falcosecurity / rules

Falco rule repository
https://falcosecurity.github.io/rules/
Apache License 2.0

Wrong usage of `evt.arg.*` / `evt.rawarg.*` when more than one event is involved #214

Open Andreagit97 opened 8 months ago

Andreagit97 commented 8 months ago

In some rules like Set Setuid or Setgid bit we use some filter checks like `fd=%evt.arg.fd`. These filter checks are event-specific, so using them with a condition like `evt.type in (chmod, fchmod, fchmodat)` means that `chmod` and `fchmodat` don't have it and will always return an `<NA>` while `fchmod` has it.

I'm not sure this is what we want; returning `<NA>` by default doesn't seem the right choice. IMO we should limit the usage of `evt.arg.*` / `evt.rawarg.*` to when only one event is involved in the condition and a precise direction is set (e.g. `evt.type=open and evt.dir=<`). The direction is necessary because enter and exit events have different parameters!
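Illustration of the point above (an added example, not a rule from the falcosecurity/rules repository or from the issue author): a combined rule whose output mixes event-specific arguments, next to two ways of writing it so that no `<NA>` is emitted. Rule names, descriptions, tags and output strings are constructed; the per-event argument names (`fd` for fchmod, `filename` for chmod, `dirfd`/`filename` for fchmodat) and the use of `fd.name` to resolve the fchmod descriptor are assumed from the syscall signatures and standard Falco fields.

```yaml
# Added example, not a rule shipped by falcosecurity/rules. Rule names, desc/output
# text and tags are constructed for illustration. evt.type, evt.dir, evt.arg.*,
# evt.args, fd.name, user.name, proc.name and proc.cmdline are standard Falco fields;
# the per-event argument names are assumed from the chmod/fchmod/fchmodat signatures.

# BEFORE: one rule over three syscalls. %evt.arg.fd exists only for fchmod and
# %evt.arg.filename only for chmod/fchmodat, so every alert prints at least one <NA>.
- rule: Set Setuid or Setgid bit (example, combined)
  desc: Problematic pattern; the output references arguments that not every event has.
  condition: >
    evt.type in (chmod, fchmod, fchmodat) and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    Setuid or setgid bit set (fd=%evt.arg.fd filename=%evt.arg.filename
    mode=%evt.arg.mode user=%user.name proc=%proc.name cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [example, filesystem]

# AFTER (option 1): one rule per event, each pinned to a single evt.type and a
# direction, so only arguments defined for that exit event are referenced.
- rule: Set Setuid or Setgid bit via chmod (example)
  desc: chmod exit event; its arguments are filename and mode.
  condition: >
    evt.type=chmod and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    Setuid or setgid bit set via chmod (filename=%evt.arg.filename
    mode=%evt.arg.mode user=%user.name proc=%proc.name cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [example, filesystem]

- rule: Set Setuid or Setgid bit via fchmod (example)
  desc: fchmod exit event; the target is a descriptor, resolved to a path with fd.name.
  condition: >
    evt.type=fchmod and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    Setuid or setgid bit set via fchmod (fd=%evt.arg.fd file=%fd.name
    mode=%evt.arg.mode user=%user.name proc=%proc.name cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [example, filesystem]

- rule: Set Setuid or Setgid bit via fchmodat (example)
  desc: fchmodat exit event; its arguments are dirfd, filename and mode.
  condition: >
    evt.type=fchmodat and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    Setuid or setgid bit set via fchmodat (dirfd=%evt.arg.dirfd
    filename=%evt.arg.filename mode=%evt.arg.mode user=%user.name
    proc=%proc.name cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [example, filesystem]

# AFTER (option 2): keep the combined condition but only print fields that every
# matched event carries, and dump the full argument list with %evt.args instead
# of naming an event-specific argument.
- rule: Set Setuid or Setgid bit (example, generic output)
  desc: Combined condition whose output never names an argument specific to one event.
  condition: >
    evt.type in (chmod, fchmod, fchmodat) and evt.dir=<
    and (evt.arg.mode contains "S_ISUID" or evt.arg.mode contains "S_ISGID")
  output: >
    Setuid or setgid bit set via %evt.type (mode=%evt.arg.mode args=%evt.args
    user=%user.name proc=%proc.name cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [example, filesystem]
```

Option 1 gives the cleanest output and matches the suggestion in the issue (single event type plus `evt.dir`); option 2 keeps one rule but trades precision for `%evt.args`, which is useful when the rule must cover several syscall variants and the consumer of the alert can parse the raw argument list.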

incertum commented 8 months ago

Cross-linked the issue to the feedback tracking https://github.com/falcosecurity/rules/issues/176

poiana commented 5 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 5 months ago

/remove-lifecycle stale

poiana commented 2 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 2 months ago

/remove-lifecycle stale