chore: remove `exe_flags=%evt.arg.flags` output from each non spawned_process rule

[incertum]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

chore: rename exe_flags= to flags= in output fields

Which issue(s) this PR fixes:

https://github.com/falcosecurity/rules/issues/176#issuecomment-1741234872

Fixes #

Special notes for your reviewer:

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 24ed7b81e8394313552d2ce14ca84f4dc73aea8d with latest tag falco-incubating-rules-2.0.0

Minor changes:

• Rule Potential Local Privilege Escalation via Environment Variables Misuse has been added
• Rule Adding ssh keys to authorized_keys has been added
• Macro glibc_tunables_env has been added

Patch changes:

• Rule Change thread namespace changed its output fields
• Rule Launch Privileged Container changed its output fields
• Rule Launch Excessively Capable Container changed its output fields
• Rule System procs network activity changed its output fields
• Rule Unexpected UDP Traffic changed its output fields
• Rule Non sudo setuid changed its output fields
• Rule Contact EC2 Instance Metadata Service From Container changed its output fields
• Rule Contact cloud metadata service from container changed its output fields
• Rule Delete or rename shell history changed its output fields
• Rule Set Setuid or Setgid bit changed its output fields
• Rule Network Connection outside Local Subnet changed its output fields

falco_rules.yaml

Comparing 24ed7b81e8394313552d2ce14ca84f4dc73aea8d with latest tag falco-rules-2.0.0

Minor changes:

• Macro containerd_activities has been added

Patch changes:

• Rule Contact K8S API Server From Container changed its output fields
• Rule Create Symlink Over Sensitive Files changed its output fields
• Rule Create Hardlink Over Sensitive Files changed its output fields
• Rule Packet socket created in container changed its output fields
• Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule PTRACE attached to process changed its output fields
• Rule PTRACE anti-debug attempt changed its output fields
• Rule Disallowed SSH Connection Non Standard Port changed its output fields

falco-sandbox_rules.yaml

Comparing 24ed7b81e8394313552d2ce14ca84f4dc73aea8d with latest tag falco-sandbox-rules-2.0.0

Patch changes:

• Rule Unexpected inbound connection source changed its output fields
• Rule Modify binary dirs changed its output fields
• Rule Mkdir binary dirs changed its output fields
• Rule Launch Sensitive Mount Container changed its output fields
• Rule Launch Disallowed Container changed its output fields
• Rule Interpreted procs inbound network activity changed its output fields
• Rule Interpreted procs outbound network activity changed its output fields
• Rule Unexpected K8s NodePort Connection changed its output fields
• Rule Create Hidden Files or Directories changed its output fields
• Rule Detect outbound connections to common miner pool ports changed its output fields
• Rule Container Drift Detected (chmod) changed its output fields
• Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
• Rule Java Process Class File Download changed its output fields
• Rule BPF Program Not Profiled changed its output fields

[incertum]

I would prefer to keep the exe_flags=%evt.arg.flags in all rules with spawned_process and remove all the other usages instead of renaming them. exe_flags has a lot of value because it reports exe_writable/exe_upper_layer flag, in all other cases i don't see so much value, WDYT?

Indifferent at the end of the day. Let's wait to hear from more folks and go with what everyone prefers. Only asking for a final decision so that we update the style guide one more time now and hopefully afterwards things can stabilize.

[loresuso]

I agree with

I would prefer to keep the exe_flags=%evt.arg.flags in all rules with spawned_process and remove all the other usages instead of renaming them

+1 from me

[incertum]

Roger that plz help me double-checking if it is all correct. Thanks!

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 8f52e05fb16d5c735d0f04d9361d3f7b2319bc88 with latest tag falco-incubating-rules-2.0.0

Minor changes:

• Rule Potential Local Privilege Escalation via Environment Variables Misuse has been added
• Rule Adding ssh keys to authorized_keys has been added
• Macro glibc_tunables_env has been added

Patch changes:

• Rule Modify Shell Configuration File changed its output fields
• Rule Schedule Cron Jobs changed its output fields
• Rule Read ssh information changed its output fields
• Rule Change thread namespace changed its output fields
• Rule Change namespace privileges via unshare changed its output fields
• Rule Launch Privileged Container changed its output fields
• Rule Launch Excessively Capable Container changed its output fields
• Rule System procs network activity changed its output fields
• Rule Unexpected UDP Traffic changed its output fields
• Rule Non sudo setuid changed its output fields
• Rule Create files below dev changed its output fields
• Rule Contact EC2 Instance Metadata Service From Container changed its output fields
• Rule Contact cloud metadata service from container changed its output fields
• Rule Delete or rename shell history changed its output fields
• Rule Set Setuid or Setgid bit changed its output fields
• Rule Network Connection outside Local Subnet changed its output fields
• Rule Read environment variable from /proc files changed its output fields
• Rule Exfiltrating Artifacts via Kubernetes Control Plane changed its output fields

falco_rules.yaml

Comparing 8f52e05fb16d5c735d0f04d9361d3f7b2319bc88 with latest tag falco-rules-2.0.0

Minor changes:

• Macro containerd_activities has been added

Patch changes:

• Rule Directory traversal monitored file read changed its output fields
• Rule Read sensitive file trusted after startup changed its output fields
• Rule Read sensitive file untrusted changed its output fields
• Rule Contact K8S API Server From Container changed its output fields
• Rule Clear Log Activities changed its output fields
• Rule Create Symlink Over Sensitive Files changed its output fields
• Rule Create Hardlink Over Sensitive Files changed its output fields
• Rule Packet socket created in container changed its output fields
• Rule Redirect STDOUT/STDIN to Network Connection in Container changed its output fields
• Rule Linux Kernel Module Injection Detected changed its output fields
• Rule Detect release_agent File Container Escapes changed its output fields
• Rule PTRACE attached to process changed its output fields
• Rule PTRACE anti-debug attempt changed its output fields
• Rule Disallowed SSH Connection Non Standard Port changed its output fields

falco-sandbox_rules.yaml

Comparing 8f52e05fb16d5c735d0f04d9361d3f7b2319bc88 with latest tag falco-sandbox-rules-2.0.0

Patch changes:

• Rule Unexpected inbound connection source changed its output fields
• Rule Read Shell Configuration File changed its output fields
• Rule Update Package Repository changed its output fields
• Rule Write below binary dir changed its output fields
• Rule Write below monitored dir changed its output fields
• Rule Write below etc changed its output fields
• Rule Write below root changed its output fields
• Rule Write below rpm database changed its output fields
• Rule Modify binary dirs changed its output fields
• Rule Mkdir binary dirs changed its output fields
• Rule Launch Sensitive Mount Container changed its output fields
• Rule Launch Disallowed Container changed its output fields
• Rule Interpreted procs inbound network activity changed its output fields
• Rule Interpreted procs outbound network activity changed its output fields
• Rule Unexpected K8s NodePort Connection changed its output fields
• Rule Create Hidden Files or Directories changed its output fields
• Rule Detect outbound connections to common miner pool ports changed its output fields
• Rule Container Drift Detected (chmod) changed its output fields
• Rule Container Drift Detected (open+create) changed its output fields
• Rule Unprivileged Delegation of Page Faults Handling to a Userspace Process changed its output fields
• Rule Java Process Class File Download changed its output fields
• Rule Modify Container Entrypoint changed its output fields
• Rule BPF Program Not Profiled changed its output fields

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, incertum

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/falcosecurity/rules/blob/main/OWNERS)~~ [Andreagit97,incertum] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[poiana]

LGTM label has been added.

Git tree hash: 502f5068f74538e8dc2bf16c29ba17c0f363dee6