fix: the correct usage is `<NA>` not `N/A`

[Andreagit97]

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area rules

Proposed rule maturity level

/area maturity-incubating

/area maturity-sandbox

What this PR does / why we need it:

Debugging some issues in Falco CI https://github.com/falcosecurity/falco/actions/runs/8845222090?pr=3177 I faced this inconsistency. The rule Non sudo setuid was triggered with user.name=<NA> because the macro known_user_in_container checks for N/A. This PR fixes the usages of N/A

Which issue(s) this PR fixes:

Special notes for your reviewer:

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-incubating-rules-3.0.1

Minor changes:

• Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

• List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-sandbox-rules-3.0.1

Minor changes:

• Macro etckeeper has been added
• Macro etckeeper_activities has been added

Patch changes:

• List user_known_k8s_ns_kube_system_images has some item added or removed
• List bpf_profiled_binaries has some item added or removed

[poiana]

LGTM label has been added.

Git tree hash: 3626b9b05994ca42dca614baccd974e23b022398

[Andreagit97]

/hold

[Andreagit97]

I will check if we need to keep both N/A and <NA> or <NA> is enough

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-incubating-rules-3.0.1

Minor changes:

• Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

• List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-sandbox-rules-3.0.1

Minor changes:

• Macro etckeeper_activities has been added
• Macro etckeeper has been added

Patch changes:

• List user_known_k8s_ns_kube_system_images has some item added or removed
• List bpf_profiled_binaries has some item added or removed

[Andreagit97]

Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-incubating-rules-3.0.1

Minor changes:

• Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

• List falco_privileged_images has some item added or removed

falco_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-rules-3.0.1

Minor changes:

• Macro known_drop_and_execute_activities has been added

Patch changes:

• List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-sandbox-rules-3.0.1

Minor changes:

• Macro etckeeper has been added
• Macro etckeeper_activities has been added

Patch changes:

• List user_known_k8s_ns_kube_system_images has some item added or removed
• List bpf_profiled_binaries has some item added or removed

[poiana]

LGTM label has been added.

Git tree hash: 97a3d7b7deada8bb67a3309916313eabda70e003

[Andreagit97]

/hold

[leogr]

Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here

you can ignore this for now, since here's an ongoing discussion https://github.com/falcosecurity/rules/pull/238

[poiana]

LGTM label has been added.

Git tree hash: 59041f53a260df0cdf68b9cb56a162a5ffe0f5e4

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, darryk10, incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/falcosecurity/rules/blob/main/OWNERS)~~ [Andreagit97,incertum,leogr] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[github-actions[bot]]

Rules files suggestions

falco-incubating_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-incubating-rules-3.0.1

Minor changes:

• Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

• List falco_privileged_images has some item added or removed

falco_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-rules-3.0.1

Minor changes:

• Macro known_drop_and_execute_activities has been added

Patch changes:

• List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-sandbox-rules-3.0.1

Minor changes:

• Macro etckeeper has been added
• Macro etckeeper_activities has been added

Patch changes:

• List user_known_k8s_ns_kube_system_images has some item added or removed
• List bpf_profiled_binaries has some item added or removed

[leogr]

/unhold