fix: add <NA> check

Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · Apr 29, 2024 · a03adf2 · a03adf2
1 parent e65f251
commit a03adf2
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 13 deletions.
diff --git a/rules/falco-incubating_rules.yaml b/rules/falco-incubating_rules.yaml
@@ -769,7 +769,7 @@
 # https://github.com/draios/sysdig/issues/954). So in that case, allow
 # a setuid.
 - macro: known_user_in_container
-  condition: (container and user.name != "N/A")
+  condition: (container and not user.name in ("<NA>","N/A"))
 
 # Add conditions to this macro (probably in a separate file,
 # overwriting this macro) to allow for specific combinations of

diff --git a/rules/falco-sandbox_rules.yaml b/rules/falco-sandbox_rules.yaml
@@ -1247,18 +1247,18 @@
 # below /etc as well, but the globbing mechanism
 # doesn't allow exclusions of a full pattern, only single characters.
 - macro: sensitive_mount
-  condition: (container.mount.dest[/proc*] != "N/A" or
-              container.mount.dest[/var/run/docker.sock] != "N/A" or
-              container.mount.dest[/var/run/crio/crio.sock] != "N/A" or
-              container.mount.dest[/run/containerd/containerd.sock] != "N/A" or
-              container.mount.dest[/var/lib/kubelet] != "N/A" or
-              container.mount.dest[/var/lib/kubelet/pki] != "N/A" or
-              container.mount.dest[/] != "N/A" or
-              container.mount.dest[/home/admin] != "N/A" or
-              container.mount.dest[/etc] != "N/A" or
-              container.mount.dest[/etc/kubernetes] != "N/A" or
-              container.mount.dest[/etc/kubernetes/manifests] != "N/A" or
-              container.mount.dest[/root*] != "N/A")
+  condition: (not container.mount.dest[/proc*] in ("<NA>","N/A") or
+              not container.mount.dest[/var/run/docker.sock] in ("<NA>","N/A") or
+              not container.mount.dest[/var/run/crio/crio.sock] in ("<NA>","N/A") or
+              not container.mount.dest[/run/containerd/containerd.sock] in ("<NA>","N/A") or
+              not container.mount.dest[/var/lib/kubelet] in ("<NA>","N/A") or
+              not container.mount.dest[/var/lib/kubelet/pki] in ("<NA>","N/A") or
+              not container.mount.dest[/] in ("<NA>","N/A") or
+              not container.mount.dest[/home/admin] in ("<NA>","N/A") or
+              not container.mount.dest[/etc] in ("<NA>","N/A") or
+              not container.mount.dest[/etc/kubernetes] in ("<NA>","N/A") or
+              not container.mount.dest[/etc/kubernetes/manifests] in ("<NA>","N/A") or
+              not container.mount.dest[/root*] in ("<NA>","N/A"))
 
 - rule: Launch Sensitive Mount Container
   desc: >