From 4746363517d87d8fef27dea800f0c00501b2855f Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Fri, 26 Apr 2024 12:03:36 +0200
Subject: [PATCH 1/2] fix: add `` check

Signed-off-by: Andrea Terzolo
---
 rules/falco-incubating_rules.yaml | 4 ++--
 rules/falco-sandbox_rules.yaml | 26 +++++++++++++-------------
 rules/falco_rules.yaml | 3 ++-
 3 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index a97dc6f9..cef71723 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -63,7 +63,7 @@
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
 - macro: proc_name_exists
- condition: (proc.name!="")
+ condition: (not proc.name in ("","N/A"))
 
 - macro: rename
 condition: (evt.type in (rename, renameat, renameat2))
@@ -769,7 +769,7 @@
 # https://github.com/draios/sysdig/issues/954). So in that case, allow
 # a setuid.
 - macro: known_user_in_container
- condition: (container and user.name != "N/A")
+ condition: (container and not user.name in ("","N/A"))
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
index d5903087..dd0e44fb 100644
--- a/rules/falco-sandbox_rules.yaml
+++ b/rules/falco-sandbox_rules.yaml
@@ -68,7 +68,7 @@
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
 - macro: proc_name_exists
- condition: (proc.name!="")
+ condition: (not proc.name in ("","N/A"))
 
 - macro: rename
 condition: (evt.type in (rename, renameat, renameat2))
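Review bot: The rewritten proc_name_exists condition in this hunk (and the identical macro at @@ -68 in rules/falco-sandbox_rules.yaml) now treats a second value as "name missing" with no comment saying why, while the same change in rules/falco_rules.yaml carries a TODO explaining that the N/A variant is kept for compatibility with old scap-files. A reader of the incubating or sandbox file cannot tell whether "N/A" is a value current captures produce or a legacy one, so the two macros will drift from the main file the next time someone touches them. Adding the same line above the macro in both files, `# TODO: the "N/A" variant is kept only for compatibility with old scap-files`, keeps the three copies consistent and records the removal condition where it is needed.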
@@ -1247,18 +1247,18 @@
 # below /etc as well, but the globbing mechanism
 # doesn't allow exclusions of a full pattern, only single characters.
 - macro: sensitive_mount
- condition: (container.mount.dest[/proc*] != "N/A" or
- container.mount.dest[/var/run/docker.sock] != "N/A" or
- container.mount.dest[/var/run/crio/crio.sock] != "N/A" or
- container.mount.dest[/run/containerd/containerd.sock] != "N/A" or
- container.mount.dest[/var/lib/kubelet] != "N/A" or
- container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
- container.mount.dest[/] != "N/A" or
- container.mount.dest[/home/admin] != "N/A" or
- container.mount.dest[/etc] != "N/A" or
- container.mount.dest[/etc/kubernetes] != "N/A" or
- container.mount.dest[/etc/kubernetes/manifests] != "N/A" or
- container.mount.dest[/root*] != "N/A")
+ condition: (not container.mount.dest[/proc*] in ("","N/A") or
+ not container.mount.dest[/var/run/docker.sock] in ("","N/A") or
+ not container.mount.dest[/var/run/crio/crio.sock] in ("","N/A") or
+ not container.mount.dest[/run/containerd/containerd.sock] in ("","N/A") or
+ not container.mount.dest[/var/lib/kubelet] in ("","N/A") or
+ not container.mount.dest[/var/lib/kubelet/pki] in ("","N/A") or
+ not container.mount.dest[/] in ("","N/A") or
+ not container.mount.dest[/home/admin] in ("","N/A") or
+ not container.mount.dest[/etc] in ("","N/A") or
+ not container.mount.dest[/etc/kubernetes] in ("","N/A") or
+ not container.mount.dest[/etc/kubernetes/manifests] in ("","N/A") or
+ not container.mount.dest[/root*] in ("","N/A"))
 
 - rule: Launch Sensitive Mount Container
 desc: >
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index 723c6f7a..2211dda6 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
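Review bot: Each of the twelve terms in the new sensitive_mount condition is written as `not container.mount.dest[...] in ("","N/A")` joined by `or`, so the macro relies on `not` binding tighter than `or`; as far as I know that is how the Falco filter grammar parses it, but spread over twelve lines the expression is easy to misread as a single negated disjunction. Wrapping each term, e.g. `(not container.mount.dest[/proc*] in ("","N/A")) or`, makes the intended per-mount test explicit without changing what matches. If the lines are left as they are, a one-line comment above the macro such as `# fires when any of the listed paths is mounted; "" and "N/A" are the two "not mounted" values` would serve the same purpose for the next reader.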
@@ -74,8 +74,9 @@
 # the process name may be missing. For some rules that really depend
 # on the identity of the process performing an action such as opening
 # a file, etc., we require that the process name be known.
+# TODO: At the moment we keep the `N/A` variant for compatibility with old scap-files
 - macro: proc_name_exists
- condition: (proc.name!="")
+ condition: (not proc.name in ("","N/A"))
 
 - macro: spawned_process
 condition: (evt.type in (execve, execveat) and evt.dir=<)

From 6b7c59b0c3bd514b5fc477c6a6b6d0d725fae5fe Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Mon, 29 Apr 2024 13:04:55 +0200
Subject: [PATCH 2/2] fix: add `""` case for user.name

Signed-off-by: Andrea Terzolo
---
 rules/falco-incubating_rules.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
index cef71723..8653d42a 100644
--- a/rules/falco-incubating_rules.yaml
+++ b/rules/falco-incubating_rules.yaml
@@ -769,7 +769,7 @@
 # https://github.com/draios/sysdig/issues/954). So in that case, allow
 # a setuid.
 - macro: known_user_in_container
- condition: (container and not user.name in ("","N/A"))
+ condition: (container and not user.name in ("","N/A",""))
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of
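Review bot: The TODO added above proc_name_exists in rules/falco_rules.yaml says the `N/A` variant is kept for compatibility with old scap-files but not what would allow it to go away, so it is likely to outlive its reason. Rewording it to name the removal criterion, e.g. `# TODO: "N/A" is kept only for compatibility with old scap-files; drop it once those no longer need to be supported`, gives the next maintainer something concrete to act on. The macro itself is unchanged apart from the condition line, so the comment is the only place this rationale lives.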
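Review bot: The new condition for known_user_in_container lists `""` twice, `("","N/A","")`: the empty-string case was already added to this macro by PATCH 1/2, as the removed line of this very hunk shows, so the second entry is redundant and suggests this commit was written against a base that predates the first one. The line should stay `condition: (container and not user.name in ("","N/A"))`, which makes this hunk a no-op that can be dropped or squashed into the first patch. The duplicate does not change what matches, but it will make anyone reading the macro later wonder whether the two empty strings were meant to be different values.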