit the usage of `evt.arg.*`/`evt.rawarg.*` when only one event is involved in the condition and a precise direction is set (e.g. `evt.type=open and evt.dir=<`). The direction is necessary because enter and exit events have different parameters!
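The constraint proposed in the issue above can be checked mechanically. The following lint sketch is an added example, not part of the original issue or of the Falco project: it flags rules that reference `evt.arg.*`/`evt.rawarg.*` unless the condition names exactly one event type and sets `evt.dir`. It assumes macros are already expanded into the condition string; the sample rules and the `lint` helper are constructed for illustration.

```python
import re

# Constructed sample rules (not copied from the Falco ruleset); macros are
# assumed to be already expanded into the condition string.
RULES = [
    {"rule": "multi-event with fd arg",
     "condition": "evt.type in (chmod, fchmod, fchmodat) and evt.dir=<",
     "output": "mode change (fd=%evt.arg.fd mode=%evt.arg.mode)"},
    {"rule": "single event, no direction",
     "condition": "evt.type=open and evt.rawarg.flags=1",
     "output": "file opened"},
    {"rule": "single event with direction",
     "condition": "evt.type=open and evt.dir=<",
     "output": "file opened (flags=%evt.arg.flags)"},
    {"rule": "no event-specific fields",
     "condition": "evt.type in (chmod, fchmod, fchmodat)",
     "output": "mode change (proc=%proc.name)"},
]

# Only the dotted form (evt.arg.<name>) is matched in this sketch.
ARG_FIELD = re.compile(r"\bevt\.(?:raw)?arg\.\w+")
TYPE_EQ = re.compile(r"\bevt\.type\s*=\s*(\w+)")
TYPE_IN = re.compile(r"\bevt\.type\s+in\s*\(([^)]*)\)")
DIR_SET = re.compile(r"\bevt\.dir\s*=\s*[<>]")

def event_types(condition):
    """Collect every event name the condition selects via evt.type."""
    types = set(TYPE_EQ.findall(condition))
    for group in TYPE_IN.findall(condition):
        types.update(t.strip() for t in group.split(",") if t.strip())
    return types

def lint(rule):
    """Return a list of problems for one rule; empty when it passes."""
    cond, out = rule["condition"], rule.get("output", "")
    fields = sorted(set(ARG_FIELD.findall(cond + " " + out)))
    if not fields:
        return []  # no event-specific fields, nothing to check
    problems = []
    types = event_types(cond)
    if len(types) != 1:
        problems.append(f"{fields} used with {len(types)} event types: "
                        f"{sorted(types)}")
    if not DIR_SET.search(cond):
        problems.append(f"{fields} used without evt.dir in the condition")
    return problems

if __name__ == "__main__":
    for r in RULES:
        for p in lint(r):
            print(f"{r['rule']}: {p}")
```
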